diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch
new file mode 100644
index 0000000..dfc0ff8
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch
@@ -0,0 +1,21 @@
+diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
+index ce89d57..8332dd0 100644
+--- a/actionview/test/template/tag_helper_test.rb
++++ b/actionview/test/template/tag_helper_test.rb
+@@ -140,6 +140,16 @@ def test_tag_honors_html_safe_with_escaped_array_class
+ assert_equal '', str
+ end
+
++ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
++ assert_dom_equal 'content
',
++ content_tag('p', "content", title: '"'.html_safe)
++ end
++
++ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
++ assert_dom_equal 'content
',
++ content_tag('p', "content", data: { title: '"'.html_safe })
++ end
++
+ def test_skip_invalid_escaped_attributes
+ ['&1;', '�dfa3;', '& #123;'].each do |escaped|
+ assert_equal %(), tag('a', :href => escaped)
diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch
new file mode 100644
index 0000000..67b5529
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch
@@ -0,0 +1,13 @@
+diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb
+index b203857..f09595d 100644
+--- a/actionview/lib/action_view/helpers/tag_helper.rb
++++ b/actionview/lib/action_view/helpers/tag_helper.rb
+@@ -181,7 +181,7 @@ def tag_option(key, value, escape)
+ else
+ value = escape ? ERB::Util.unwrapped_html_escape(value) : value
+ end
+- %(#{key}="#{value}")
++ %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
+ end
+ end
+ end
diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch
new file mode 100644
index 0000000..56bde8d
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch
@@ -0,0 +1,19 @@
+diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
+index 8332dd0..da48d7c 100644
+--- a/actionview/test/template/tag_helper_test.rb
++++ b/actionview/test/template/tag_helper_test.rb
+@@ -29,6 +29,14 @@ def test_tag_options_accepts_blank_option
+ assert_equal "", tag("p", :included => '')
+ end
+
++ def test_tag_options_accepts_symbol_option_when_not_escaping
++ assert_equal "", tag("p", { value: :symbol }, false, false)
++ end
++
++ def test_tag_options_accepts_integer_option_when_not_escaping
++ assert_equal "", tag("p", { value: 42 }, false, false)
++ end
++
+ def test_tag_options_converts_boolean_option
+ assert_dom_equal '',
+ tag("p", :disabled => true, :itemscope => true, :multiple => true, :readonly => true, :allowfullscreen => true, :seamless => true, :typemustmatch => true, :sortable => true, :default => true, :inert => true, :truespeed => true)
diff --git a/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch
new file mode 100644
index 0000000..939d82d
--- /dev/null
+++ b/SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch
@@ -0,0 +1,13 @@
+diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb
+index f09595d..ac60cfd 100644
+--- a/actionview/lib/action_view/helpers/tag_helper.rb
++++ b/actionview/lib/action_view/helpers/tag_helper.rb
+@@ -179,7 +179,7 @@ def tag_option(key, value, escape)
+ if value.is_a?(Array)
+ value = escape ? safe_join(value, " ") : value.join(" ")
+ else
+- value = escape ? ERB::Util.unwrapped_html_escape(value) : value
++ value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
+ end
+ %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
+ end
diff --git a/SPECS/rubygem-actionview.spec b/SPECS/rubygem-actionview.spec
index 9a990d1..ae447a4 100644
--- a/SPECS/rubygem-actionview.spec
+++ b/SPECS/rubygem-actionview.spec
@@ -6,7 +6,7 @@
Name: %{?scl_prefix}rubygem-%{gem_name}
Version: 4.2.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Rendering framework putting the V in MVC (part of Rails)
Group: Development/Languages
License: MIT
@@ -17,6 +17,12 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
# git checkout v4.2.6
# tar czvf actionview-4.2.6-tests.tgz test/
Source1: %{gem_name}-%{version}-tests.tgz
+# Fix CVE-2016-6316 cross-site scripting flaw in Action View
+# https://bugzilla.redhat.com/show_bug.cgi?id=1365008
+Patch0: rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss.patch
+Patch1: rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch
+Patch2: rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values.patch
+Patch3: rubygem-actionview-4.2.7.1-CVE-2016-6316-ensure-values-tests.patch
Requires: %{?scl_prefix_ruby}ruby(release)
Requires: %{?scl_prefix_ruby}ruby(rubygems)
@@ -62,6 +68,11 @@ Documentation for %{pkg_name}.
%{?scl:EOF}
+pushd .%{gem_instdir}
+%patch0 -p2
+%patch2 -p2
+popd
+
%build
%install
@@ -80,6 +91,9 @@ tar xzvf %{SOURCE1} -C .
sed -i "s|require File.expand_path('../../../load_paths', __FILE__)||" ./test/abstract_unit.rb
sed -i '16,18d' ./test/active_record_unit.rb
+patch -p2 < %{PATCH1}
+patch -p2 < %{PATCH3}
+
# Run separately as we need to avoid superclass mismatch errors
%{?scl:scl enable %{scl} - << \EOF}
ruby -Ilib:test -e "Dir.glob('./test/{actionpack,activerecord,lib}/*_test.rb').each {|t| require t}"
@@ -102,6 +116,10 @@ popd
%doc %{gem_instdir}/CHANGELOG.md
%changelog
+* Tue Aug 16 2016 Jun Aruga - 4.2.6-3
+- Fix for CVE-2016-6316
+ Resolves: rhbz#1365008
+
* Tue Apr 05 2016 Pavel Valena - 4.2.6-2
- Enable tests