From 3df8499c27f162464e856a5c9f2dcd2d74b48a5b Mon Sep 17 00:00:00 2001 From: Bohuslav Kabrda Date: Mar 16 2012 07:00:20 +0000 Subject: The CVE patches names now contain the CVE id. --- diff --git a/actionpack-3.0.5-XSS-flaw-fix.patch b/actionpack-3.0.5-XSS-flaw-fix.patch deleted file mode 100644 index 6c371bf..0000000 --- a/actionpack-3.0.5-XSS-flaw-fix.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -# backported from 3.0.10 to 3.0.5 -diff --git a/actionpack/lib/action_view/helpers/translation_helper.rb b/actionpack/lib/action_view/helpers/translation_helper.rb -index 3d3df01..00963cd 100644 ---- a/actionpack/lib/action_view/helpers/translation_helper.rb -+++ b/actionpack/lib/action_view/helpers/translation_helper.rb -@@ -24,11 +24,18 @@ module ActionView - # naming convention helps to identify translations that include HTML tags so that - # you know what kind of output to expect when you call translate in a template. - def translate(key, options = {}) -- translation = I18n.translate(scope_key_by_partial(key), options.merge!(:raise => true)) -- if html_safe_translation_key?(key) && translation.respond_to?(:html_safe) -- translation.html_safe -+ options.merge!(:raise => true) -+ options.merge!(:rescue_format => :html) unless options.key?(:rescue_format) -+ if html_safe_translation_key?(key) -+ html_safe_options = options.dup -+ options.except(*I18n::RESERVED_KEYS).each do |name, value| -+ html_safe_options[name] = ERB::Util.html_escape(value.to_s) -+ end -+ translation = I18n.translate(scope_key_by_partial(key), html_safe_options) -+ -+ translation.respond_to?(:html_safe) ? 
translation.html_safe : translation - else -- translation -+ I18n.translate(scope_key_by_partial(key), options) - end - rescue I18n::MissingTranslationData => e - keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope]) - -diff --git a/actionpack/test/template/translation_helper_test.rb b/actionpack/test/template/translation_helper_test.rb -index cd9f54e..cabb29c 100644 ---- a/actionpack/test/template/translation_helper_test.rb -+++ b/actionpack/test/template/translation_helper_test.rb -@@ -6,10 +6,15 @@ - - attr_reader :request - def setup -+ I18n.backend.store_translations(:en, -+ :translations => { -+ :interpolated_html => 'Hello %{word}', -+ } -+ ) - end - - def test_delegates_to_i18n_setting_the_raise_option -- I18n.expects(:translate).with(:foo, :locale => 'en', :raise => true).returns("") -+ I18n.expects(:translate).with(:foo, :locale => 'en', :raise => true, :rescue_format => :html).returns("") - translate :foo, :locale => 'en' - end - -@@ -19,7 +24,7 @@ - end - - def test_translation_returning_an_array -- I18n.expects(:translate).with(:foo, :raise => true).returns(["foo", "bar"]) -+ I18n.expects(:translate).with(:foo, :raise => true, :rescue_format => :html).returns(["foo", "bar"]) - assert_equal ["foo", "bar"], translate(:foo) - end - -@@ -30,34 +35,39 @@ - end - - def test_scoping_by_partial -- I18n.expects(:translate).with("test.translation.helper", :raise => true).returns("helper") -+ I18n.expects(:translate).with("test.translation.helper", :raise => true, :rescue_format => :html).returns("helper") - @view = ActionView::Base.new(ActionController::Base.view_paths, {}) - assert_equal "helper", @view.render(:file => "test/translation") - end - - def test_scoping_by_partial_of_an_array -- I18n.expects(:translate).with("test.scoped_translation.foo.bar", :raise => true).returns(["foo", "bar"]) -+ I18n.expects(:translate).with("test.scoped_translation.foo.bar", :raise => true, :rescue_format => :html).returns(["foo", "bar"]) - @view = 
ActionView::Base.new(ActionController::Base.view_paths, {}) - assert_equal "foobar", @view.render(:file => "test/scoped_translation") - end - - def test_translate_does_not_mark_plain_text_as_safe_html -- I18n.expects(:translate).with("hello", :raise => true).returns("Hello World") -+ I18n.expects(:translate).with("hello", :raise => true, :rescue_format => :html).returns("Hello World") - assert_equal false, translate("hello").html_safe? - end - - def test_translate_marks_translations_named_html_as_safe_html -- I18n.expects(:translate).with("html", :raise => true).returns("Hello World") -+ I18n.expects(:translate).with("html", :raise => true, :rescue_format => :html).returns("Hello World") - assert translate("html").html_safe? - end - - def test_translate_marks_translations_with_a_html_suffix_as_safe_html -- I18n.expects(:translate).with("hello_html", :raise => true).returns("Hello World") -+ I18n.expects(:translate).with("hello_html", :raise => true, :rescue_format => :html).returns("Hello World") - assert translate("hello_html").html_safe? - end - -+ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix -+ assert_equal 'Hello <World>', translate(:'translations.interpolated_html', :word => '', :raise => true, :rescue_format => :html) -+ assert_equal 'Hello <World>', translate(:'translations.interpolated_html', :word => stub(:to_s => "")) -+ end -+ - def test_translation_returning_an_array_ignores_html_suffix -- I18n.expects(:translate).with(:foo_html, :raise => true).returns(["foo", "bar"]) -+ I18n.expects(:translate).with(:foo_html, :raise => true, :rescue_format => :html).returns(["foo", "bar"]) - assert_equal ["foo", "bar"], translate(:foo_html) - end - end diff --git a/actionpack-CVE-2011-4319-XSS-flaw.patch b/actionpack-CVE-2011-4319-XSS-flaw.patch new file mode 100644 index 0000000..6c371bf --- /dev/null +++ b/actionpack-CVE-2011-4319-XSS-flaw.patch 
@@ -0,0 +1,105 @@ +# backported from 3.0.10 to 3.0.5 +diff --git a/actionpack/lib/action_view/helpers/translation_helper.rb b/actionpack/lib/action_view/helpers/translation_helper.rb +index 3d3df01..00963cd 100644 +--- a/actionpack/lib/action_view/helpers/translation_helper.rb ++++ b/actionpack/lib/action_view/helpers/translation_helper.rb +@@ -24,11 +24,18 @@ module ActionView + # naming convention helps to identify translations that include HTML tags so that + # you know what kind of output to expect when you call translate in a template. + def translate(key, options = {}) +- translation = I18n.translate(scope_key_by_partial(key), options.merge!(:raise => true)) +- if html_safe_translation_key?(key) && translation.respond_to?(:html_safe) +- translation.html_safe ++ options.merge!(:raise => true) ++ options.merge!(:rescue_format => :html) unless options.key?(:rescue_format) ++ if html_safe_translation_key?(key) ++ html_safe_options = options.dup ++ options.except(*I18n::RESERVED_KEYS).each do |name, value| ++ html_safe_options[name] = ERB::Util.html_escape(value.to_s) ++ end ++ translation = I18n.translate(scope_key_by_partial(key), html_safe_options) ++ ++ translation.respond_to?(:html_safe) ? 
translation.html_safe : translation + else +- translation ++ I18n.translate(scope_key_by_partial(key), options) + end + rescue I18n::MissingTranslationData => e + keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope]) + +diff --git a/actionpack/test/template/translation_helper_test.rb b/actionpack/test/template/translation_helper_test.rb +index cd9f54e..cabb29c 100644 +--- a/actionpack/test/template/translation_helper_test.rb ++++ b/actionpack/test/template/translation_helper_test.rb +@@ -6,10 +6,15 @@ + + attr_reader :request + def setup ++ I18n.backend.store_translations(:en, ++ :translations => { ++ :interpolated_html => 'Hello %{word}', ++ } ++ ) + end + + def test_delegates_to_i18n_setting_the_raise_option +- I18n.expects(:translate).with(:foo, :locale => 'en', :raise => true).returns("") ++ I18n.expects(:translate).with(:foo, :locale => 'en', :raise => true, :rescue_format => :html).returns("") + translate :foo, :locale => 'en' + end + +@@ -19,7 +24,7 @@ + end + + def test_translation_returning_an_array +- I18n.expects(:translate).with(:foo, :raise => true).returns(["foo", "bar"]) ++ I18n.expects(:translate).with(:foo, :raise => true, :rescue_format => :html).returns(["foo", "bar"]) + assert_equal ["foo", "bar"], translate(:foo) + end + +@@ -30,34 +35,39 @@ + end + + def test_scoping_by_partial +- I18n.expects(:translate).with("test.translation.helper", :raise => true).returns("helper") ++ I18n.expects(:translate).with("test.translation.helper", :raise => true, :rescue_format => :html).returns("helper") + @view = ActionView::Base.new(ActionController::Base.view_paths, {}) + assert_equal "helper", @view.render(:file => "test/translation") + end + + def test_scoping_by_partial_of_an_array +- I18n.expects(:translate).with("test.scoped_translation.foo.bar", :raise => true).returns(["foo", "bar"]) ++ I18n.expects(:translate).with("test.scoped_translation.foo.bar", :raise => true, :rescue_format => :html).returns(["foo", "bar"]) + @view = 
ActionView::Base.new(ActionController::Base.view_paths, {}) + assert_equal "foobar", @view.render(:file => "test/scoped_translation") + end + + def test_translate_does_not_mark_plain_text_as_safe_html +- I18n.expects(:translate).with("hello", :raise => true).returns("Hello World") ++ I18n.expects(:translate).with("hello", :raise => true, :rescue_format => :html).returns("Hello World") + assert_equal false, translate("hello").html_safe? + end + + def test_translate_marks_translations_named_html_as_safe_html +- I18n.expects(:translate).with("html", :raise => true).returns("Hello World") ++ I18n.expects(:translate).with("html", :raise => true, :rescue_format => :html).returns("Hello World") + assert translate("html").html_safe? + end + + def test_translate_marks_translations_with_a_html_suffix_as_safe_html +- I18n.expects(:translate).with("hello_html", :raise => true).returns("Hello World") ++ I18n.expects(:translate).with("hello_html", :raise => true, :rescue_format => :html).returns("Hello World") + assert translate("hello_html").html_safe? + end + ++ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix ++ assert_equal 'Hello <World>', translate(:'translations.interpolated_html', :word => '', :raise => true, :rescue_format => :html) ++ assert_equal 'Hello <World>', translate(:'translations.interpolated_html', :word => stub(:to_s => "")) ++ end ++ + def test_translation_returning_an_array_ignores_html_suffix +- I18n.expects(:translate).with(:foo_html, :raise => true).returns(["foo", "bar"]) ++ I18n.expects(:translate).with(:foo_html, :raise => true, :rescue_format => :html).returns(["foo", "bar"]) + assert_equal ["foo", "bar"], translate(:foo_html) + end + end diff --git a/actionpack-CVE-2012-1099-select-options-XSS.patch b/actionpack-CVE-2012-1099-select-options-XSS.patch new file mode 100644 index 0000000..f0211c0 --- /dev/null +++ b/actionpack-CVE-2012-1099-select-options-XSS.patch 
@@ -0,0 +1,61 @@ +From 5b4082fddf3412aef6c085fbb2a13fd3bbc75f4e Mon Sep 17 00:00:00 2001 +From: Sergey Nartimov +Date: Mon, 20 Feb 2012 15:41:17 -0800 +Subject: [PATCH] fix output safety issue with select options + +--- + .../lib/action_view/helpers/form_options_helper.rb | 6 +++--- + .../test/template/form_options_helper_test.rb | 9 ++++++++- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb +index 082647f..949b02a 100644 +--- a/actionpack/lib/action_view/helpers/form_options_helper.rb ++++ b/actionpack/lib/action_view/helpers/form_options_helper.rb +@@ -596,13 +596,13 @@ module ActionView + private + def add_options(option_tags, options, value = nil) + if options[:include_blank] +- option_tags = "\n" + option_tags ++ option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags + end + if value.blank? && options[:prompt] + prompt = options[:prompt].kind_of?(String) ? 
options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select') +- option_tags = "\n" + option_tags ++ option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags + end +- option_tags.html_safe ++ option_tags + end + end + +diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb +index 6656420..9ca4bf6 100644 +--- a/actionpack/test/template/form_options_helper_test.rb ++++ b/actionpack/test/template/form_options_helper_test.rb +@@ -432,7 +432,7 @@ class FormOptionsHelperTest < ActionView::TestCase + + def test_select_under_fields_for_with_string_and_given_prompt + @post = Post.new +- options = "" ++ options = "".html_safe + + output_buffer = fields_for :post, @post do |f| + concat f.select(:category, options, :prompt => 'The prompt') +@@ -536,6 +536,13 @@ class FormOptionsHelperTest < ActionView::TestCase + ) + end + ++ def test_select_escapes_options ++ assert_dom_equal( ++ '', ++ select('post', 'title', '') ++ ) ++ end ++ + def test_select_with_selected_nil + @post = Post.new + @post.category = "" +-- +1.7.6 + diff --git a/actionpack-select-options-XSS-fix.patch b/actionpack-select-options-XSS-fix.patch deleted file mode 100644 index f0211c0..0000000 --- a/actionpack-select-options-XSS-fix.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 5b4082fddf3412aef6c085fbb2a13fd3bbc75f4e Mon Sep 17 00:00:00 2001 -From: Sergey Nartimov -Date: Mon, 20 Feb 2012 15:41:17 -0800 -Subject: [PATCH] fix output safety issue with select options - ---- - .../lib/action_view/helpers/form_options_helper.rb | 6 +++--- - .../test/template/form_options_helper_test.rb | 9 ++++++++- - 2 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb -index 082647f..949b02a 100644 ---- a/actionpack/lib/action_view/helpers/form_options_helper.rb -+++ b/actionpack/lib/action_view/helpers/form_options_helper.rb -@@ -596,13 +596,13 @@ module ActionView - private - def add_options(option_tags, options, value = nil) - if options[:include_blank] -- option_tags = "\n" + option_tags -+ option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags - end - if value.blank? && options[:prompt] - prompt = options[:prompt].kind_of?(String) ? 
options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select') -- option_tags = "\n" + option_tags -+ option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags - end -- option_tags.html_safe -+ option_tags - end - end - -diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb -index 6656420..9ca4bf6 100644 ---- a/actionpack/test/template/form_options_helper_test.rb -+++ b/actionpack/test/template/form_options_helper_test.rb -@@ -432,7 +432,7 @@ class FormOptionsHelperTest < ActionView::TestCase - - def test_select_under_fields_for_with_string_and_given_prompt - @post = Post.new -- options = "" -+ options = "".html_safe - - output_buffer = fields_for :post, @post do |f| - concat f.select(:category, options, :prompt => 'The prompt') -@@ -536,6 +536,13 @@ class FormOptionsHelperTest < ActionView::TestCase - ) - end - -+ def test_select_escapes_options -+ assert_dom_equal( -+ '', -+ select('post', 'title', '') -+ ) -+ end -+ - def test_select_with_selected_nil - @post = Post.new - @post.category = "" --- -1.7.6 - diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec index deb0ed4..bccb8c3 100644 --- a/rubygem-actionpack.spec +++ b/rubygem-actionpack.spec @@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC Name: rubygem-%{gemname} Epoch: 1 Version: 3.0.5 -Release: 6%{?dist} +Release: 7%{?dist} Group: Development/Languages License: MIT URL: http://www.rubyonrails.org 
@@ -54,14 +54,14 @@ Patch6: actionpack-bz-731432-fix.patch Patch7: actionpack-bz-731436-fix.patch # Fixes RHBZ #755007 -Patch8: actionpack-%{version}-XSS-flaw-fix.patch +Patch8: actionpack-CVE-2011-4319-XSS-flaw.patch # Fixes tests failing with Ruby-1.8.7.p357 Patch9: actionpack-%{version}-fix-tests-failing-with-ruby-1.8.7.p357.patch # Fixes CVE-2012-1099 # https://bugzilla.redhat.com/show_bug.cgi?id=799276 -Patch10: actionpack-select-options-XSS-fix.patch +Patch10: actionpack-CVE-2012-1099-select-options-XSS.patch Requires: rubygems Requires: rubygem(activesupport) = %{version} @@ -197,6 +197,9 @@ rake test --trace %changelog +* Fri Mar 16 2012 Bohuslav Kabrda - 1:3.0.5-7 +- The CVE patches names now contain the CVE id. + * Tue Mar 06 2012 Bohuslav Kabrda - 1:3.0.5-6 - Fix for CVE-2012-1099.
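Review bot: The comment above the renamed `Patch8` line still reads `# Fixes RHBZ #755007`, while the sibling `Patch10` entry is introduced by `# Fixes CVE-2012-1099` and its bugzilla URL; now that the file name carries CVE-2011-4319, the comment should name it too so the CVE-to-patch mapping is readable from the spec alone. Suggest `# Fixes CVE-2011-4319 (RHBZ #755007)`. The rename also drops `%{version}` from the Patch8 file name, so the "backported from 3.0.10 to 3.0.5" line inside the patch header is now the only record of the target version; if the patch is version-specific, that is worth a short remark in the same comment. The %changelog hunk that follows may continue past the end of this chunk.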