actionpack 2.3.17 → 2.3.18



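--- a/data/Rakefile
+++ b/data/Rakefile
@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
 
  s.requirements << 'none'
 
- s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.18' + PKG_BUILD)
  s.add_dependency('rack', '~> 1.1.0')
 
  s.require_path = 'lib'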
@@ -62,8 +62,8 @@ module HTML
62
62
 
63
63
  # A regular expression of the valid characters used to separate protocols like
64
64
  # the ':' in 'http://foo.com'
65
- self.protocol_separator = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
66
-
65
+ self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
66
+
67
67
  # Specifies a Set of HTML attributes that can have URIs.
68
68
  self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
69
69
 
@@ -106,8 +106,8 @@ module HTML
106
106
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
107
107
 
108
108
  # gauntlet
109
- if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
110
- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
109
+ if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
110
+ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
111
111
  return ''
112
112
  end
113
113
 
@@ -117,8 +117,8 @@ module HTML
117
117
  clean << prop + ': ' + val + ';'
118
118
  elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
119
119
  unless val.split().any? do |keyword|
120
- !allowed_css_keywords.include?(keyword) &&
121
- keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
120
+ !allowed_css_keywords.include?(keyword) &&
121
+ keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
122
122
  end
123
123
  clean << prop + ': ' + val + ';'
124
124
  end
@@ -166,8 +166,8 @@ module HTML
166
166
  end
167
167
 
168
168
  def contains_bad_protocols?(attr_name, value)
169
- uri_attributes.include?(attr_name) &&
170
- (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
169
+ uri_attributes.include?(attr_name) &&
170
+ (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
171
171
  end
172
172
  end
173
173
  end
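Review bot: `value.split(protocol_separator).first` can be nil, so the `.downcase.strip` appended on line 170 of contains_bad_protocols? raises NoMethodError where the old code simply returned true: for a value that is a bare `:` the outer regex matches through `(^[^\/:]*):`, but `":".split(protocol_separator)` yields an empty array because Ruby drops trailing empty fields and the plain `:` alternative carries no capture group. An attribute such as `href=":"` therefore turns a sanitization into an exception instead of a stripped attribute. Coerce before normalising, `!allowed_protocols.include?(value.split(protocol_separator).first.to_s.downcase.strip)`, which, assuming allowed_protocols does not contain the empty string, preserves the previous "bad protocol" verdict for that input. Separately, this regex still anchors with `^` while the CSS checks in the earlier hunks were moved to `\A`/`\z`; here the line anchor only widens the match, so it is a consistency point rather than a gap.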
@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 2
4
4
  MINOR = 3
5
- TINY = 17
5
+ TINY = 18
6
6
 
7
7
  STRING = [MAJOR, MINOR, TINY].join('.')
8
8
  end
@@ -169,6 +169,7 @@ class SanitizerTest < ActionController::TestCase
169
169
  %(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
170
170
  %(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
171
171
  %(<IMG SRC=" &#14; javascript:alert('XSS');">),
172
+ %(<IMG SRC="javascript&#x3a;alert('XSS');">),
172
173
  %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
173
174
  define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
174
175
  assert_sanitized img_hack, "<img>"
@@ -249,6 +250,11 @@ class SanitizerTest < ActionController::TestCase
249
250
  assert_equal '', sanitize_css(raw)
250
251
  end
251
252
 
253
+ def test_should_sanitize_across_newlines
254
+ raw = %(\nwidth:\nexpression(alert('XSS'));\n)
255
+ assert_equal '', sanitize_css(raw)
256
+ end
257
+
252
258
  def test_should_sanitize_img_vbscript
253
259
  assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
254
260
  end
@@ -265,6 +271,19 @@ class SanitizerTest < ActionController::TestCase
265
271
  assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
266
272
  end
267
273
 
274
+ def test_should_sanitize_neverending_attribute
275
+ assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
276
+ end
277
+
278
+ def test_x03a
279
+ assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
280
+ assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
281
+ assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
282
+ assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
283
+ assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
284
+ assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
285
+ end
286
+
268
287
  protected
269
288
  def assert_sanitized(input, expected = nil)
270
289
  @sanitizer ||= HTML::WhiteListSanitizer.new
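Review bot: `test_x03a` on line 278 names the encoding rather than the behaviour being pinned, while every sibling test in this hunk and the previous ones follows the `test_should_…` pattern; `def test_should_sanitize_hex_entity_colon_in_protocol` would read consistently and identify the regression on its own in a failure listing. The three lower-case and three upper-case assertions inside it are pairwise identical apart from the entity case, so iterating over `%w[3a 3A 003a 003A]` would keep the coverage while making the case-insensitivity intent explicit. The enclosing SanitizerTest class begins before this hunk.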
metadata CHANGED
@@ -1,51 +1,59 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
- version: !ruby/object:Gem::Version
4
- version: 2.3.17
3
+ version: !ruby/object:Gem::Version
4
+ prerelease: false
5
+ segments:
6
+ - 2
7
+ - 3
8
+ - 18
9
+ version: 2.3.18
5
10
  platform: ruby
6
- authors:
11
+ authors:
7
12
  - David Heinemeier Hansson
8
13
  autorequire:
9
14
  bindir: bin
10
15
  cert_chain: []
11
- date: 2013-02-11 00:00:00.000000000 Z
12
- dependencies:
13
- - !ruby/object:Gem::Dependency
16
+
17
+ date: 2013-03-18 00:00:00 -07:00
18
+ default_executable:
19
+ dependencies:
20
+ - !ruby/object:Gem::Dependency
14
21
  name: activesupport
15
- requirement: !ruby/object:Gem::Requirement
16
- requirements:
17
- - - '='
18
- - !ruby/object:Gem::Version
19
- version: 2.3.17
20
- type: :runtime
21
22
  prerelease: false
22
- version_requirements: !ruby/object:Gem::Requirement
23
- requirements:
24
- - - '='
25
- - !ruby/object:Gem::Version
26
- version: 2.3.17
27
- - !ruby/object:Gem::Dependency
28
- name: rack
29
- requirement: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - "~>"
32
- - !ruby/object:Gem::Version
33
- version: 1.1.0
23
+ requirement: &id001 !ruby/object:Gem::Requirement
24
+ requirements:
25
+ - - "="
26
+ - !ruby/object:Gem::Version
27
+ segments:
28
+ - 2
29
+ - 3
30
+ - 18
31
+ version: 2.3.18
34
32
  type: :runtime
33
+ version_requirements: *id001
34
+ - !ruby/object:Gem::Dependency
35
+ name: rack
35
36
  prerelease: false
36
- version_requirements: !ruby/object:Gem::Requirement
37
- requirements:
38
- - - "~>"
39
- - !ruby/object:Gem::Version
37
+ requirement: &id002 !ruby/object:Gem::Requirement
38
+ requirements:
39
+ - - ~>
40
+ - !ruby/object:Gem::Version
41
+ segments:
42
+ - 1
43
+ - 1
44
+ - 0
40
45
  version: 1.1.0
41
- description: Eases web-request routing, handling, and response as a half-way front,
42
- half-way page controller. Implemented with specific emphasis on enabling easy unit/integration
43
- testing that doesn't require a browser.
46
+ type: :runtime
47
+ version_requirements: *id002
48
+ description: Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.
44
49
  email: david@loudthinking.com
45
50
  executables: []
51
+
46
52
  extensions: []
53
+
47
54
  extra_rdoc_files: []
48
- files:
55
+
56
+ files:
49
57
  - Rakefile
50
58
  - install.rb
51
59
  - README
@@ -486,28 +494,35 @@ files:
486
494
  - test/template/url_helper_test.rb
487
495
  - test/testing_sandbox.rb
488
496
  - test/view/test_case_test.rb
497
+ has_rdoc: true
489
498
  homepage: http://www.rubyonrails.org
490
499
  licenses: []
491
- metadata: {}
500
+
492
501
  post_install_message:
493
502
  rdoc_options: []
494
- require_paths:
503
+
504
+ require_paths:
495
505
  - lib
496
- required_ruby_version: !ruby/object:Gem::Requirement
497
- requirements:
506
+ required_ruby_version: !ruby/object:Gem::Requirement
507
+ requirements:
498
508
  - - ">="
499
- - !ruby/object:Gem::Version
500
- version: '0'
501
- required_rubygems_version: !ruby/object:Gem::Requirement
502
- requirements:
509
+ - !ruby/object:Gem::Version
510
+ segments:
511
+ - 0
512
+ version: "0"
513
+ required_rubygems_version: !ruby/object:Gem::Requirement
514
+ requirements:
503
515
  - - ">="
504
- - !ruby/object:Gem::Version
505
- version: '0'
506
- requirements:
516
+ - !ruby/object:Gem::Version
517
+ segments:
518
+ - 0
519
+ version: "0"
520
+ requirements:
507
521
  - none
508
522
  rubyforge_project: actionpack
509
- rubygems_version: 2.0.0.rc.2
523
+ rubygems_version: 1.3.6
510
524
  signing_key:
511
- specification_version: 4
525
+ specification_version: 3
512
526
  summary: Web-flow and rendering framework putting the VC in MVC.
513
527
  test_files: []
528
+
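--- a/checksums.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
- ---
- SHA1:
- metadata.gz: f172719f50d1647a8ff1b79399942bf0dea98eaa
- data.tar.gz: 672ca9efadfd0f2b7b5143ec33070cf905751591
- SHA512:
- metadata.gz: c06e97db2037ad4f9b1ad6d8aacf71889891604d1f704ca46eb2704937396c286b40d69c770162fbfb0db2e97189a641800e0941ee3e120e70ab0422a720baeb
- data.tar.gz: d47aaa462ba919897ff310e49589054368925f85f2a364a28c37bbbc0a7ab0cb6c64ec1ccd134e278453e5695595626145940726d26f5102a1c96b76f11e8d32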