rdoc 4.0.0.preview2.1 → 4.0.0.rc.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: be465a9f7229b4fa46271d90e7102066498c0b4d
-  data.tar.gz: f5297b952027d39046fcea6d3c4ead0fe569f40c
-!binary "U0hBNTEy":
-  metadata.gz: a4bbe645b202903651d0b3fa0d79bd331c2b7becd9d7feed0d24d215821a6625c27f6db475d3c495ddc3652651afe00c75d7c3a7dadad7c97948c7934c7d675a
-  data.tar.gz: 297ea3814b07df111090a99500b10f9f9a4e99448e9626b1f304d659e4b5d1fdf03a8f60562ecb25448e74e661efeae87d982f67a84f857c06db8ca9319cc527
+SHA1:
+  metadata.gz: d63ee2bd18438ed61f20690a074f2851e1c78453
+  data.tar.gz: 75312953f9b1c4430bebd2a3d9a1911e1e505a1e
+SHA512:
+  metadata.gz: 7d2643d503c3908a72bbb242066390f27c5f123e5c3db1ebc0989d90ff160ce599cd3d18db8fa4ca05f2f51e0f76a51ea8321ec024f5709adbba2faaddc8c90a
+  data.tar.gz: da8ae787c4c627055b7dccc2167fd58e031f69ce95ee74e4d51524bb977c72efb357b3d1f1c74b4a35935fadde46e57fe6a30b23af699f3e5b9dfffb78913fce

data/CVE-2013-0256.rdoc

@@ -0,0 +1,49 @@
+= RDoc 2.3.0 through 3.12 XSS Exploit
+
+RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
+to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit.  This exploit may
+lead to cookie disclosure to third parties.
+
+The exploit exists in darkfish.js which is copied from the RDoc install
+location to the generated documentation.
+
+RDoc is a static documentation generation tool.  Patching the library itself
+is insufficient to correct this exploit.  Those hosting rdoc documentation will
+need to apply the following patch.  If applied while ignoring whitespace, this
+patch will correct all affected versions:
+
+  diff --git darkfish.js darkfish.js
+  index 4be722f..f26fd45 100644
+  --- darkfish.js
+  +++ darkfish.js
+  @@ -109,13 +109,15 @@ function hookSearch() {
+   function highlightTarget( anchor ) {
+     console.debug( "Highlighting target '%s'.", anchor );
+   
+  -  $("a[name=" + anchor + "]").each( function() {
+  -    if ( !$(this).parent().parent().hasClass('target-section') ) {
+  -      console.debug( "Wrapping the target-section" );
+  -      $('div.method-detail').unwrap( 'div.target-section' );
+  -      $(this).parent().wrap( '<div class="target-section"></div>' );
+  -    } else {
+  -      console.debug( "Already wrapped." );
+  +  $("a[name]").each( function() {
+  +    if ( $(this).attr("name") == anchor ) {
+  +      if ( !$(this).parent().parent().hasClass('target-section') ) {
+  +        console.debug( "Wrapping the target-section" );
+  +        $('div.method-detail').unwrap( 'div.target-section' );
+  +        $(this).parent().wrap( '<div class="target-section"></div>' );
+  +      } else {
+  +        console.debug( "Already wrapped." );
+  +      }
+       }
+     });
+   };
+
+RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this
+exploit.
+
+This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+This vulnerability has been assigned the CVE identifier CVE-2013-0256.
+

data/History.rdoc

@@ -1,4 +1,4 @@
-=== 4.0.0.preview2.1 / 2012-12-14
+=== 4.0.0.rc.2 / 2013-02-05
 
 As a preview release, please file bugs for any problems you have with rdoc at
 https://github.com/rdoc/rdoc/issues
@@ -10,6 +10,38 @@ Notable feature additions are markdown support and an WEBrick servlet that can
 serve HTML from an ri store.  (This means that RubyGems 2.0+ no longer needs
 to build HTML documentation when installing gems.)
 
