Diffstat (limited to 'cve-2011-2197-actionpack-fix.patch')
-rw-r--r-- | cve-2011-2197-actionpack-fix.patch | 252 |
1 files changed, 252 insertions, 0 deletions
diff --git a/cve-2011-2197-actionpack-fix.patch b/cve-2011-2197-actionpack-fix.patch new file mode 100644 index 0000000..1690399 --- /dev/null +++ b/cve-2011-2197-actionpack-fix.patch 
@@ -0,0 +1,252 @@ +--- lib/action_view/helpers/text_helper.rb.orig 2011-06-16 21:02:32.000000000 -0400 ++++ lib/action_view/helpers/text_helper.rb 2011-06-16 21:07:58.000000000 -0400 +@@ -115,13 +115,12 @@ module ActionView + end + options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>') + +- text = sanitize(text) unless options[:sanitize] == false +- if text.blank? || phrases.blank? +- text +- else ++ if text.present? && phrases.present? + match = Array(phrases).map { |p| Regexp.escape(p) }.join('|') +- text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter]) +- end.html_safe ++ text = text.to_str.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter]) ++ end ++ text = sanitize(text) unless options[:sanitize] == false ++ text + end + + # Extracts an excerpt from +text+ that matches the first instance of +phrase+. +@@ -251,14 +250,16 @@ module ActionView + # simple_format("Look ma! A class!", :class => 'description') + # # => "<p class='description'>Look ma! A class!</p>" + def simple_format(text, html_options={}, options={}) +- text = ''.html_safe if text.nil? ++ text = text ? text.to_str : '' ++ text = text.dup if text.frozen? + start_tag = tag('p', html_options, true) +- text = sanitize(text) unless options[:sanitize] == false + text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n + text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph + text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br + text.insert 0, start_tag +- text.html_safe.safe_concat("</p>") ++ text.concat("</p>") ++ text = sanitize(text) unless options[:sanitize] == false ++ text + end + + # Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option +@@ -477,7 +478,7 @@ module ActionView + # is yielded and the result is used as the link text. 
+ def auto_link_urls(text, html_options = {}, options = {}) + link_attributes = html_options.stringify_keys +- text.gsub(AUTO_LINK_RE) do ++ text.to_str.gsub(AUTO_LINK_RE) do + scheme, href = $1, $& + punctuation = [] + +@@ -494,14 +495,12 @@ module ActionView + end + end + +- link_text = block_given?? yield(href) : href ++ link_text = block_given? ? yield(href) : href + href = 'http://' + href unless scheme + +- unless options[:sanitize] == false +- link_text = sanitize(link_text) +- href = sanitize(href) +- end +- content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('') ++ sanitize = options[:sanitize] != false ++ content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('') ++ + end + end.html_safe + end +@@ -509,18 +508,14 @@ module ActionView + # Turns all email addresses into clickable links. If a block is given, + # each email is yielded and the result is used as the link text. + def auto_link_email_addresses(text, html_options = {}, options = {}) +- text.gsub(AUTO_EMAIL_RE) do ++ text.to_str.gsub(AUTO_EMAIL_RE) do + text = $& + + if auto_linked?($`, $') + text.html_safe + else +- display_text = (block_given?) ? yield(text) : text +- +- unless options[:sanitize] == false +- text = sanitize(text) +- display_text = sanitize(display_text) unless text == display_text +- end ++ display_text = block_given? ? 
yield(text) : text ++ display_text = sanitize(display_text) unless options[:sanitize] == false + mail_to text, display_text, html_options + end + end +--- test/template/text_helper_test.rb.orig 2011-06-16 21:03:06.000000000 -0400 ++++ test/template/text_helper_test.rb 2011-06-16 21:10:53.000000000 -0400 +@@ -48,6 +48,11 @@ class TextHelperTest < ActionView::TestC + assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false) + end + ++ def test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false ++ assert !simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false).html_safe? ++ end ++ ++ + def test_truncate_should_not_be_html_safe + assert !truncate("Hello World!", :length => 12).html_safe? + end +@@ -166,6 +171,13 @@ class TextHelperTest < ActionView::TestC + ) + end + ++ def test_highlight_on_an_html_safe_string ++ assert_equal( ++ "<p>This is a <b>beautiful</b> morning, but also a <b>beautiful</b> day</p>", ++ highlight("<p>This is a beautiful morning, but also a beautiful day</p>".html_safe, "beautiful", :highlighter => '<b>\1</b>') ++ ) ++ end ++ + def test_highlight_with_html + assert_equal( + "<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>", +@@ -306,13 +318,10 @@ class TextHelperTest < ActionView::TestC + end + end + +- def generate_result(link_text, href = nil, escape = false) +- href ||= link_text +- if escape +- %{<a href="#{CGI::escapeHTML href}">#{CGI::escapeHTML link_text}</a>} +- else +- %{<a href="#{href}">#{link_text}</a>} +- end ++ def generate_result(link_text, href = nil) ++ href = CGI::escapeHTML(href || link_text) ++ text = CGI::escapeHTML(link_text) ++ %{<a href="#{href}">#{text}</a>} + end + + def test_auto_link_should_be_html_safe +@@ -323,6 +332,8 @@ class TextHelperTest < ActionView::TestC 
+ assert auto_link('').html_safe? + assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe? + assert auto_link("hello #{email_raw}").html_safe? ++ assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe' ++ assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe' + end + + def test_auto_link +@@ -419,7 +430,7 @@ class TextHelperTest < ActionView::TestC + + def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false + link_raw = %{http://www.rubyonrails.com?id=1&num=2} +- assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw) ++ assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw) + end + + def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false +--- test/abstract_unit.rb.orig 2011-06-17 07:51:44.000000000 -0400 ++++ test/abstract_unit.rb 2011-06-16 22:41:52.000000000 -0400 +@@ -169,6 +169,7 @@ class BasicController + config.assets_dir = public_dir + config.javascripts_dir = "#{public_dir}/javascripts" + config.stylesheets_dir = "#{public_dir}/stylesheets" ++ config.assets = ActiveSupport::InheritableOptions.new({ :prefix => "assets" }) + config + end + end +--- lib/action_view/helpers/url_helper.rb.orig 2011-06-16 22:39:58.000000000 -0400 ++++ lib/action_view/helpers/url_helper.rb 2011-06-16 22:40:35.000000000 -0400 +@@ -483,7 +483,7 @@ module ActionView + extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil? + extras = extras.empty? ? '' : '?' 
+ html_escape(extras.join('&')) + +- email_address_obfuscated = email_address.dup ++ email_address_obfuscated = email_address.to_str + email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at") + email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot") + +@@ -491,7 +491,7 @@ module ActionView + + if encode == "javascript" + html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe)) +- html = escape_javascript(html) ++ html = escape_javascript(html.to_str) + "document.write('#{html}');".each_byte do |c| + string << sprintf("%%%x", c) + end +--- lib/action_view/helpers/cache_helper.rb.orig 2011-06-16 22:38:31.000000000 -0400 ++++ lib/action_view/helpers/cache_helper.rb 2011-06-16 22:39:35.000000000 -0400 +@@ -53,7 +53,13 @@ module ActionView + # This dance is needed because Builder can't use capture + pos = output_buffer.length + yield +- fragment = output_buffer.slice!(pos..-1) ++ if output_buffer.is_a?(ActionView::OutputBuffer) ++ safe_output_buffer = output_buffer.to_str ++ fragment = safe_output_buffer.slice!(pos..-1) ++ self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer) ++ else ++ fragment = output_buffer.slice!(pos..-1) ++ end + controller.write_fragment(name, fragment, options) + end + end +--- test/template/text_helper_test.rb.orig 2011-06-17 08:28:21.000000000 -0400 ++++ test/template/text_helper_test.rb 2011-06-17 08:30:42.000000000 -0400 +@@ -324,16 +324,20 @@ class TextHelperTest < ActionView::TestC + %{<a href="#{href}">#{text}</a>} + end + +- def test_auto_link_should_be_html_safe ++ def test_auto_link_should_no_be_html_safe + email_raw = 'santiago@wyeworks.com' + link_raw = 'http://www.rubyonrails.org' + +- assert auto_link(nil).html_safe? +- assert auto_link('').html_safe? +- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe? 
+- assert auto_link("hello #{email_raw}").html_safe? +- assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe' +- assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe' ++ assert !auto_link(nil).html_safe?, 'should not be html safe' ++ assert !auto_link('').html_safe?, 'should not be html safe' ++ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe' ++ assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe' ++ end ++ ++ def test_auto_link_email_address ++ email_raw = 'aaron@tenderlovemaking.com' ++ email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>} ++ assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe' + end + + def test_auto_link +--- lib/action_view/helpers/text_helper.rb.orig 2011-06-17 08:29:06.000000000 -0400 ++++ lib/action_view/helpers/text_helper.rb 2011-06-17 08:29:25.000000000 -0400 +@@ -300,7 +300,7 @@ module ActionView + # # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>. + # Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>." + def auto_link(text, *args, &block)#link = :all, html = {}, &block) +- return ''.html_safe if text.blank? ++ return '' if text.blank? + + options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter + unless args.empty? +@@ -502,7 +502,7 @@ module ActionView + content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('') + + end +- end.html_safe ++ end + end + + # Turns all email addresses into clickable links. If a block is given, |
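Review bot: The `.dup` → `.to_str` replacement in the url_helper.rb hunk (`email_address_obfuscated = email_address.to_str`) aliases the argument whenever `email_address` is a plain String, because String#to_str returns the receiver itself for exact String instances; the following `gsub!` calls for `replace_at`/`replace_dot` then rewrite the caller's string, and the `"mailto:#{email_address}#{extras}"` href a few lines below is built from the already-obfuscated value. Whether something earlier in mail_to already copies the address is not visible here (the method starts outside the hunk), so I would keep the copy explicit: `email_address_obfuscated = email_address.to_str.dup`. The same pattern appears in the simple_format hunk of text_helper.rb, where `text = text ? text.to_str : ''` followed by `text.gsub!` mutates an unfrozen String argument in place, since the `dup if text.frozen?` line only protects frozen inputs; `text = text ? text.to_str.dup : ''` makes the copy unconditional. Both adjustments keep the intent of the fix, which is to drop the html_safe marking from the result, without sharing the caller's buffer.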