diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch new file mode 100644 index 0000000..dfc0ff8 --- /dev/null +++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch @@ -0,0 +1,21 @@ +diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb +index ce89d57..8332dd0 100644 +--- a/actionview/test/template/tag_helper_test.rb ++++ b/actionview/test/template/tag_helper_test.rb +@@ -140,6 +140,16 @@ def test_tag_honors_html_safe_with_escaped_array_class + assert_equal '
', str + end + ++ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes ++ assert_dom_equal 'content
', ++ content_tag('p', "content", title: '"'.html_safe) ++ end ++ ++ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes ++ assert_dom_equal 'content
', ++ content_tag('p', "content", data: { title: '"'.html_safe }) ++ end ++ + def test_skip_invalid_escaped_attributes + ['&1;', 'dfa3;', '& #123;'].each do |escaped| + assert_equal %(), tag('a', :href => escaped) diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch new file mode 100644 index 0000000..67b5529 --- /dev/null +++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch @@ -0,0 +1,13 @@ +diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb +index b203857..f09595d 100644 +--- a/actionview/lib/action_view/helpers/tag_helper.rb ++++ b/actionview/lib/action_view/helpers/tag_helper.rb +@@ -181,7 +181,7 @@ def tag_option(key, value, escape) + else + value = escape ? ERB::Util.unwrapped_html_escape(value) : value + end +- %(#{key}="#{value}") ++ %(#{key}="#{value.gsub(/"/, '"'.freeze)}") + end + end + end diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch new file mode 100644 index 0000000..56bde8d --- /dev/null +++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch @@ -0,0 +1,19 @@ +diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb +index 8332dd0..da48d7c 100644 +--- a/actionview/test/template/tag_helper_test.rb ++++ b/actionview/test/template/tag_helper_test.rb +@@ -29,6 +29,14 @@ def test_tag_options_accepts_blank_option + assert_equal "", tag("p", :included => '') + end + ++ def test_tag_options_accepts_symbol_option_when_not_escaping ++ assert_equal "", tag("p", { value: :symbol }, false, false) ++ end ++ ++ def test_tag_options_accepts_integer_option_when_not_escaping ++ assert_equal "", tag("p", { value: 42 }, false, false) ++ end ++ + def test_tag_options_converts_boolean_option + assert_dom_equal '', + tag("p", :disabled => true, :itemscope => true, :multiple => true, :readonly => true, :allowfullscreen => true, :seamless => true, :typemustmatch => true, :sortable => true, :default => true, :inert => true, :truespeed => true) diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch new file mode 100644 index 0000000..939d82d --- /dev/null +++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch @@ -0,0 +1,13 @@ +diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb +index f09595d..ac60cfd 100644 +--- a/actionview/lib/action_view/helpers/tag_helper.rb ++++ b/actionview/lib/action_view/helpers/tag_helper.rb +@@ -179,7 +179,7 @@ def tag_option(key, value, escape) + if value.is_a?(Array) + value = escape ? safe_join(value, " ") : value.join(" ") + else +- value = escape ? ERB::Util.unwrapped_html_escape(value) : value ++ value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s + end + %(#{key}="#{value.gsub(/"/, '"'.freeze)}") + end diff --git a/SPECS/rubygem-actionview.spec b/SPECS/rubygem-actionview.spec index 9a990d1..ae447a4 100644 --- a/SPECS/rubygem-actionview.spec +++ b/SPECS/rubygem-actionview.spec @@ -6,7 +6,7 @@ Name: %{?scl_prefix}rubygem-%{gem_name} Version: 4.2.6 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Rendering framework putting the V in MVC (part of Rails) Group: Development/Languages License: MIT @@ -17,6 +17,12 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem # git checkout v4.2.6 # tar czvf actionview-4.2.6-tests.tgz test/ Source1: %{gem_name}-%{version}-tests.tgz +# Fix CVE-2016-6316 cross-site scripting flaw in Action View +# https://bugzilla.redhat.com/show_bug.cgi?id=1365008 +Patch0: rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch +Patch1: rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch +Patch2: rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch +Patch3: rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch Requires: %{?scl_prefix_ruby}ruby(release) Requires: %{?scl_prefix_ruby}ruby(rubygems) @@ -62,6 +68,11 @@ Documentation for %{pkg_name}. %{?scl:EOF} +pushd .%{gem_instdir} +%patch0 -p2 +%patch2 -p2 +popd + %build %install @@ -80,6 +91,9 @@ tar xzvf %{SOURCE1} -C . sed -i "s|require File.expand_path('../../../load_paths', __FILE__)||" ./test/abstract_unit.rb sed -i '16,18d' ./test/active_record_unit.rb +patch -p2 < %{PATCH1} +patch -p2 < %{PATCH3} + # Run separately as we need to avoid superclass mismatch errors %{?scl:scl enable %{scl} - << \EOF} ruby -Ilib:test -e "Dir.glob('./test/{actionpack,activerecord,lib}/*_test.rb').each {|t| require t}" @@ -102,6 +116,10 @@ popd %doc %{gem_instdir}/CHANGELOG.md %changelog +* Tue Aug 16 2016 Jun Aruga