RedCloth 4.3.1 → 4.3.2



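--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f4dab006159116d5844e7b36a71a8f91137b348d
-  data.tar.gz: df7575fcd69f0277ea3bb4be5fc9a7d2e40fc2e4
+  metadata.gz: cb8013b7856c3d48cf999269f6e5ace370d013e0
+  data.tar.gz: 7de8b1d1218414598ebf7a0c89421a14679fa034
 SHA512:
-  metadata.gz: ff442c6bdda870628086f27ac426a365d219ca66b62be13da42ad56e1ed71de93eede49766a3bbf94944988aa971c99cc46c4055521945116154f9ca72dbf8ae
-  data.tar.gz: 44ab0803ef262e6ed09c58a181720a8a625653001e9b98ebf92d715f375646344d72f7af1e74e85f1788417274bc9e8fae1ecceede466c2728d045e0eef229a0
+  metadata.gz: 7e2a5a2be89e930fd388c0432413b41981d8862f27edf32bc32529db441e8b7380185d3dd221439ab3cb9cf2a89ff3cd1eb3f93d1577646ed07d7a264cbad4f7
+  data.tar.gz: 0a28c28367cc94dbb0a256bfae245fe75257cf5e821813b4f802ee79158771b0627e60ea70796b02118b31eb9b6d712473c70a0d4dd58d80d08dbb9921c53289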
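--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,7 @@
+== 4.3.2 / May 23rd, 2016
+
+* Fix additional case for CVE-2012-6684 [Joshua Siler]
+
 == 4.3.1 / May 17th, 2016
 
 * Fix additional case for CVE-2012-6684 [Joshua Siler]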
@@ -111,7 +111,7 @@ module RedCloth::Formatters::HTML
111
111
  end
112
112
 
113
113
  def link(opts)
114
- if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
114
+ if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/i
115
115
  opts[:name]
116
116
  else
117
117
  "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
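Review bot: The scheme check is now duplicated verbatim in `link` (line 114 of this hunk) and `image` (line 122 of the next hunk), and the copies already drifted once — this commit exists because the `/i` flag had to be added in two places. A private predicate shared by both call sites keeps them in step, so the next hardening lands once. The check also remains a deny-list for a single scheme; an allowlist of permitted schemes (relative URLs, http, https, mailto) would be the more robust shape, but that changes behaviour and belongs in its own commit. `link`'s body continues past the end of the hunk.
```ruby
  # True when html filtering/sanitizing is on and the URI's scheme is javascript:.
  # One predicate for link and image so the two checks cannot diverge (CVE-2012-6684).
  def unsafe_uri?(uri)
    (filter_html || sanitize_html) && uri =~ /^\s*javascript:/i
  end

  def link(opts)
    if unsafe_uri?(opts[:href])
      # … unchanged: name fallback / anchor rendering …
```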
@@ -119,7 +119,7 @@ module RedCloth::Formatters::HTML
119
119
  end
120
120
 
121
121
  def image(opts)
122
- if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/ || opts[:href] =~ /^\s*javascript:/ )
122
+ if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/i || opts[:href] =~ /^\s*javascript:/i )
123
123
  opts[:title]
124
124
  else
125
125
  opts.delete(:align)
@@ -2,7 +2,7 @@ module RedCloth
2
2
  module VERSION
3
3
  MAJOR = 4
4
4
  MINOR = 3
5
- TINY = 1
5
+ TINY = 2
6
6
  # RELEASE_CANDIDATE = 0
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY].compact.join('.')
@@ -8,6 +8,9 @@ describe 'CVE-2012-6684' do
8
8
  # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
9
9
  output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
10
10
  expect(output).to_not match(/href=.javascript:alert/)
11
+
12
+ output = RedCloth.new('["clickme":jAvascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
13
+ expect(output).to_not match(/href=.jAvascript:alert/)
11
14
  end
12
15
 
13
16
  it 'should not let javascript links pass through on images' do
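Review bot: The negative assertion added at line 13, `expect(output).to_not match(/href=.jAvascript:alert/)`, only fails if the output contains that exact mixed-case spelling, so an implementation that normalised the scheme to lowercase and still emitted the link would pass. Matching case-insensitively pins the actual requirement: `expect(output).to_not match(/href=.javascript:alert/i)`. The same applies to the two `to_not` assertions at lines 30–31 of the next hunk; the positive control at lines 25–27 there (no filter options given, link passes through) is a useful guard that the regex does not over-block. The enclosing `it` block starts before this hunk.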
@@ -18,5 +21,13 @@ describe 'CVE-2012-6684' do
18
21
  output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
19
22
  expect(output).to_not match(/src=.javascript:alert/)
20
23
  expect(output).to_not match(/href=.javascript:prompt/)
24
+
25
+ output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"').to_html
26
+ expect(output).to match(/src=.jAvascript:alert/)
27
+ expect(output).to match(/href=.jAvascript:prompt/)
28
+
29
+ output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
30
+ expect(output).to_not match(/src=.jAvascript:alert/)
31
+ expect(output).to_not match(/href=.jAvascript:prompt/)
21
32
  end
22
33
  end
@@ -1,14 +1,14 @@
1
1
  namespace :release do
2
2
  desc 'Push all gems to rubygems.org'
3
3
  # git tag and push tag
4
+ # git tag vx.x.x
5
+ # git push --follow-tags
4
6
  # branch into stable vx.x branch
5
7
  # change version in version.rb
6
8
  # update changelog
7
9
  # run rake test
8
10
 
9
11
  task :gem do
10
- puts "Did you git tag and git push the tag for this release yet?"
11
- #sh("rm *.gem")
12
12
  sh("gem build redcloth.gemspec")
13
13
  sh("gem push RedCloth-*.gem")
14
14
  end
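Review bot: With the `#sh("rm *.gem")` line dropped rather than reinstated, `sh("gem push RedCloth-*.gem")` on line 13 still pushes every gem file in the working directory, so a stale build left over from an earlier run could be published alongside the new one. Reinstating the cleanup as `sh("rm -f RedCloth-*.gem")` immediately before `sh("gem build redcloth.gemspec")` makes the push cover only the artifact just built. The removed prompt about tagging is now only a comment, so the task no longer reminds or checks that the release tag exists before pushing; that may be intentional, but it is worth stating in the task's `desc`.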
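--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: RedCloth
 version: !ruby/object:Gem::Version
-  version: 4.3.1
+  version: 4.3.2
 platform: ruby
 authors:
 - Jason Garber
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-05-17 00:00:00.000000000 Z
+date: 2016-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -174,7 +174,7 @@ rubyforge_project: redcloth
 rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
-summary: RedCloth-4.3.1
+summary: RedCloth-4.3.2
 test_files:
 - spec/benchmark_spec.rb
 - spec/parser_spec.rb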