+* Minor enhancements
+  * Added current heading and page-top links to HTML headings.
+
+* Bug fixes
+  * Fixed an XSS exploit in darkfish.js.  This could lead to cookie disclosure
+    to third parties.  See CVE-2013-0256[rdoc-ref:CVE-2013-0256.rdoc] for full
+    details including a patch you can apply to generated RDoc documentation.
+  * Fixed parsing of multibyte files with incomplete characters at byte 1024.
+    Ruby bug #6393 by nobu, patch by Nobuyoshi Nakada and Yui NARUSE.
+  * Fixed rdoc -E.  Ruby Bug #6392 and (modified) patch by Nobuyoshi Nakada
+  * Added link handling to Markdown output.  Bug #160 by burningTyger.
+  * Fixed HEREDOC output for the limited case of a heredoc followed by a line
+    end.  When a HEREDOC is not followed by a line end RDoc is not currently
+    smart enough to restore the source correctly.  Bug #162 by Zachary Scott.
+  * Fixed parsing of executables with shebang and encoding comments.  Bug #161
+    by Marcus Stollsteimer
+  * RDoc now ignores methods defined on constants instead of creating a fake
+    module.  Bug #163 by Zachary Scott.
+  * Fixed ChangeLog parsing for FFI gem.  Bug #165 by Zachary Scott.
+  * RDoc now links \#=== methods.  Bug #164 by Zachary Scott.
+  * Allow [] following argument names for TomDoc.  Bug #167 by Ellis Berner.
+  * Fixed the RDoc servlet for home and site directories.  Bug #170 by Thomas
+    Leitner.
+  * Fixed references to methods in the RDoc servlet.  Bug #171 by Thomas
+    Leitner.
+  * Fixed debug message when generating the darkfish root page.  Pull Request
+    #174 by Thomas Leitner.
+  * Fixed deletion of attribute ri data when a class was loaded then saved.
+    Issue #171 by Thomas Leitner.
+
+=== 4.0.0.preview2.1 / 2012-12-14
+
 * Minor enhancements
   * Added --page-dir option to give pretty names for a FAQ, guides, or other
     documentation you write that is not stored in the project root.  For

data/Manifest.txt

@@ -1,5 +1,6 @@
 .autotest
 .document
+CVE-2013-0256.rdoc
 DEVELOPERS.rdoc
 History.rdoc
 LEGAL.rdoc
@@ -85,6 +86,7 @@ lib/rdoc/generator/template/darkfish/rdoc.css
 lib/rdoc/generator/template/darkfish/servlet_not_found.rhtml
 lib/rdoc/generator/template/darkfish/servlet_root.rhtml
 lib/rdoc/generator/template/darkfish/table_of_contents.rhtml
+lib/rdoc/generator/template/json_index/.document
 lib/rdoc/generator/template/json_index/js/navigation.js
 lib/rdoc/generator/template/json_index/js/searcher.js
 lib/rdoc/ghost_method.rb
@@ -202,7 +204,7 @@ test/MarkdownTest_1.0.3/Tidyness.text
 test/README
 test/binary.dat
 test/hidden.zip.txt
-test/test.ja.large.rdoc
+test/test.ja.largedoc
 test/test.ja.rdoc
 test/test.ja.txt
 test/test.txt

data/Rakefile

@@ -48,6 +48,7 @@ Depending on your version of ruby, you may need to install ruby rdoc/ri data:
   self.testlib = :minitest
   self.extra_rdoc_files += %w[
     DEVELOPERS.rdoc
+    CVE-2013-0256.rdoc
     History.rdoc
     LICENSE.rdoc
     LEGAL.rdoc
@@ -62,7 +63,7 @@ Depending on your version of ruby, you may need to install ruby rdoc/ri data:
   require_ruby_version '>= 1.8.7'
   extra_deps     << ['json',     '~> 1.4']
   extra_dev_deps << ['racc',     '~> 1.4']
-  extra_dev_deps << ['minitest', '~> 2']
+  extra_dev_deps << ['minitest', '~> 4']
   extra_dev_deps << ['ZenTest',  '~> 4']
 
   extra_rdoc_files << 'Rakefile'

data/lib/rdoc.rb

@@ -64,7 +64,7 @@ module RDoc
   ##
   # RDoc version you are using
 
-  VERSION = '4.0.0.preview2.1'
+  VERSION = '4.0.0.rc.2'
 
