-rw-r--r--.gitignore2
-rw-r--r--actionpack-CVE-2012-1098-safe-buffer-slice.patch44
-rw-r--r--actionpack-CVE-2012-1099-select-options-XSS.patch61
-rw-r--r--actionpack-downgrade-dependencies.patch10
-rw-r--r--actionpack-tests-fix.patch8
-rw-r--r--rubygem-actionpack.spec32
-rw-r--r--sources4
7 files changed, 20 insertions, 141 deletions
diff --git a/.gitignore b/.gitignore
index 5a1c559..3977fa6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,5 @@ actionpack-2.3.8.gem
/actionpack-3.0.10.gem
/actionpack-3.0.11-tests.tgz
/actionpack-3.0.11.gem
+/actionpack-3.0.13-tests.tgz
+/actionpack-3.0.13.gem
diff --git a/actionpack-CVE-2012-1098-safe-buffer-slice.patch b/actionpack-CVE-2012-1098-safe-buffer-slice.patch
deleted file mode 100644
index 3eaca8d..0000000
--- a/actionpack-CVE-2012-1098-safe-buffer-slice.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 00e632de2bde61425142ef8edc408e8d21ff9134 Mon Sep 17 00:00:00 2001
-From: Aaron Patterson <aaron.patterson@gmail.com>
-Date: Wed, 29 Feb 2012 16:37:30 -0800
-Subject: [PATCH] Squashed commit of the following:
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 917fd1a03845f4eedaccbc338f9d7524e98d45ee
-Author: José Valim <jose.valim@gmail.com>
-Date: Wed Feb 29 22:30:51 2012 +0100
-
- Ensure [] respects the status of the buffer.
-
-commit 6adc41789017682306181e3db5b30337fe450bcc
-Author: Akira Matsuda <ronnie@dio.jp>
-Date: Mon Feb 13 17:57:05 2012 +0900
-
- use AS::SafeBuffer#clone_empty for flushing the output_buffer
-
-commit e50ee96a0b37e7c5adfc555edd402ad04cc159f1
-Author: Akira Matsuda <ronnie@dio.jp>
-Date: Mon Feb 13 17:54:58 2012 +0900
-
- add AS::SafeBuffer#clone_empty
----
- .../lib/action_view/helpers/capture_helper.rb | 2 +-
- .../core_ext/string/output_safety.rb | 50 ++++++++++++-------
- activesupport/test/safe_buffer_test.rb | 46 ++++++++++++++++--
- 3 files changed, 74 insertions(+), 24 deletions(-)
-
-diff --git a/actionpack/lib/action_view/helpers/capture_helper.rb b/actionpack/lib/action_view/helpers/capture_helper.rb
-index cbc660d..c91e4c1 100644
---- a/actionpack/lib/action_view/helpers/capture_helper.rb
-+++ b/actionpack/lib/action_view/helpers/capture_helper.rb
-@@ -179,7 +179,7 @@ module ActionView
- def flush_output_buffer #:nodoc:
- if output_buffer && !output_buffer.empty?
- response.body_parts << output_buffer
-- self.output_buffer = output_buffer[0,0]
-+ self.output_buffer = output_buffer.respond_to?(:clone_empty) ? output_buffer.clone_empty : output_buffer[0, 0]
- nil
- end
- end
diff --git a/actionpack-CVE-2012-1099-select-options-XSS.patch b/actionpack-CVE-2012-1099-select-options-XSS.patch
deleted file mode 100644
index f0211c0..0000000
--- a/actionpack-CVE-2012-1099-select-options-XSS.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 5b4082fddf3412aef6c085fbb2a13fd3bbc75f4e Mon Sep 17 00:00:00 2001
-From: Sergey Nartimov <just.lest@gmail.com>
-Date: Mon, 20 Feb 2012 15:41:17 -0800
-Subject: [PATCH] fix output safety issue with select options
-
----
- .../lib/action_view/helpers/form_options_helper.rb | 6 +++---
- .../test/template/form_options_helper_test.rb | 9 ++++++++-
- 2 files changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
-index 082647f..949b02a 100644
---- a/actionpack/lib/action_view/helpers/form_options_helper.rb
-+++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
-@@ -596,13 +596,13 @@ module ActionView
- private
- def add_options(option_tags, options, value = nil)
- if options[:include_blank]
-- option_tags = "<option value=\"\">#{html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
-+ option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags
- end
- if value.blank? && options[:prompt]
- prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
-- option_tags = "<option value=\"\">#{html_escape(prompt)}</option>\n" + option_tags
-+ option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags
- end
-- option_tags.html_safe
-+ option_tags
- end
- end
-
-diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb
-index 6656420..9ca4bf6 100644
---- a/actionpack/test/template/form_options_helper_test.rb
-+++ b/actionpack/test/template/form_options_helper_test.rb
-@@ -432,7 +432,7 @@ class FormOptionsHelperTest < ActionView::TestCase
-
- def test_select_under_fields_for_with_string_and_given_prompt
- @post = Post.new
-- options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>"
-+ options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>".html_safe
-
- output_buffer = fields_for :post, @post do |f|
- concat f.select(:category, options, :prompt => 'The prompt')
-@@ -536,6 +536,13 @@ class FormOptionsHelperTest < ActionView::TestCase
- )
- end
-
-+ def test_select_escapes_options
-+ assert_dom_equal(
-+ '<select id="post_title" name="post[title]">&lt;script&gt;alert(1)&lt;/script&gt;</select>',
-+ select('post', 'title', '<script>alert(1)</script>')
-+ )
-+ end
-+
- def test_select_with_selected_nil
- @post = Post.new
- @post.category = "<mus>"
---
-1.7.6
-
diff --git a/actionpack-downgrade-dependencies.patch b/actionpack-downgrade-dependencies.patch
index 4114bd4..b7f76d0 100644
--- a/actionpack-downgrade-dependencies.patch
+++ b/actionpack-downgrade-dependencies.patch
@@ -1,9 +1,9 @@
---- specifications/actionpack-3.0.11.gemspec.orig
-+++ specifications/actionpack-3.0.11.gemspec
+--- specifications/actionpack-3.0.13.gemspec.orig
++++ specifications/actionpack-3.0.13.gemspec
@@ -26,7 +26,7 @@
s.add_runtime_dependency(%q<builder>, ["~> 2.1.2"])
s.add_runtime_dependency(%q<i18n>, ["~> 0.5.0"])
- s.add_runtime_dependency(%q<rack>, [">= 1.2.1"])
+ s.add_runtime_dependency(%q<rack>, [">= 1.2.5"])
- s.add_runtime_dependency(%q<rack-test>, [">= 0.5.7"])
+ s.add_runtime_dependency(%q<rack-test>, [">= 0.5.4"])
s.add_runtime_dependency(%q<rack-mount>, [">= 0.6.14"])
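Review bot: The rack context line in this hunk and the two that follow moves from `>= 1.2.1` to `>= 1.2.5`, so the upstream gemspec appears to have raised its rack floor, but none of the visible spec hunks touch a `Requires:` for rack. If the spec carries a rack requirement with the older floor (that part of the spec is outside the lines shown), the RPM would permit a rack version that RubyGems refuses to activate for this gem; it should be checked and aligned to `>= 1.2.5`. Separately, nothing records why rack-test is relaxed to `>= 0.5.4`; a one-line comment above `Patch3:` in the spec giving the reason would match the comments the other patches have.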
@@ -12,7 +12,7 @@
@@ -36,7 +36,7 @@
s.add_dependency(%q<builder>, ["~> 2.1.2"])
s.add_dependency(%q<i18n>, ["~> 0.5.0"])
- s.add_dependency(%q<rack>, [">= 1.2.1"])
+ s.add_dependency(%q<rack>, [">= 1.2.5"])
- s.add_dependency(%q<rack-test>, [">= 0.5.7"])
+ s.add_dependency(%q<rack-test>, [">= 0.5.4"])
s.add_dependency(%q<rack-mount>, [">= 0.6.14"])
@@ -21,7 +21,7 @@
@@ -47,7 +47,7 @@
s.add_dependency(%q<builder>, ["~> 2.1.2"])
s.add_dependency(%q<i18n>, ["~> 0.5.0"])
- s.add_dependency(%q<rack>, [">= 1.2.1"])
+ s.add_dependency(%q<rack>, [">= 1.2.5"])
- s.add_dependency(%q<rack-test>, [">= 0.5.7"])
+ s.add_dependency(%q<rack-test>, [">= 0.5.4"])
s.add_dependency(%q<rack-mount>, [">= 0.6.14"])
diff --git a/actionpack-tests-fix.patch b/actionpack-tests-fix.patch
deleted file mode 100644
index 90af2e4..0000000
--- a/actionpack-tests-fix.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- test/abstract_unit.rb.orig 2011-01-10 23:22:06.245506019 -0500
-+++ test/abstract_unit.rb 2011-01-10 23:22:18.633505885 -0500
-@@ -1,4 +1,4 @@
--require File.expand_path('../../../load_paths', __FILE__)
-+require 'rubygems'
-
- lib = File.expand_path("#{File.dirname(__FILE__)}/../lib")
- $:.unshift(lib) unless $:.include?('lib') || $:.include?(lib)
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index d8f2661..f683d0f 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -6,8 +6,8 @@
Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gem_name}
Epoch: 1
-Version: 3.0.11
-Release: 3%{?dist}
+Version: 3.0.13
+Release: 1%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -20,8 +20,8 @@ Source1: http://github.com/rails/rails/raw/v%{version}/%{gem_name}/Rakefile
# You may check it out like so
# git clone http://github.com/rails/rails.git
# cd rails/actionpack/
-# git checkout v3.0.11
-# tar czvf actionpack-3.0.11-tests.tgz test/
+# git checkout v3.0.13
+# tar czvf actionpack-3.0.13-tests.tgz test/
Source2: actionpack-%{version}-tests.tgz
Patch0: rubygem-actionpack-enable-test.patch
@@ -30,20 +30,8 @@ Patch0: rubygem-actionpack-enable-test.patch
# not being present in the gem
Patch1: actionpack-rakefile-fix.patch
-# Removes code which breaks the test suite due to a
-# dependency on a file in the greater rails proj
-Patch2: actionpack-tests-fix.patch
-
Patch3: actionpack-downgrade-dependencies.patch
-# Fixes CVE-2012-1098
-# https://bugzilla.redhat.com/show_bug.cgi?id=799275
-Patch4: actionpack-CVE-2012-1098-safe-buffer-slice.patch
-
-# Fixes CVE-2012-1099
-# https://bugzilla.redhat.com/show_bug.cgi?id=799276
-Patch5: actionpack-CVE-2012-1099-select-options-XSS.patch
-
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -101,9 +89,6 @@ tar xzvf %{SOURCE2} -C .%{gem_instdir}
pushd .%{gem_instdir}
%patch0 -p0
%patch1 -p0
-%patch2 -p0
-%patch4 -p2
-%patch5 -p2
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -152,6 +137,9 @@ export TMPDIR=$(pwd)/tmpdir
pushd .%{gem_instdir}
+# load_path is not available, remove its require.
+sed -i '1,2d' test/abstract_unit.rb
+
# dependency loop
# depends on actionmailer, while actionmailer has BR(check): actionpack
mv test/controller/assert_select_test.rb \
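Review bot: `sed -i '1,2d' test/abstract_unit.rb` deletes by line position, so if a later upstream release changes the top of that file it will silently remove two unrelated lines instead of failing the build. The removed actionpack-tests-fix.patch at least stopped applying when its context changed. Matching on content keeps that safety, assuming the line is still the `load_paths` require shown in the removed patch: `grep -q load_paths test/abstract_unit.rb` followed by `sed -i '/load_paths/d' test/abstract_unit.rb`. The added comment also says `load_path` where the required file is `load_paths`; the surrounding test section starts and ends outside this hunk.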
@@ -161,7 +149,6 @@ mv test/controller/assert_select_test.rb \
rake test --trace
%files
-%defattr(-, root, root, -)
%dir %{gem_instdir}
%doc %{gem_instdir}/CHANGELOG
%{gem_libdir}
@@ -170,11 +157,14 @@ rake test --trace
%doc %{gem_instdir}/README.rdoc
%doc %{gem_instdir}/test/
%doc %{gem_docdir}
-%{gem_cache}
+%exclude %{gem_cache}
%{gem_spec}
%changelog
+* Fri Jun 01 2012 Vít Ondruch <vondruch@redhat.com> - 1:3.0.13-1
+- Updated to the ActionPack 3.0.13.
+
* Fri Mar 16 2012 Bohuslav Kabrda <bkabrda@redhat.com> - 1:3.0.11-3
- The CVE patches names now contain the CVE id.
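Review bot: The changelog entry added in this hunk says only that the package was updated to 3.0.13, although the same commit drops Patch4 and Patch5, the fixes for CVE-2012-1098 and CVE-2012-1099. Someone auditing the package history cannot tell from this entry whether those fixes are still present. Presumably 3.0.13 already contains both changes upstream; that should be confirmed against the upstream tree and then recorded, for example `- Removed CVE-2012-1098 and CVE-2012-1099 patches, fixed upstream.` The new `%exclude %{gem_cache}` line would likewise merit its own changelog line.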
diff --git a/sources b/sources
index 8364e35..69bb877 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-c67f5eeb29b519724028f64b69c7c757 actionpack-3.0.11-tests.tgz
-1a9a7eee2333853563af54afad349ee9 actionpack-3.0.11.gem
+8890a7c20c44f8b927592b8d49e2a4de actionpack-3.0.13-tests.tgz
+cc755373456a070fca005119abef601b actionpack-3.0.13.gem