graaff      15/07/10 06:45:26

  Added:                redcloth-4.2.9-cve-2012-6684.patch
  Log:
  Add debian patch for bug 536008.
  
  (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 0x8883FA56A308A8D7!)

Revision  Changes    Path
1.1                  dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch?rev=1.1&content-type=text/plain

Index: redcloth-4.2.9-cve-2012-6684.patch
===================================================================
Patch taken from Debian (via upstream pull request that is still pending)

http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/
https://github.com/jgarber/redcloth/pull/20/commits

>From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
From: Antonio Terceiro <terce...@debian.org>
Date: Sat, 7 Feb 2015 23:27:39 -0200
Subject: [PATCH] Filter out 'javascript:' links when using filter_html or
 sanitize_html

This is a fix for CVE-2012-6684
---
 lib/redcloth/formatters/html.rb     |  6 +++++-
 spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 spec/security/CVE-2012-6684_spec.rb

diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
index bfadfb7..b8793b2 100644
--- a/lib/redcloth/formatters/html.rb
+++ b/lib/redcloth/formatters/html.rb
@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML
   end
   
   def link(opts)
-    "<a href=\"#{escape_attribute 
opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
+    if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
+      opts[:name]
+    else
+      "<a href=\"#{escape_attribute 
opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
+    end
   end
   
   def image(opts)
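Review bot: the scheme check in `link` is case-sensitive and line-anchored. `opts[:href] =~ /^\s*javascript:/` rejects `javascript:` but not `JavaScript:` or `JAVASCRIPT:`, which browsers treat identically, and Ruby's `^` matches after any embedded newline rather than only at the start of the string; `/\A\s*javascript:/i` is the minimum fix. The condition is also a denylist of a single scheme, so `vbscript:` and `data:` hrefs still reach the `href` attribute under `filter_html` and `sanitize_html`; an allowlist of acceptable schemes (http, https, mailto, ftp, and scheme-less relative URLs) is the more robust shape for a sanitizing mode. Whichever is chosen, the branch deserves a comment naming CVE-2012-6684 so the next reader knows why a link silently degrades to its bare `opts[:name]`.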
diff --git a/spec/security/CVE-2012-6684_spec.rb 
b/spec/security/CVE-2012-6684_spec.rb
new file mode 100644
index 0000000..05219fd
--- /dev/null
+++ b/spec/security/CVE-2012-6684_spec.rb
@@ -0,0 +1,14 @@
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
+
+require 'redcloth'
+
+describe 'CVE-2012-6684' do
+
+  it 'should not let javascript links pass through' do
+    # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
+    output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', 
[:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/href=.javascript:alert/)
+  end
+
+
+end
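Review bot: the spec only exercises the `:filter_html` branch with a lowercase, unpadded `javascript:` payload; `sanitize_html`, which the patch also guards, has no case, and neither does the leading-whitespace form that the regex's `\s*` is written for. Suggest adding examples with `[:sanitize_html]`, with `" javascript:alert(1)"`, and with a mixed-case scheme such as `JavaScript:`, so the spec documents the intended boundary rather than one sample. The negative assertion `to_not match(/href=.javascript:alert/)` would also pass if the output were mangled entirely; asserting the expected rendering (the bare link text `clickme` with no `<a>` element) is a stronger check. The double blank line before `end` is a style nit.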
-- 
2.1.4
