actionpack 2.3.17 → 2.3.18

data/Rakefile

@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
 
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.18' + PKG_BUILD)
   s.add_dependency('rack', '~> 1.1.0')
 
   s.require_path = 'lib'

data/lib/action_controller/vendor/html-scanner/html/sanitizer.rb

@@ -62,8 +62,8 @@ module HTML
 
     # A regular expression of the valid characters used to separate protocols like
     # the ':' in 'http://foo.com'
-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|%)3A/
-    
+    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i
+
     # Specifies a Set of HTML attributes that can have URIs.
     self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
 
@@ -106,8 +106,8 @@ module HTML
       style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
 
       # gauntlet
-      if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
-          style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
         return ''
       end
 
@@ -117,8 +117,8 @@ module HTML
           clean <<  prop + ': ' + val + ';'
         elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) 
           unless val.split().any? do |keyword|
-            !allowed_css_keywords.include?(keyword) && 
-              keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+            !allowed_css_keywords.include?(keyword) &&
+              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
           end
             clean << prop + ': ' + val + ';'
           end
@@ -166,8 +166,8 @@ module HTML
     end
 
     def contains_bad_protocols?(attr_name, value)
-      uri_attributes.include?(attr_name) && 
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
+      uri_attributes.include?(attr_name) &&
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
     end
   end
 end

data/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 17
+    TINY  = 18
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/test/controller/html-scanner/sanitizer_test.rb

@@ -169,6 +169,7 @@ class SanitizerTest < ActionController::TestCase
    %(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
    %(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
    %(<IMG SRC=" &#14;  javascript:alert('XSS');">),
+   %(<IMG SRC="javascript&#x3a;alert('XSS');">),
    %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
     define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
       assert_sanitized img_hack, "<img>"
@@ -249,6 +250,11 @@ class SanitizerTest < ActionController::TestCase
     assert_equal '', sanitize_css(raw)
   end
 
+  def test_should_sanitize_across_newlines
+    raw = %(\nwidth:\nexpression(alert('XSS'));\n)
+    assert_equal '', sanitize_css(raw)
+  end
+
   def test_should_sanitize_img_vbscript
     assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
   end
@@ -265,6 +271,19 @@ class SanitizerTest < ActionController::TestCase
      assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
   end
 
+  def test_should_sanitize_neverending_attribute
+    assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
+  end
+
+  def test_x03a
+    assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
+    assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
+  end
+
 protected
   def assert_sanitized(input, expected = nil)
     @sanitizer ||= HTML::WhiteListSanitizer.new

metadata

@@ -1,51 +1,59 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: actionpack
-version: !ruby/object:Gem::Version
-  version: 2.3.17
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 2
+  - 3
+  - 18
+  version: 2.3.18
 platform: ruby
-authors:
+authors: 
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-11 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2013-03-18 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 2.3.17
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 2.3.17
-- !ruby/object:Gem::Dependency
-  name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.1.0
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 3
+        - 18
+        version: 2.3.18
   type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rack
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 1
+        - 0
         version: 1.1.0
-description: Eases web-request routing, handling, and response as a half-way front,
-  half-way page controller. Implemented with specific emphasis on enabling easy unit/integration
-  testing that doesn't require a browser.
+  type: :runtime
+  version_requirements: *id002
+description: Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.
 email: david@loudthinking.com
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - Rakefile
 - install.rb
 - README
@@ -486,28 +494,35 @@ files:
 - test/template/url_helper_test.rb
 - test/testing_sandbox.rb
 - test/view/test_case_test.rb
+has_rdoc: true
 homepage: http://www.rubyonrails.org
 licenses: []
-metadata: {}
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  requirements:
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
   - - ">="
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
-  requirements:
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
   - - ">="
-    - !ruby/object:Gem::Version
-      version: '0'
-requirements:
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: 
 - none
 rubyforge_project: actionpack
-rubygems_version: 2.0.0.rc.2
+rubygems_version: 1.3.6
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: Web-flow and rendering framework putting the VC in MVC.
 test_files: []
+

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: f172719f50d1647a8ff1b79399942bf0dea98eaa
-  data.tar.gz: 672ca9efadfd0f2b7b5143ec33070cf905751591
-SHA512:
-  metadata.gz: c06e97db2037ad4f9b1ad6d8aacf71889891604d1f704ca46eb2704937396c286b40d69c770162fbfb0db2e97189a641800e0941ee3e120e70ab0422a720baeb
-  data.tar.gz: d47aaa462ba919897ff310e49589054368925f85f2a364a28c37bbbc0a7ab0cb6c64ec1ccd134e278453e5695595626145940726d26f5102a1c96b76f11e8d32