From 1846e015b6717cfea68708e7b73fecd158f419ff Mon Sep 17 00:00:00 2001
From: Mamoru Tasaka
Date: Sep 20 2009 20:02:37 +0000
Subject: - Patch for CVE-2009-3009 (bug 520843)

---

diff --git a/rubygem-actionpack-2.1.x-CVE-2009-3009.patch b/rubygem-actionpack-2.1.x-CVE-2009-3009.patch
new file mode 100644
index 0000000..d3676c4
--- /dev/null
+++ b/rubygem-actionpack-2.1.x-CVE-2009-3009.patch
@@ -0,0 +1,26 @@
+From 9af2823b32e001358babde7644e5cc1c0ec29d6e Mon Sep 17 00:00:00 2001
+From: Michael Koziarski
+Date: Mon, 31 Aug 2009 12:07:30 -0700
+Subject: [PATCH] Clean tag attributes before passing through the escape_once logic.
+
+Addresses CVE-2009-3009
+---
+ actionpack/lib/action_view/helpers/tag_helper.rb | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
+index ba43b5e..623b8f7 100644
+--- a/actionpack/lib/action_view/helpers/tag_helper.rb
++++ b/actionpack/lib/action_view/helpers/tag_helper.rb
+@@ -101,7 +101,7 @@ module ActionView
+ # escape_once("<< Accept & Checkout")
+ # # => "<< Accept & Checkout"
+ def escape_once(html)
+- html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
++ ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+ end
+
+ private
+--
+1.6.0.1
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index a46e76a..7492097 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
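Review bot: The rewritten `escape_once` line in the embedded patch calls `ActiveSupport::Multibyte.clean`, while the spec on this page pins `rubygem(activesupport) = %{version}` (2.1.1); I cannot verify from here that 2.1.1's `ActiveSupport::Multibyte` defines `clean` (as far as I recall it arrived with the later Multibyte rewrite), and if it does not, every `escape_once` call — and every tag-helper attribute that goes through it — raises `NoMethodError` at runtime, so confirm the method exists in the pinned activesupport or carry a small backport next to this patch. Separately, the regex `/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/` and `ERB::Util::HTML_ESCAPE` still leave `'` untouched, so values placed in single-quoted attributes are not protected by this helper even after the CVE fix; that predates this change, but a comment such as `# NOTE: does not escape single quotes — only safe inside double-quoted attributes` above `def escape_once(html)` would make the limit explicit. The `escape_once` definition is complete within the hunk; the enclosing `module ActionView` / TagHelper continues outside it.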
@@ -7,12 +7,14 @@
 Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Version: 2.1.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
 Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.tgz
 Patch1: rubygem-actionpack-2.1.2-CVE-2008-5189.patch
+# http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
+Patch2: rubygem-actionpack-2.1.x-CVE-2009-3009.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
@@ -30,6 +32,7 @@ unit/integration testing that doesn't require a browser.
 %prep
 %setup -q -n %{gemname}-%{version}
 %patch1 -p2
+%patch2 -p2
 
 %build
 rake gem
@@ -62,6 +65,9 @@ rm -rf %{buildroot}
 
 %changelog
+* Mon Sep 21 2009 Mamoru Tasaka - 2.1.1-3
+- Patch for CVE-2009-3009 (bug 520843)
+
 * Thu Feb 26 2009 Jeroen van Meeuwen - 2.1.1-2
 - Fix CVE-2008-5189