From ffe9fad1d5f35cf7d74fca361dad49df5c0ad5e5 Mon Sep 17 00:00:00 2001
From: Vít Ondruch
Date: Mon, 4 Jul 2011 15:59:43 +0200
Subject: Update to ActionPack 3.0.9
---
 .gitignore | 2 +
 actionpack-downgrade-dependencies.patch | 40 -----
 cve-2011-2197-actionpack-fix.patch | 252 --------------------------------
 rubygem-actionpack.spec | 35 ++---
 sources | 4 +-
 5 files changed, 17 insertions(+), 316 deletions(-)
 delete mode 100644 actionpack-downgrade-dependencies.patch
 delete mode 100644 cve-2011-2197-actionpack-fix.patch
diff --git a/.gitignore b/.gitignore
index 18bba3a..03f9f4f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@ actionpack-2.3.8.gem
 /actionpack-3.0.3.gem
 /actionpack-tests.tgz
 /actionpack-3.0.5.gem
+/actionpack-3.0.9-tests.tgz
+/actionpack-3.0.9.gem
diff --git a/actionpack-downgrade-dependencies.patch b/actionpack-downgrade-dependencies.patch
deleted file mode 100644
index 0a81d76..0000000
--- a/actionpack-downgrade-dependencies.patch
+++ /dev/null
@@ -1,40 +0,0 @@
---- specifications/actionpack-3.0.5.gemspec.orig 2011-01-18 16:24:30.469405214 -0500
-+++ specifications/actionpack-3.0.5.gemspec 2011-01-18 16:26:01.445405000 -0500
-@@ -25,31 +25,31 @@ Gem::Specification.new do |s|
- s.add_runtime_dependency(%q, ["= 3.0.5"])
- s.add_runtime_dependency(%q, ["~> 2.1.2"])
- s.add_runtime_dependency(%q, ["~> 0.4"])
-- s.add_runtime_dependency(%q, [">= 1.2.1"])
-- s.add_runtime_dependency(%q, [">= 0.5.7"])
-+ s.add_runtime_dependency(%q, [">= 1.1.0"])
-+ s.add_runtime_dependency(%q, [">= 0.5.4"])
- s.add_runtime_dependency(%q, [">= 0.6.13"])
- s.add_runtime_dependency(%q, ["~> 0.3.23"])
- s.add_runtime_dependency(%q, ["~> 2.6.6"])
- else
- s.add_dependency(%q, ["= 3.0.5"])
- s.add_dependency(%q, ["= 3.0.5"])
- s.add_dependency(%q, ["~> 2.1.2"])
- s.add_dependency(%q, ["~> 0.4"])
-- s.add_dependency(%q, [">= 1.2.1"])
-- s.add_dependency(%q, [">= 0.5.7"])
-+ s.add_dependency(%q, [">= 1.1.0"])
-+ s.add_dependency(%q, [">= 0.5.4"])
- s.add_dependency(%q, [">= 0.6.13"])
- s.add_dependency(%q, ["~> 0.3.23"])
- s.add_dependency(%q, ["~> 2.6.6"])
- end
- else
- s.add_dependency(%q, ["= 3.0.5"])
- s.add_dependency(%q, ["= 3.0.5"])
- s.add_dependency(%q, ["~> 2.1.2"])
- s.add_dependency(%q, ["~> 0.4"])
-- s.add_dependency(%q, [">= 1.2.1"])
-- s.add_dependency(%q, [">= 0.5.7"])
-+ s.add_dependency(%q, [">= 1.1.0"])
-+ s.add_dependency(%q, [">= 0.5.4"])
- s.add_dependency(%q, [">= 0.6.13"])
- s.add_dependency(%q, ["~> 0.3.23"])
- s.add_dependency(%q, ["~> 2.6.6"])
- end
- end
diff --git a/cve-2011-2197-actionpack-fix.patch b/cve-2011-2197-actionpack-fix.patch
deleted file mode 100644
index 1690399..0000000
--- a/cve-2011-2197-actionpack-fix.patch
+++ /dev/null
@@ -1,252 +0,0 @@ ---- lib/action_view/helpers/text_helper.rb.orig 2011-06-16 21:02:32.000000000 -0400 -+++ lib/action_view/helpers/text_helper.rb 2011-06-16 21:07:58.000000000 -0400 -@@ -115,13 +115,12 @@ module ActionView - end - options.reverse_merge!(:highlighter => '\1') - -- text = sanitize(text) unless options[:sanitize] == false -- if text.blank? || phrases.blank? -- text -- else -+ if text.present? && phrases.present? - match = Array(phrases).map { |p| Regexp.escape(p) }.join('|') -- text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter]) -- end.html_safe -+ text = text.to_str.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter]) -+ end -+ text = sanitize(text) unless options[:sanitize] == false -+ text - end - - # Extracts an excerpt from +text+ that matches the first instance of +phrase+. -@@ -251,14 +250,16 @@ module ActionView - # simple_format("Look ma! A class!", :class => 'description') - # # => "

Look ma! A class!

" - def simple_format(text, html_options={}, options={}) -- text = ''.html_safe if text.nil? -+ text = text ? text.to_str : '' -+ text = text.dup if text.frozen? - start_tag = tag('p', html_options, true) -- text = sanitize(text) unless options[:sanitize] == false - text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n - text.gsub!(/\n\n+/, "

\n\n#{start_tag}") # 2+ newline -> paragraph - text.gsub!(/([^\n]\n)(?=[^\n])/, '\1
') # 1 newline -> br - text.insert 0, start_tag -- text.html_safe.safe_concat("

") -+ text.concat("

") -+ text = sanitize(text) unless options[:sanitize] == false -+ text - end - - # Turns all URLs and e-mail addresses into clickable links. The :link option -@@ -477,7 +478,7 @@ module ActionView - # is yielded and the result is used as the link text. - def auto_link_urls(text, html_options = {}, options = {}) - link_attributes = html_options.stringify_keys -- text.gsub(AUTO_LINK_RE) do -+ text.to_str.gsub(AUTO_LINK_RE) do - scheme, href = $1, $& - punctuation = [] - -@@ -494,14 +495,12 @@ module ActionView - end - end - -- link_text = block_given?? yield(href) : href -+ link_text = block_given? ? yield(href) : href - href = 'http://' + href unless scheme - -- unless options[:sanitize] == false -- link_text = sanitize(link_text) -- href = sanitize(href) -- end -- content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('') -+ sanitize = options[:sanitize] != false -+ content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('') -+ - end - end.html_safe - end -@@ -509,18 +508,14 @@ module ActionView - # Turns all email addresses into clickable links. If a block is given, - # each email is yielded and the result is used as the link text. - def auto_link_email_addresses(text, html_options = {}, options = {}) -- text.gsub(AUTO_EMAIL_RE) do -+ text.to_str.gsub(AUTO_EMAIL_RE) do - text = $& - - if auto_linked?($`, $') - text.html_safe - else -- display_text = (block_given?) ? yield(text) : text -- -- unless options[:sanitize] == false -- text = sanitize(text) -- display_text = sanitize(display_text) unless text == display_text -- end -+ display_text = block_given? ? 
yield(text) : text -+ display_text = sanitize(display_text) unless options[:sanitize] == false - mail_to text, display_text, html_options - end - end ---- test/template/text_helper_test.rb.orig 2011-06-16 21:03:06.000000000 -0400 -+++ test/template/text_helper_test.rb 2011-06-16 21:10:53.000000000 -0400 -@@ -48,6 +48,11 @@ class TextHelperTest < ActionView::TestC - assert_equal "

test with unsafe string

", simple_format(" test with unsafe string ", {}, :sanitize => false) - end - -+ def test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false -+ assert !simple_format(" test with unsafe string ", {}, :sanitize => false).html_safe? -+ end -+ -+ - def test_truncate_should_not_be_html_safe - assert !truncate("Hello World!", :length => 12).html_safe? - end -@@ -166,6 +171,13 @@ class TextHelperTest < ActionView::TestC - ) - end - -+ def test_highlight_on_an_html_safe_string -+ assert_equal( -+ "

This is a beautiful morning, but also a beautiful day

", -+ highlight("

This is a beautiful morning, but also a beautiful day

".html_safe, "beautiful", :highlighter => '\1') -+ ) -+ end -+ - def test_highlight_with_html - assert_equal( - "

This is a beautiful morning, but also a beautiful day

", -@@ -306,13 +318,10 @@ class TextHelperTest < ActionView::TestC - end - end - -- def generate_result(link_text, href = nil, escape = false) -- href ||= link_text -- if escape -- %{#{CGI::escapeHTML link_text}} -- else -- %{#{link_text}} -- end -+ def generate_result(link_text, href = nil) -+ href = CGI::escapeHTML(href || link_text) -+ text = CGI::escapeHTML(link_text) -+ %{#{text}} - end - - def test_auto_link_should_be_html_safe -@@ -323,6 +332,8 @@ class TextHelperTest < ActionView::TestC - assert auto_link('').html_safe? - assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe? - assert auto_link("hello #{email_raw}").html_safe? -+ assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe' -+ assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe' - end - - def test_auto_link -@@ -419,7 +430,7 @@ class TextHelperTest < ActionView::TestC - - def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false - link_raw = %{http://www.rubyonrails.com?id=1&num=2} -- assert_equal %{http://www.rubyonrails.com?id=1&num=2}, auto_link(link_raw) -+ assert_equal %{http://www.rubyonrails.com?id=1&num=2}, auto_link(link_raw) - end - - def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false ---- test/abstract_unit.rb.orig 2011-06-17 07:51:44.000000000 -0400 -+++ test/abstract_unit.rb 2011-06-16 22:41:52.000000000 -0400 -@@ -169,6 +169,7 @@ class BasicController - config.assets_dir = public_dir - config.javascripts_dir = "#{public_dir}/javascripts" - config.stylesheets_dir = "#{public_dir}/stylesheets" -+ config.assets = ActiveSupport::InheritableOptions.new({ :prefix => "assets" }) - config - end - end ---- lib/action_view/helpers/url_helper.rb.orig 2011-06-16 22:39:58.000000000 -0400 -+++ lib/action_view/helpers/url_helper.rb 2011-06-16 22:40:35.000000000 -0400 -@@ -483,7 +483,7 @@ module ActionView - extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil? 
- extras = extras.empty? ? '' : '?' + html_escape(extras.join('&')) - -- email_address_obfuscated = email_address.dup -+ email_address_obfuscated = email_address.to_str - email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at") - email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot") - -@@ -491,7 +491,7 @@ module ActionView - - if encode == "javascript" - html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe)) -- html = escape_javascript(html) -+ html = escape_javascript(html.to_str) - "document.write('#{html}');".each_byte do |c| - string << sprintf("%%%x", c) - end ---- lib/action_view/helpers/cache_helper.rb.orig 2011-06-16 22:38:31.000000000 -0400 -+++ lib/action_view/helpers/cache_helper.rb 2011-06-16 22:39:35.000000000 -0400 -@@ -53,7 +53,13 @@ module ActionView - # This dance is needed because Builder can't use capture - pos = output_buffer.length - yield -- fragment = output_buffer.slice!(pos..-1) -+ if output_buffer.is_a?(ActionView::OutputBuffer) -+ safe_output_buffer = output_buffer.to_str -+ fragment = safe_output_buffer.slice!(pos..-1) -+ self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer) -+ else -+ fragment = output_buffer.slice!(pos..-1) -+ end - controller.write_fragment(name, fragment, options) - end - end ---- test/template/text_helper_test.rb.orig 2011-06-17 08:28:21.000000000 -0400 -+++ test/template/text_helper_test.rb 2011-06-17 08:30:42.000000000 -0400 -@@ -324,16 +324,20 @@ class TextHelperTest < ActionView::TestC - %{#{text}} - end - -- def test_auto_link_should_be_html_safe -+ def test_auto_link_should_no_be_html_safe - email_raw = 'santiago@wyeworks.com' - link_raw = 'http://www.rubyonrails.org' - -- assert auto_link(nil).html_safe? -- assert auto_link('').html_safe? 
-- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe? -- assert auto_link("hello #{email_raw}").html_safe? -- assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe' -- assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe' -+ assert !auto_link(nil).html_safe?, 'should not be html safe' -+ assert !auto_link('').html_safe?, 'should not be html safe' -+ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe' -+ assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe' -+ end -+ -+ def test_auto_link_email_address -+ email_raw = 'aaron@tenderlovemaking.com' -+ email_result = %{#{email_raw}} -+ assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe' - end - - def test_auto_link ---- lib/action_view/helpers/text_helper.rb.orig 2011-06-17 08:29:06.000000000 -0400 -+++ lib/action_view/helpers/text_helper.rb 2011-06-17 08:29:25.000000000 -0400 -@@ -300,7 +300,7 @@ module ActionView - # # => "Welcome to my new blog at http://www.myblog.com. - # Please e-mail me at me@email.com." - def auto_link(text, *args, &block)#link = :all, html = {}, &block) -- return ''.html_safe if text.blank? -+ return '' if text.blank? - - options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter - unless args.empty? -@@ -502,7 +502,7 @@ module ActionView - content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('') - - end -- end.html_safe -+ end - end - - # Turns all email addresses into clickable links. If a block is given, diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec index befe029..0e709ae 100644 --- a/rubygem-actionpack.spec +++ b/rubygem-actionpack.spec 
@@ -1,15 +1,16 @@
 # Generated from actionpack-1.13.5.gem by gem2rpm -*- rpm-spec -*-
-%define gemdir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)
-%define gemname actionpack
-%define geminstdir %{gemdir}/gems/%{gemname}-%{version}
+%global gemname actionpack
 
-%define rubyabi 1.8
+%global gemdir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)
+%global geminstdir %{gemdir}/gems/%{gemname}-%{version}
+
+%global rubyabi 1.8
 
 Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Epoch: 1
-Version: 3.0.5
-Release: 3%{?dist}
+Version: 3.0.9
+Release: 1%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -22,9 +23,9 @@ Source1: http://github.com/rails/rails/raw/v%{version}/%{gemname}/Rakefile
 # You may check it out like so
 # git clone http://github.com/rails/rails.git
 # cd rails/actionpack/
-# git checkout v3.0.5
-# tar czvf actionpack-tests.tgz test/
-Source2: actionpack-tests.tgz
+# git checkout v3.0.9
+# tar czvf actionpack-3.0.9-tests.tgz test/
+Source2: actionpack-3.0.9-tests.tgz
 
 Patch0: rubygem-actionpack-enable-test.patch
 
@@ -36,15 +37,6 @@ Patch1: actionpack-rakefile-fix.patch
 # dependency on a file in the greater rails proj
 Patch2: actionpack-tests-fix.patch
 
-Patch3: actionpack-downgrade-dependencies.patch
-
-# CVE-2011-2197
-# http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
-# FIXES: https://gist.github.com/b2ceb626fc2bcdfe497f
-# https://github.com/rails/rails/commit/c6503f48bd13c696fcc81f2a4a87b8cd7c009657
-# https://github.com/rails/rails/commit/2e757bc298cef715e5c56945161bbd84f2610729
-Patch4: cve-2011-2197-actionpack-fix.patch
-
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
@@ -102,7 +94,6 @@ pushd .%{geminstdir}
 %patch0 -p0
 %patch1 -p0
 %patch2 -p0
-%patch4 -p0
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
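Review bot: Removing `Patch3: actionpack-downgrade-dependencies.patch` puts the gemspec's original `>= 1.2.1` and `>= 0.5.7` runtime constraints back in force (the deleted patch had relaxed them to 1.1.0 and 0.5.4; the gem names are not visible in this listing), yet the spec's `Requires: rubygem(...)` lines for those gems lie outside this hunk and are not touched by the commit, so they should be re-checked against the 3.0.9 gemspec or the RPM metadata may accept a combination the gem refuses to activate. Dropping `Patch4: cve-2011-2197-actionpack-fix.patch` is presumably right because the 3.0.9 gem ships the upstream fix, but the %changelog hunk further down this file records only `- Update to ActionPack 3.0.9`; adding `- Drop cve-2011-2197-actionpack-fix.patch, fix included upstream` keeps the CVE's handling traceable in the package history. Note also that `%global gemdir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)` is now expanded once when the spec is parsed rather than lazily at each use, so a build environment without `ruby` on the PATH yields an empty `gemdir` silently because of the `2>/dev/null`. The %prep section containing the removed `%patch4 -p0` line continues outside the hunk.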
@@ -111,9 +102,6 @@ popd
 popd
-pushd .%{gemdir}
-%patch3 -p0
-
 # Remove backup files
 # No! these are needed for rake test
 # find ./%{geminstdir} -type f -name "*~" -delete
@@ -173,6 +161,9 @@ rake test --trace
 %changelog
+* Mon Jul 04 2011 Vít Ondruch - 1:3.0.9-1
+- Update to ActionPack 3.0.9
+
 * Thu Jun 16 2011 Mo Morsi - 1:3.0.5-3
 - Include fix for CVE-2011-2197
diff --git a/sources b/sources
index 2bc6203..91c106a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-af25980a393ab111f9fcef3d65f73c89 actionpack-3.0.5.gem
-00cb87071ba9ad6de3327a347b22e836 actionpack-tests.tgz
+0844368eaac33d7c4bc9cfe68f8336a0 actionpack-3.0.9-tests.tgz
+1c06974f4b81d38284d36e88ca7f95aa actionpack-3.0.9.gem
-- 
cgit