   ##
   # Method visibilities

data/lib/rdoc/any_method.rb

@@ -123,6 +123,8 @@ class RDoc::AnyMethod < RDoc::MethodAttr
   # * #parent_name
 
   def marshal_load array
+    initialize_visibility
+
     @dont_rename_initialize = nil
     @is_alias_for           = nil
     @token_stream           = nil

data/lib/rdoc/attr.rb

@@ -121,6 +121,8 @@ class RDoc::Attr < RDoc::MethodAttr
   # * #parent_name
 
   def marshal_load array
+    initialize_visibility
+
     @aliases      = []
     @parent       = nil
     @parent_name  = nil

data/lib/rdoc/class_module.rb

@@ -323,6 +323,7 @@ class RDoc::ClassModule < RDoc::Context
   end
 
   def marshal_load array # :nodoc:
+    initialize_visibility
     initialize_methods_etc
     @current_section   = nil
     @document_self     = true

data/lib/rdoc/code_object.rb

@@ -116,6 +116,13 @@ class RDoc::CodeObject
     @full_name     = nil
     @store         = nil
 
+    initialize_visibility
+  end
+
+  ##
+  # Initializes state for visibility of this CodeObject and its children.
+
+  def initialize_visibility # :nodoc:
     @document_children   = true
     @document_self       = true
     @done_documenting    = false

data/lib/rdoc/cross_reference.rb

@@ -18,7 +18,7 @@ class RDoc::CrossReference
   #
   # See CLASS_REGEXP_STR
 
-  METHOD_REGEXP_STR = '([a-z]\w*[!?=]?|%)(?:\([\w.+*/=<>-]*\))?'
+  METHOD_REGEXP_STR = '([a-z]\w*[!?=]?|%|===)(?:\([\w.+*/=<>-]*\))?'
 
   ##
   # Regular expressions matching text that should potentially have

data/lib/rdoc/encoding.rb

@@ -75,7 +75,9 @@ module RDoc::Encoding
   # Sets the encoding of +string+ based on the magic comment
 
   def self.set_encoding string
-    first_line = string[/\A(?:#!.*\n)?.*\n/]
+    string =~ /\A(?:#!.*\n)?(.*\n)/
+
+    first_line = $1
 
     name = case first_line
            when /^<\?xml[^?]*encoding=(["'])(.*?)\1/ then $2

data/lib/rdoc/generator/darkfish.rb

@@ -453,7 +453,7 @@ class RDoc::Generator::Darkfish
     template_file = @template_dir + 'servlet_not_found.rhtml'
     return unless template_file.exist?
 
-    debug_msg "Rendering the servlet root page..."
+    debug_msg "Rendering the servlet 404 Not Found page..."
 
     rel_prefix = rel_prefix = ''
     search_index_rel_prefix = rel_prefix

data/lib/rdoc/generator/template/darkfish/js/darkfish.js

@@ -109,13 +109,15 @@ function hookSearch() {
 function highlightTarget( anchor ) {
   console.debug( "Highlighting target '%s'.", anchor );
 
