rpms/rubygem-actionpack/F-10 rubygem-actionpack-2.1.x-verify-also-text.patch, NONE, 1.1 rubygem-actionpack-2.2.x-strip_tag-for-nonprintable.patch, NONE, 1.1 rubygem-actionpack.spec, 1.8, 1.9

Sun Dec 6 16:57:21 UTC 2009

Author: mtasaka

Update of /cvs/extras/rpms/rubygem-actionpack/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26307

Modified Files:
	rubygem-actionpack.spec 
Added Files:
	rubygem-actionpack-2.1.x-verify-also-text.patch 
	rubygem-actionpack-2.2.x-strip_tag-for-nonprintable.patch 
Log Message:
* Mon Dec  7 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.1.1-4
- Fix for potential CSRF protection circumvention (bug 544329)
- Fix for XSS weakness in strip_tags (bug 542786)


rubygem-actionpack-2.1.x-verify-also-text.patch:
 mime_type.rb |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE rubygem-actionpack-2.1.x-verify-also-text.patch ---
commit 099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
Author: Michael Koziarski <michael at koziarski.com>
Date:   Sun Nov 16 20:35:25 2008 +0100

    Verify form submissions for text/plain posts too.
    
    Some browsers can POST requests with text/plain encoding, allowing attackers to  potentially subvert the request forgery prevention.
    
    http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/

diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb
index fa123f7..453fc67 100644
--- a/actionpack/lib/action_controller/mime_type.rb
+++ b/actionpack/lib/action_controller/mime_type.rb
@@ -18,7 +18,7 @@ module Mime
   #   end
   class Type
     @@html_types = Set.new [:html, :all]
-    @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
+    @@unverifiable_types = Set.new [:json, :csv, :xml, :rss, :atom, :yaml]
     cattr_reader :html_types, :unverifiable_types
 
     # A simple helper class used in parsing the accept header

rubygem-actionpack-2.2.x-strip_tag-for-nonprintable.patch:
 node.rb |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE rubygem-actionpack-2.2.x-strip_tag-for-nonprintable.patch ---
>From 785281ade8c2347614525e9aceb5e62c80eec6f8 Mon Sep 17 00:00:00 2001
From: Gabe da Silveira <gabe at websaviour.com>
Date: Mon, 16 Nov 2009 21:17:35 -0800
Subject: [PATCH] Make sure strip_tags removes tags which start with a non-printable character

Signed-off-by: Michael Koziarski <michael at koziarski.com>
---
 .../vendor/html-scanner/html/node.rb               |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
index 6c03316..0cd05d8 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -162,7 +162,7 @@ module HTML #:nodoc:
           end
           
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
           name.downcase!
   
           unless closing
index bae0f5c..51baba6 100644
@@ -19,6 +19,7 @@ class SanitizerTest < Test::Unit::TestCase
     assert_equal "This has a  here.", sanitizer.sanitize("This has a <!-- comment --> here.")
     assert_equal "This has a  here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
     assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
+    assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag</a>")
     [nil, '', '   '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
   end
 
-- 
1.6.0.1



Index: rubygem-actionpack.spec
===================================================================
RCS file: /cvs/extras/rpms/rubygem-actionpack/F-10/rubygem-actionpack.spec,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- rubygem-actionpack.spec	20 Sep 2009 19:54:09 -0000	1.8
+++ rubygem-actionpack.spec	6 Dec 2009 16:57:21 -0000	1.9
@@ -7,7 +7,7 @@
 Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Version: 2.1.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -15,6 +15,10 @@ Source0: http://gems.rubyforge.org/gems/
 Patch1: rubygem-actionpack-2.1.2-CVE-2008-5189.patch
 # http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
 Patch2: rubygem-actionpack-2.1.x-CVE-2009-3009.patch
+# bug 544329
+Patch3: rubygem-actionpack-2.1.x-verify-also-text.patch
+# bug 542786
+Patch4: rubygem-actionpack-2.2.x-strip_tag-for-nonprintable.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
@@ -33,6 +37,8 @@ unit/integration testing that doesn't re
 %setup -q -n %{gemname}-%{version}
 %patch1 -p2
 %patch2 -p2
+%patch3 -p2
+%patch4 -p2
 
 %build
 rake gem
@@ -65,6 +71,10 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Mon Dec  7 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.1.1-4
+- Fix for potential CSRF protection circumvention (bug 544329)
+- Fix for XSS weakness in strip_tags (bug 542786)
+
 * Mon Sep 21 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.1.1-3
 - Patch for CVE-2009-3009 (bug 520843)
 


