Hello community,

here is the log from the commit of package rubygem-actionpack-2_3.1538 for openSUSE:12.1:Update checked in at 2013-04-10 22:41:18

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/rubygem-actionpack-2_3.1538 (Old)
 and      /work/SRC/openSUSE:12.1:Update/.rubygem-actionpack-2_3.1538.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-2_3.1538", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-04-05 00:01:41.916011506 +0200 +++ /work/SRC/openSUSE:12.1:Update/.rubygem-actionpack-2_3.1538.new/rubygem-actionpack-2_3.changes 2013-04-10 22:41:20.000000000 +0200 
@@ -0,0 +1,183 @@ +------------------------------------------------------------------- +Tue Apr 2 11:33:01 UTC 2013 - jmassaguer...@suse.com + +- add 2 patches to fix security issues: + - bug-809935_2-3-css_sanitize.patch: + CVE-2013-1855: rubygem-actionpack*: XSS vulnerability in + sanitize_css in Action Pack (bnc#809935) + - bug-809940_2-3-sanitize_protocol.patch: + CVE-2013-1857: rubygem-actionpack*: XSS Vulnerability in the + `sanitize` helper of Ruby on Rails (bnc#809940) + +------------------------------------------------------------------- +Wed Feb 13 23:13:00 UTC 2013 - mrueck...@suse.de + +- update to version 2.3.17 (bnc#803336, bnc#803339) + CVE-2013-0276 CVE-2013-0277: + - testsuite updates for the active support single quote change + +------------------------------------------------------------------- +Wed Jan 30 16:20:09 UTC 2013 - mrueck...@suse.de + +- update to 2.3.16 (bnc#800320) CVE-2013-0333 + - backporting deep_munge + - removing [nil] from the params + - Do not mark strip_tags result as html_safe +- this obsoletes all our patches: + 2-3-null_array_param.patch + 2-3-null_param.patch + 3-0-strip_tags.patch + +------------------------------------------------------------------- +Thu Jan 17 11:22:43 UTC 2013 - mrueck...@suse.de + +- update to 2.3.15: (bnc#796712, bnc#797449, bnc#797452) + - handle missing 'HTTP_X_FORWARDED_FOR' + - added test suite for RCE bug + +------------------------------------------------------------------- +Fri Sep 7 18:50:59 UTC 2012 - mrueck...@suse.de + +- added 3-0-strip_tags.patch: (bnc#775649) + Do not mark strip_tags result as html_safe CVE-2012-3465 + +------------------------------------------------------------------- +Wed Jul 18 14:57:18 UTC 2012 - mrueck...@suse.de + +- added 2 patches to fix security issues: + 2-3-null_param.patch (CVE-2012-2660) (bnc#765097) + 2-3-null_array_param.patch (CVE-2012-2694) (bnc#766791) +- track series file from quilt for easier handling + 
+------------------------------------------------------------------- +Wed Aug 17 12:02:42 UTC 2011 - mrueck...@suse.de + +- update to version 2.3.14 + - fix fixing strip tags vulnerability (bnc#712057) + - fixing response splitting problem (bnc#712058) + +------------------------------------------------------------------- +Mon Jun 20 16:27:43 UTC 2011 - mrueck...@suse.de + +- update to version 2.3.12 + - dont call destroy on a session if it doesnt respond to destroy + - fix session timeout handling + +------------------------------------------------------------------- +Wed Feb 16 11:09:20 UTC 2011 - mrueck...@suse.de + +- update to version 2.3.11: (bnc#668817) + - XSS Risk in mail_to :encode=>:javascript CVE-2011-0446 + - CSRF Bypass Risk CVE-2011-0447 + - Filter Problems on Case Insensitive Filesystems CVE-2011-0449 + - Potential SQL Injection with limit() CVE-2011-0448 + +------------------------------------------------------------------- +Mon Jan 17 13:21:21 UTC 2011 - mvid...@suse.cz + +- Split off doc and testsuite subpackages. + +------------------------------------------------------------------- +Wed Oct 27 11:34:50 UTC 2010 - mrueck...@suse.de + +- update to version 2.3.10 + * Version bump. + +------------------------------------------------------------------- +Sun Sep 5 11:07:19 UTC 2010 - mrueck...@suse.de + +- update to version 2.3.9 + * Version bump. + +------------------------------------------------------------------- +Tue May 25 16:08:12 UTC 2010 - mrueck...@suse.de + +- use rubygems_requires macro + +------------------------------------------------------------------- +Tue May 25 15:07:19 UTC 2010 - mrueck...@suse.de + +- update to version 2.3.8 + * HTML safety: fix compatibility *without* the optional rails_xss + plugin. +- additional changes from version 2.3.7 + * HTML safety: fix compatibility with the optional rails_xss + plugin. 
[Nathan Weizenbaum, Santiago Pastorino] +- additional changes from version 2.3.6 + * JSON: set Base.include_root_in_json = true to include a root + value in the JSON: {"post": {"title": ...}}. Mirrors the Active + Record option. #2584 [Matthew Moore, Joe Martinez, Elad + Meidar, Santiago Pastorino] + * Ruby 1.9: ERB template encoding using a magic comment at the + top of the file. [Jeremy Kemper] <%# encoding: utf-8 %> + * Fixed that default locale templates should be used if the + current locale template is missing [DHH] + * Fixed that PrototypeHelper#update_page should return html_safe + [DHH] + * Fixed that much of DateHelper wouldn't return html_safe? + strings [DHH] + * Fixed that fragment caching should return a cache hit as + html_safe (or it would all just get escaped) [DHH] + * Introduce String#html_safe for rails_xss plugin and + forward-compatibility with Rails 3. [Michael Koziarski, + Santiago Pastorino, José Ignacio Costa] + * Added :alert, :notice, and :flash as options to + ActionController::Base#redirect_to that'll automatically set + the proper flash before the redirection [DHH]. + * Added ActionController::Base#notice/= and + ActionController::Base#alert/= as a convenience accessors in + both the controller and the view for flash[:notice]/= and + flash[:alert]/= [DHH] + * Added cookies.permanent, cookies.signed, and + cookies.permanent.signed accessor for common cookie actions + [DHH]. +- removed actionpack-2.3.5_button_to.patch: + included in update + +------------------------------------------------------------------- +Thu Feb 18 14:09:24 UTC 2010 - aduff...@novell.com + +- add a patch to fix (bnc#581792): + https://rails.lighthouseapp.com/projects/8994/tickets/3448-button_to-does-not-return-an-html-safe-string + +------------------------------------------------------------------- +Fri Jan 15 14:21:37 UTC 2010 - mrueck...@suse.de + +- fix requires on rack. gem spec and code disagree with each other. 
+ +------------------------------------------------------------------- +Tue Dec 1 18:19:07 UTC 2009 - ch...@computersalat.de + +- update to version 2.3.5 + - Minor Bug Fixes and deprecation warnings + - Ruby 1.9 Support + - Fix filtering parameters when there are Fixnum or other + un-dupable values. + - Improvements to ActionView::TestCase + - Compatiblity with the rails_xss plugin +- removed actionpack-2.3.4_number_to_human_size_fix_eb30c695444b904d7937c8c12c59da9a8c4d60e5.patch: + included in update + +------------------------------------------------------------------- +Fri Nov 20 13:53:22 UTC 2009 - mrueck...@suse.de + +- added actionpack-2.3.4_number_to_human_size_fix_eb30c695444b904d7937c8c12c59da9a8c4d60e5.patch + fix number_to_human_size (bnc#545720) + +------------------------------------------------------------------- +Thu Sep 10 12:03:08 UTC 2009 - adr...@suse.de + +- update to version 2.3.4 + +------------------------------------------------------------------- +Fri Jun 5 16:58:30 CEST 2009 - mrueck...@suse.de + +- add rails-2.3.2_http_auth_digest_nil_check.patch: + do not allow authentication with a missing password (bnc#509914) + +------------------------------------------------------------------- +Mon Mar 16 20:34:36 CET 2009 - mrueck...@suse.de + +- starting package for the rails 2.3 series + +------------------------------------------------------------------- New: ---- actionpack-2.3.17.gem bug-809935_2-3-css_sanitize.patch bug-809940_2-3-sanitize_protocol.patch rubygem-actionpack-2_3.changes rubygem-actionpack-2_3.spec series ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionpack-2_3.spec ++++++ # # spec file for package rubygem-actionpack-2_3 # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
# The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           rubygem-actionpack-2_3
Version:        2.3.17
Release:        0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  rubygems_with_buildroot_patch
%rubygems_requires
Provides:       rubygem-%{mod_name} = %{version}-%{release}
#
# activesupport = 2.3.15
BuildRequires:  rubygem-activesupport-2_3 = %{version}
Requires:       rubygem-activesupport-2_3 = %{version}
# rack ~> 1.1.0
BuildRequires:  rubygem-rack-1_1 >= 1.1.3
Requires:       rubygem-rack-1_1 >= 1.1.3
#
Url:            http://rubyforge.org/projects/actionpack
Source:         %{mod_full_name}.gem
Source1:        bug-809935_2-3-css_sanitize.patch
Source2:        bug-809940_2-3-sanitize_protocol.patch
Source99:       series
#
Summary:        Web-flow and rendering framework putting the VC in MVC
License:        MIT
Group:          Development/Languages/Ruby

%description
Eases web-request routing, handling, and response as a half-way front,
half-way page controller. Implemented with specific emphasis on enabling
easy unit/integration testing that doesn't require a browser.

%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%package testsuite
Summary:        Test suite for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description testsuite
Test::Unit or RSpec files, useful for developers.
%prep %build %install %gem_install %{S:0} pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version} patch -p2 < %{S:1} patch -p2 < %{S:2} popd find %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}/ -name \*\~ -print -delete %clean %{__rm} -rf %{buildroot} %files %defattr(-,root,root,-) %{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/ %exclude %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test %{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec %files doc %defattr(-,root,root,-) %doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/ %files testsuite %defattr(-,root,root,-) %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test %changelog ++++++ bug-809935_2-3-css_sanitize.patch ++++++ diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index ae20f99..a05ea0b 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -106,8 +106,8 @@ module HTML style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet - if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ || - style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/ + if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || + style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ return '' end 
@@ -117,8 +117,8 @@ module HTML clean << prop + ': ' + val + ';' elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| - !allowed_css_keywords.include?(keyword) && - keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/ + !allowed_css_keywords.include?(keyword) && + keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ end clean << prop + ': ' + val + ';' end diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb index 9203251..561ebc5 100644 --- a/actionpack/test/controller/html-scanner/sanitizer_test.rb +++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb @@ -249,6 +249,11 @@ class SanitizerTest < ActionController::TestCase assert_equal '', sanitize_css(raw) end + def test_should_sanitize_across_newlines + raw = %(\nwidth:\nexpression(alert('XSS'));\n) + assert_equal '', sanitize_css(raw) + end + def test_should_sanitize_img_vbscript assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />' end -- 1.8.1.1 ++++++ bug-809940_2-3-sanitize_protocol.patch ++++++ diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index a05ea0b..0fb82cb 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -62,8 +62,8 @@ module HTML # A regular expression of the valid characters used to separate protocols like # the ':' in 'http://foo.com' - self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/ - + self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i + # Specifies a Set of HTML attributes that can have URIs. self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc)) 
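Review bot: the anchor change in the `@@ -106,8` hunk of bug-809935_2-3-css_sanitize.patch is the right fix and the choice of `\z` (not `\Z`) matters: in Ruby `^` and `$` match at every line boundary, so the old gauntlet `style !~ /^(...)*$/` was satisfied as soon as any one line of the value looked clean, which is exactly what the new `test_should_sanitize_across_newlines` input `\nwidth:\nexpression(alert('XSS'));\n` exercises; `\Z` would still have tolerated a trailing newline, whereas `\A ... \z` bounds the whole string. Worth stating in the patch header that the second regex keeps its inner `(;|$)` on purpose, since with the outer anchors now whole-string that `$` only separates newline-delimited declarations and is no longer a bypass point.

Review bot: in the `@@ -117,8` hunk the `keyword !~ /\A(#[0-9a-f]+|rgb\(...\)...)\z/` change cannot alter behaviour on its own, because each `keyword` comes from `val.split()`, and `String#split` with no argument splits on all whitespace including newlines, so a keyword never contains a line boundary. It is a reasonable consistency change, but the commit message should say so, and the first `-`/`+` pair in this hunk (`!allowed_css_keywords.include?(keyword) &&`) differs only in whitespace, which is churn a backport patch is better off without. A test that goes through this shorthand-property branch (`shorthand_css_properties.include?(prop.split('-')[0].downcase)`) is still missing; the added test uses `width`, which is rejected by the first gauntlet before this loop runs.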
@@ -166,8 +166,8 @@ module HTML end def contains_bad_protocols?(attr_name, value) - uri_attributes.include?(attr_name) && - (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first)) + uri_attributes.include?(attr_name) && + (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip)) end end end diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb index 561ebc5..f72f66e 100644 --- a/actionpack/test/controller/html-scanner/sanitizer_test.rb +++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb @@ -169,6 +169,7 @@ class SanitizerTest < ActionController::TestCase %(<IMG SRC="jav
ascript:alert('XSS');">), %(<IMG SRC="jav
ascript:alert('XSS');">), %(<IMG SRC="  javascript:alert('XSS');">), + %(<IMG SRC="javascript:alert('XSS');">), %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i| define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do assert_sanitized img_hack, "<img>" @@ -270,6 +271,19 @@ class SanitizerTest < ActionController::TestCase assert_sanitized %{<a href=\"http://www.domain.com?var1=1&var2=2\">my link</a>} end + def test_should_sanitize_neverending_attribute + assert_sanitized "<span class=\"\\", "<span class=\"\\\">" + end + + def test_x03a + assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>" + assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>" + assert_sanitized %(<a href="http://legit">), %(<a href="http://legit">) + assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>" + assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>" + assert_sanitized %(<a href="http://legit">), %(<a href="http://legit">) + end + protected def assert_sanitized(input, expected = nil) @sanitizer ||= HTML::WhiteListSanitizer.new -- 1.8.1.1 ++++++ series ++++++ # 2-3-null_param.patch -p0 # 2-3-null_array_param.patch -p0 # 3-0-strip_tags.patch -p0 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
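Review bot: in the `@@ -62,8` hunk of bug-809940_2-3-sanitize_protocol.patch the new `protocol_separator` regex (extra `(&#0*3a)`-style alternative plus the `/i` flag) is immediately duplicated by hand inside `contains_bad_protocols?` in the `@@ -166,8` hunk, so the two lists of separator spellings have to be kept in sync manually, which is the exact failure mode that produced the missing hex form in the first place. Suggest deriving the match in `contains_bad_protocols?` from `protocol_separator` (e.g. `value =~ /\A[^\/:]*#{protocol_separator}/`) so there is one place to extend. Also note that this listing has had the entity escapes in the regex decoded (they appear as `(�*58)`, `(p)`, `(�*3a)`); anyone re-applying the change must take the bytes from the patch file in the package, not from this mail. The `-`/`+` pair of the blank line after the assignment is trailing-whitespace churn only.

Review bot: the `@@ -166,8` hunk introduces a nil dereference where the old code was merely false: `value.split(protocol_separator).first.downcase.strip` returns nil from `.first` when the attribute value consists only of separator matches (in Ruby `":".split(/:/)` is `[]`, because all fields are empty and trailing empties are dropped), and a value of `":"` passes the `value =~ /(^[^\/:]*):|.../i` guard, so `sanitize` would raise NoMethodError on such an attribute instead of stripping it. Previously `allowed_protocols.include?(nil)` just returned false. Suggest `.first.to_s.downcase.strip` (or guarding with `|| ''`) so a malformed attribute cannot turn the sanitizer into a 500.

Review bot: in the `@@ -169,6` hunk the added image-hack case `+ %(<IMG SRC="javascript:alert('XSS');">)` is indistinguishable in this listing from the entries already in the array, and the same goes for the six assertions in `test_x03a` in the `@@ -270,6` hunk; please add a short comment on each new case naming the encoding variant it covers (which entity form of the colon, and whether upper or lower case given the new `/i`), otherwise the next reader cannot tell what coverage these add. `test_x03a` should also get a descriptive name, e.g. `test_should_sanitize_hex_encoded_protocol_separator`.

Review bot: `test_should_sanitize_neverending_attribute` in the `@@ -270,6` hunk (`assert_sanitized "<span class=\"\\", "<span class=\"\\\">"`) tests unterminated-attribute handling in the tokenizer, which is unrelated to the protocol-separator fix and is not mentioned in the Apr 2 changes entry for bnc#809940; fine to carry along, but the changes entry should say the patch also adds that regression test so it is not mistaken for part of the CVE-2013-1857 fix.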