rpms/rubygem-actionpack/F-11 rubygem-actionpack-2.3.x-CVE-2009-3009.patch, NONE, 1.1 rubygem-actionpack.spec, 1.10, 1.11
Mamoru Tasaka
mtasaka at fedoraproject.org
Tue Sep 22 18:23:12 UTC 2009
Author: mtasaka
Update of /cvs/extras/rpms/rubygem-actionpack/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23038
Modified Files:
rubygem-actionpack.spec
Added Files:
rubygem-actionpack-2.3.x-CVE-2009-3009.patch
Log Message:
* Wed Sep 23 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.3.3-2
- Patch for CVE-2009-3009 (bug 520843)
rubygem-actionpack-2.3.x-CVE-2009-3009.patch:
tag_helper.rb | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- NEW FILE rubygem-actionpack-2.3.x-CVE-2009-3009.patch ---
>From b066ffe93fb88af3b1e4795783bb71a7b8095ac5 Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael at koziarski.com>
Date: Mon, 31 Aug 2009 12:07:30 -0700
Subject: [PATCH] Clean tag attributes before passing through the escape_once logic.
Addresses CVE-2009-3009
---
actionpack/lib/action_view/helpers/tag_helper.rb | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index af8c4d5..db99a0e 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -103,7 +103,7 @@ module ActionView
# escape_once("<< Accept & Checkout")
# # => "<< Accept & Checkout"
def escape_once(html)
- html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+ ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
end
private
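Review bot: the hardened line at `+ ActiveSupport::Multibyte.clean(html.to_s).gsub(...)` keeps the regex and the `ERB::Util::HTML_ESCAPE` lookup unchanged and only normalises the input first, so the hunk should come with a regression test that feeds `escape_once` a string containing an invalid multibyte sequence alongside `<`, `>`, `"` and `&` and asserts every one of those characters is still escaped in the output; without such a test the behaviour this CVE fix depends on (cleaning happening before the escape pass, not after) can regress silently. The doc comment above the method (`# escape_once("<< Accept & Checkout")`) also deserves a sentence saying that the input is cleaned of invalid byte sequences before escaping, since that is now an observable part of the method's contract.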
--
1.6.0.1
Index: rubygem-actionpack.spec
===================================================================
RCS file: /cvs/extras/rpms/rubygem-actionpack/F-11/rubygem-actionpack.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- rubygem-actionpack.spec 28 Jul 2009 21:20:58 -0000 1.10
+++ rubygem-actionpack.spec 22 Sep 2009 18:23:12 -0000 1.11
@@ -7,11 +7,12 @@
Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Version: 2.3.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.gem
+Patch0: rubygem-actionpack-2.3.x-CVE-2009-3009.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
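Review bot: `+Patch0: rubygem-actionpack-2.3.x-CVE-2009-3009.patch` is declared here but there is no corresponding `%patch0` in `%prep`, which is the place a reader (and rpmlint) will look for it; a one-line comment next to the `Patch0:` tag stating that the patch is applied in `%install` after `gem install`, because the sources only exist in the buildroot at that point, would save the next maintainer from "fixing" it by adding a `%patch0` that has nothing to apply to. The bump to `Release: 2%{?dist}` is consistent with the changelog entry.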
@@ -35,6 +36,10 @@ mkdir -p %{buildroot}%{gemdir}
gem install --local --install-dir %{buildroot}%{gemdir} \
--force --rdoc %{SOURCE0}
+pushd %{buildroot}%{geminstdir}
+cat %{PATCH0} | patch -s -p2
+popd
+
# Remove backup files
find %{buildroot}/%{geminstdir} -type f -name "*~" -delete
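Review bot: `+cat %{PATCH0} | patch -s -p2` should be written as `patch -s -p2 < %{PATCH0}` (or `patch -p2 < %{PATCH0}`); the `cat` pipeline adds nothing, and the build's failure behaviour then depends only on `patch`'s own exit status rather than on which side of the pipe failed. Since this is a security patch, consider dropping `-s` or adding `--fuzz=0` so that a hunk that applies with an offset or fuzz after a future upstream bump is visible in the build log instead of being silently accepted. `-p2` is correct for the `a/actionpack/lib/...` paths in the patch relative to `%{geminstdir}`. Note also that the patch is applied after `gem install --rdoc`, so the generated rdoc still describes the unpatched `escape_once`; that is cosmetic, but worth a comment.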
@@ -71,6 +76,9 @@ rm -rf %{buildroot}
%changelog
+* Wed Sep 23 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.3.3-2
+- Patch for CVE-2009-3009 (bug 520843)
+
* Tue Jul 28 2009 Jeroen van Meeuwen <j.van.meeuwen at ogd.nl> - 2.3.3-1
- New upstream version
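Review bot: the changelog entry `+* Wed Sep 23 2009 Mamoru Tasaka ... - 2.3.3-2` is dated one day after the commit timestamp of Tue Sep 22 2009 18:23:12 UTC shown in the header, which rpmlint flags as a changelog time in the future on builders running in UTC; using the UTC date of the commit avoids the warning. The entry otherwise follows the existing format and correctly references CVE-2009-3009 and bug 520843.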