rpms/rubygem-actionpack/F-10 rubygem-actionpack-2.1.x-CVE-2009-3009.patch, NONE, 1.1 rubygem-actionpack.spec, 1.7, 1.8
Mamoru Tasaka
mtasaka at fedoraproject.org
Sun Sep 20 19:54:10 UTC 2009
Author: mtasaka
Update of /cvs/extras/rpms/rubygem-actionpack/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5879
Modified Files:
rubygem-actionpack.spec
Added Files:
rubygem-actionpack-2.1.x-CVE-2009-3009.patch
Log Message:
* Mon Sep 21 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.1.1-3
- Patch for CVE-2009-3009 (bug 520843)
rubygem-actionpack-2.1.x-CVE-2009-3009.patch:
tag_helper.rb | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- NEW FILE rubygem-actionpack-2.1.x-CVE-2009-3009.patch ---
From 9af2823b32e001358babde7644e5cc1c0ec29d6e Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael at koziarski.com>
Date: Mon, 31 Aug 2009 12:07:30 -0700
Subject: [PATCH] Clean tag attributes before passing through the escape_once logic.
Addresses CVE-2009-3009
---
actionpack/lib/action_view/helpers/tag_helper.rb | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index ba43b5e..623b8f7 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -101,7 +101,7 @@ module ActionView
# escape_once("<< Accept & Checkout")
# # => "<< Accept & Checkout"
def escape_once(html)
- html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+ ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
end
private
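Review bot: the replacement line calls ActiveSupport::Multibyte.clean, but this spec pins rubygem(activesupport) = %{version}, i.e. 2.1.1, and the upstream commit this is taken from targets a newer ActiveSupport, so please confirm that method actually resolves on the F-10 activesupport gem before this ships, for example with `ruby -rrubygems -ractive_support -e 'p ActiveSupport::Multibyte.respond_to?(:clean)'`. If it does not, every escape_once call in the patched package raises NoMethodError instead of escaping, which turns an XSS fix into a hard failure of every view that uses tag helpers; the remedy would be to backport the clean helper into the activesupport package in the same update. It would also be worth adding a regression assertion next to the existing escape_once example above the hunk that feeds a string containing a malformed byte sequence ahead of `<` and checks that `&lt;` still comes out, since that is the case the cleaning step exists for.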
--
1.6.0.1
Index: rubygem-actionpack.spec
===================================================================
RCS file: /cvs/extras/rpms/rubygem-actionpack/F-10/rubygem-actionpack.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- rubygem-actionpack.spec 27 Feb 2009 15:56:19 -0000 1.7
+++ rubygem-actionpack.spec 20 Sep 2009 19:54:09 -0000 1.8
@@ -7,12 +7,14 @@
Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Version: 2.1.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.tgz
Patch1: rubygem-actionpack-2.1.2-CVE-2008-5189.patch
+# http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
+Patch2: rubygem-actionpack-2.1.x-CVE-2009-3009.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
@@ -30,6 +32,7 @@ unit/integration testing that doesn't re
%prep
%setup -q -n %{gemname}-%{version}
%patch1 -p2
+%patch2 -p2
%build
rake gem
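Review bot: after `%patch2 -p2` nothing in the build exercises the patched helper (the spec goes straight from %prep to `rake gem` in %build with no %check), so a backport whose ActiveSupport::Multibyte.clean call does not load against the pinned activesupport 2.1.1 would only be discovered at runtime on users' systems. Consider a minimal %check that requires the built gem and calls `ActionView::Helpers::TagHelper.escape_once` on a sample string, so the build fails rather than the deployed application. The `-p2` depth itself looks right: the patch paths carry the git `a/` prefix plus the `actionpack/` tree, and %setup unpacks into %{gemname}-%{version}.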
@@ -62,6 +65,9 @@ rm -rf %{buildroot}
%changelog
+* Mon Sep 21 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.1.1-3
+- Patch for CVE-2009-3009 (bug 520843)
+
* Thu Feb 26 2009 Jeroen van Meeuwen <kanarip at fedoraproject.org> - 2.1.1-2
- Fix CVE-2008-5189