From be86fa33f687a877ce052404fb018eae6ae9f892 Mon Sep 17 00:00:00 2001 From: Bohuslav Kabrda Date: Tue, 6 Mar 2012 07:06:12 +0100 Subject: Fix for CVE-2012-1098. - Fix for CVE-2012-1099. --- actionpack-safe-buffer-slice-fix.patch | 44 ++++++++++++++++++++++++ actionpack-select-options-XSS-fix.patch | 61 +++++++++++++++++++++++++++++++++ rubygem-actionpack.spec | 16 ++++++++- 3 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 actionpack-safe-buffer-slice-fix.patch create mode 100644 actionpack-select-options-XSS-fix.patch diff --git a/actionpack-safe-buffer-slice-fix.patch b/actionpack-safe-buffer-slice-fix.patch new file mode 100644 index 0000000..3eaca8d --- /dev/null +++ b/actionpack-safe-buffer-slice-fix.patch @@ -0,0 +1,44 @@ +From 00e632de2bde61425142ef8edc408e8d21ff9134 Mon Sep 17 00:00:00 2001 +From: Aaron Patterson +Date: Wed, 29 Feb 2012 16:37:30 -0800 +Subject: [PATCH] Squashed commit of the following: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 917fd1a03845f4eedaccbc338f9d7524e98d45ee +Author: José Valim +Date: Wed Feb 29 22:30:51 2012 +0100 + + Ensure [] respects the status of the buffer. + +commit 6adc41789017682306181e3db5b30337fe450bcc +Author: Akira Matsuda +Date: Mon Feb 13 17:57:05 2012 +0900 + + use AS::SafeBuffer#clone_empty for flushing the output_buffer + +commit e50ee96a0b37e7c5adfc555edd402ad04cc159f1 +Author: Akira Matsuda +Date: Mon Feb 13 17:54:58 2012 +0900 + + add AS::SafeBuffer#clone_empty +--- + .../lib/action_view/helpers/capture_helper.rb | 2 +- + .../core_ext/string/output_safety.rb | 50 ++++++++++++------- + activesupport/test/safe_buffer_test.rb | 46 ++++++++++++++++-- + 3 files changed, 74 insertions(+), 24 deletions(-) + +diff --git a/actionpack/lib/action_view/helpers/capture_helper.rb b/actionpack/lib/action_view/helpers/capture_helper.rb +index cbc660d..c91e4c1 100644 +--- a/actionpack/lib/action_view/helpers/capture_helper.rb ++++ b/actionpack/lib/action_view/helpers/capture_helper.rb +@@ -179,7 +179,7 @@ module ActionView + def flush_output_buffer #:nodoc: + if output_buffer && !output_buffer.empty? + response.body_parts << output_buffer +- self.output_buffer = output_buffer[0,0] ++ self.output_buffer = output_buffer.respond_to?(:clone_empty) ? output_buffer.clone_empty : output_buffer[0, 0] + nil + end + end diff --git a/actionpack-select-options-XSS-fix.patch b/actionpack-select-options-XSS-fix.patch new file mode 100644 index 0000000..f0211c0 --- /dev/null +++ b/actionpack-select-options-XSS-fix.patch @@ -0,0 +1,61 @@ +From 5b4082fddf3412aef6c085fbb2a13fd3bbc75f4e Mon Sep 17 00:00:00 2001 +From: Sergey Nartimov +Date: Mon, 20 Feb 2012 15:41:17 -0800 +Subject: [PATCH] fix output safety issue with select options + +--- + .../lib/action_view/helpers/form_options_helper.rb | 6 +++--- + .../test/template/form_options_helper_test.rb | 9 ++++++++- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb +index 082647f..949b02a 100644 +--- a/actionpack/lib/action_view/helpers/form_options_helper.rb ++++ b/actionpack/lib/action_view/helpers/form_options_helper.rb +@@ -596,13 +596,13 @@ module ActionView + private + def add_options(option_tags, options, value = nil) + if options[:include_blank] +- option_tags = "\n" + option_tags ++ option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags + end + if value.blank? && options[:prompt] + prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select') +- option_tags = "\n" + option_tags ++ option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags + end +- option_tags.html_safe ++ option_tags + end + end + +diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb +index 6656420..9ca4bf6 100644 +--- a/actionpack/test/template/form_options_helper_test.rb ++++ b/actionpack/test/template/form_options_helper_test.rb +@@ -432,7 +432,7 @@ class FormOptionsHelperTest < ActionView::TestCase + + def test_select_under_fields_for_with_string_and_given_prompt + @post = Post.new +- options = "" ++ options = "".html_safe + + output_buffer = fields_for :post, @post do |f| + concat f.select(:category, options, :prompt => 'The prompt') +@@ -536,6 +536,13 @@ class FormOptionsHelperTest < ActionView::TestCase + ) + end + ++ def test_select_escapes_options ++ assert_dom_equal( ++ '', ++ select('post', 'title', '') ++ ) ++ end ++ + def test_select_with_selected_nil + @post = Post.new + @post.category = "" +-- +1.7.6 + diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec index 61e6799..b76cdd8 100644 --- a/rubygem-actionpack.spec +++ b/rubygem-actionpack.spec @@ -7,7 +7,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC Name: rubygem-%{gem_name} Epoch: 1 Version: 3.0.11 -Release: 1%{?dist} +Release: 2%{?dist} Group: Development/Languages License: MIT URL: http://www.rubyonrails.org @@ -36,6 +36,14 @@ Patch2: actionpack-tests-fix.patch Patch3: actionpack-downgrade-dependencies.patch +# Fixes CVE-2012-1098 +# https://bugzilla.redhat.com/show_bug.cgi?id=799275 +Patch4: actionpack-safe-buffer-slice-fix.patch + +# Fixes CVE-2012-1099 +# https://bugzilla.redhat.com/show_bug.cgi?id=799276 +Patch5: actionpack-select-options-XSS-fix.patch + Requires: ruby(rubygems) Requires: rubygem(activesupport) = %{version} Requires: rubygem(activemodel) = %{version} @@ -94,6 +102,8 @@ pushd .%{gem_instdir} %patch0 -p0 %patch1 -p0 %patch2 -p0 +%patch4 -p2 +%patch5 -p2 # create missing symlink pushd test/fixtures/layout_tests/layouts/ @@ -165,6 +175,10 @@ rake test --trace %changelog +* Tue Mar 06 2012 Bohuslav Kabrda - 1:3.0.11-2 +- Fix for CVE-2012-1098. +- Fix for CVE-2012-1099. + * Tue Jan 31 2012 Bohuslav Kabrda - 1:3.0.11-1 - Rebuilt for Ruby 1.9.3. - Updated to ActionPack 3.0.11. -- cgit