From 774e1c249b2a396a23f193ed064dab9f16e88926 Mon Sep 17 00:00:00 2001
From: Mo Morsi
Date: Aug 22 2011 20:05:41 +0000
Subject: fixes for bugzillas #731432 and #731436
---
diff --git a/actionpack-bz-731432-fix.patch b/actionpack-bz-731432-fix.patch
new file mode 100644
index 0000000..558372e
--- /dev/null
+++ b/actionpack-bz-731432-fix.patch
@@ -0,0 +1,64 @@
+diff --git lib/action_view/template/resolver.rb.orig lib/action_view/template/resolver.rb
+index a508a68..4fda93f 100644
+--- lib/action_view/template/resolver.rb.orig
++++ lib/action_view/template/resolver.rb
+@@ -63,7 +63,7 @@ module ActionView
+ end
+
+ def query(path, exts, formats)
+- query = File.join(@path, path)
++ query = escape_entry File.join(@path, path)
+
+ exts.each do |ext|
+ query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
+@@ -88,6 +88,10 @@ module ActionView
+ templates
+ end
+
++ def escape_entry(entry)
++ entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
++ end
++
+ # Extract handler and formats from path. If a format cannot be a found neither
+ # from the path, or the handler, we should return the array of formats given
+ # to the resolver.
+diff --git test/controller/render_test.rb.orig test/controller/render_test.rb
+index c5c79c1..69112f0 100644
+--- test/controller/render_test.rb.orig
++++ test/controller/render_test.rb
+@@ -396,6 +396,14 @@ class TestController < ActionController::Base
+ render :template => "test/hello_world"
+ end
+
++ def render_with_explicit_unescaped_template
++ render :template => "test/h*llo_world"
++ end
++
++ def render_with_explicit_escaped_template
++ render :template => "test/hello_w*rld"
++ end
++
+ def render_with_explicit_string_template
+ render "test/hello_world"
+ end
+@@ -1057,6 +1065,12 @@ class RenderTest < ActionController::TestCase
+ assert_response :success
+ end
+
++ def test_render_with_explicit_unescaped_template
++ assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
++ get :render_with_explicit_escaped_template
++ assert_equal "Hello w*rld!", @response.body
++ end
++
+ def test_render_with_explicit_string_template
+ get :render_with_explicit_string_template
+ assert_equal "Hello world!", @response.body
+diff --git test/fixtures/test/hello_w*rld.erb test/fixtures/test/hello_w*rld.erb
+new file mode 100644
+index 0000000..bc8fa5e
+--- /dev/null
++++ test/fixtures/test/hello_w*rld.erb
+@@ -0,0 +1 @@
++Hello w*rld!
+\ No newline at end of file
diff --git a/actionpack-bz-731436-fix.patch b/actionpack-bz-731436-fix.patch
new file mode 100644
index 0000000..d6ed3e1
--- /dev/null
+++ b/actionpack-bz-731436-fix.patch
@@ -0,0 +1,31 @@
+diff --git lib/action_controller/vendor/html-scanner/html/node.rb.orig lib/action_controller/vendor/html-scanner/html/node.rb
+index 8525072..74c381b 100644
+--- lib/action_controller/vendor/html-scanner/html/node.rb.orig
++++ lib/action_controller/vendor/html-scanner/html/node.rb
+@@ -156,7 +156,7 @@ module HTML #:nodoc:
+ end
+
+ closing = ( scanner.scan(/\//) ? :close : nil )
+- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
++ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
+ name.downcase!
+
+ unless closing
+diff --git test/template/html-scanner/sanitizer_test.rb.orig test/template/html-scanner/sanitizer_test.rb
+index 3e80317..889a0f7 100644
+--- test/template/html-scanner/sanitizer_test.rb
++++ test/template/html-scanner/sanitizer_test.rb
+@@ -5,6 +5,13 @@ class SanitizerTest < ActionController::TestCase
+ @sanitizer = nil # used by assert_sanitizer
+ end
+
++ def test_strip_tags_with_quote
++ sanitizer = HTML::FullSanitizer.new
++ string = '<" hi'
++
++ assert_equal ' hi', sanitizer.sanitize(string)
++ end
++
+ def test_strip_tags
+ sanitizer = HTML::FullSanitizer.new
+ assert_equal("<< - 1:3.0.5-4
+- Include fixes for BZ#731432 and BZ#731436
+ * Thu Jun 16 2011 Mo Morsi - 1:3.0.5-3 - Include fix for CVE-2011-2197
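Review bot: The new `escape_entry` helper in the resolver hunk carries no comment explaining why glob metacharacters are escaped before `query` appends its own `{...}` alternation, which is the whole point of the change and the first thing a later maintainer will wonder about. I would add above the `def`: `# Escape Dir[] metacharacters so a template name taken from a request is matched literally instead of being expanded as a glob pattern; query's own '{,}' alternation is appended afterwards and must stay unescaped.` The method is added with no visibility marker visible in the hunk, so it presumably joins the resolver's public surface; if a `private` section exists below the hunk, moving it there would be cleaner. The fixture `test/fixtures/test/hello_w*rld.erb` puts a literal `*` in a filename, which cannot be created on filesystems that forbid that character, so the package build may need to skip that test there. The inner `---` headers use `.orig` paths, so the spec's `%patch` prefix level must match; the spec hunk is cut off at the end of the page.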
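Review bot: The widened tag-name class `[^\s!>\/]+` in the node.rb hunk replaces an allowlist (`[\w:-]+`) with a denylist and has no comment, so a later maintainer could reasonably "tighten" it back and reopen the case the new `test_strip_tags_with_quote` covers (`'<" hi'` stripped to `' hi'`). I would add above the changed line: `# Accept any run of non-whitespace as a tag name, not just \w, so a malformed opener such as '<"' is tokenized as a tag and stripped rather than returned as Text.` The new test exercises only `HTML::FullSanitizer`; a companion assertion against `HTML::WhiteListSanitizer` would show the same input is not emitted as text there either, which is presumably the riskier path. The `---` header for sanitizer_test.rb lacks the `.orig` suffix the other three inner headers use, harmless for `patch` but inconsistent. The existing `test_strip_tags` body continues past the visible end of the hunk, so its expectations cannot be checked here.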