-  $("a[name=" + anchor + "]").each( function() {
-    if ( !$(this).parent().parent().hasClass('target-section') ) {
-      console.debug( "Wrapping the target-section" );
-      $('div.method-detail').unwrap( 'div.target-section' );
-      $(this).parent().wrap( '<div class="target-section"></div>' );
-    } else {
-      console.debug( "Already wrapped." );
+  $("a[name]").each( function() {
+    if ( $(this).attr("name") == anchor ) {
+      if ( !$(this).parent().parent().hasClass('target-section') ) {
+        console.debug( "Wrapping the target-section" );
+        $('div.method-detail').unwrap( 'div.target-section' );
+        $(this).parent().wrap( '<div class="target-section"></div>' );
+      } else {
+        console.debug( "Already wrapped." );
+      }
     }
   });
 };

data/lib/rdoc/generator/template/darkfish/rdoc.css

@@ -28,6 +28,27 @@ h1 {
 }
 h2,h3,h4 { margin-top: 1.5em; }
 
+h1 span,
+h2 span,
+h3 span,
+h4 span,
+h5 span,
+h6 span {
+  display: none;
+  padding-left: 1em;
+  font-size: 50%;
+  vertical-align: super;
+}
+
+h1:hover span,
+h2:hover span,
+h3:hover span,
+h4:hover span,
+h5:hover span,
+h6:hover span {
+  display: inline;
+}
+
 :link,
 :visited {
   color: #6C8C22;

data/lib/rdoc/generator/template/json_index/.document

@@ -0,0 +1 @@
+# ignore all files in this directory

data/lib/rdoc/markup/attribute_manager.rb

@@ -168,15 +168,13 @@ class RDoc::Markup::AttributeManager
   # Converts special sequences to RDoc attributes
 
   def convert_specials str, attrs
-    unless @special.empty?
-      @special.each do |regexp, attribute|
-        str.scan(regexp) do
-          capture = $~.size == 1 ? 0 : 1
+    @special.each do |regexp, attribute|
+      str.scan(regexp) do
+        capture = $~.size == 1 ? 0 : 1
 
-          s, e = $~.offset capture
+        s, e = $~.offset capture
 
-          attrs.set_attrs s, e - s, attribute | @attributes.special
-        end
+        attrs.set_attrs s, e - s, attribute | @attributes.special
       end
     end
   end

data/lib/rdoc/markup/formatter.rb

@@ -17,6 +17,30 @@ class RDoc::Markup::Formatter
 
   InlineTag = Struct.new(:bit, :on, :off)
 
+  ##
+  # Converts a target url to one that is relative to a given path
+
+  def self.gen_relative_url path, target
+    from        = File.dirname path
+    to, to_file = File.split target
+
+    from = from.split "/"
+    to   = to.split "/"
+
+    from.delete '.'
+    to.delete '.'
+
+    while from.size > 0 and to.size > 0 and from[0] == to[0] do
+      from.shift
+      to.shift
+    end
+
+    from.fill ".."
+    from.concat to
+    from << to_file
+    File.join(*from)
+  end
+
   ##
   # Creates a new Formatter
 
@@ -35,6 +59,7 @@ class RDoc::Markup::Formatter
     @tt_bit = @attributes.bitmap_for :TT
 
     @hard_break = ''
+    @from_path = '.'
   end
 
   ##
@@ -51,6 +76,26 @@ class RDoc::Markup::Formatter
     end
   end
 
+  ##
+  # Adds a special for links of the form rdoc-...:
+
+  def add_special_RDOCLINK
+    @markup.add_special(/rdoc-[a-z]+:\S+/, :RDOCLINK)
+  end
+
+  ##
+  # Adds a special for links of the form {<text>}[<url>] and <word>[<url>]
+
+  def add_special_TIDYLINK
+    @markup.add_special(/(?:
+                          \{.*?\} |   # multi-word label
+                          \b[^\s{}]+? # single-word label
+                         )
+
+                         \[\S+?\]     # link target
+                        /x, :TIDYLINK)
+  end
+
   ##
   # Add a new set of tags for an attribute. We allow separate start and end
   # tags for flexibility
@@ -178,6 +223,36 @@ class RDoc::Markup::Formatter
     end
   end
 
+  ##
+  # Extracts and a scheme, url and an anchor id from +url+ and returns them.
+
+  def parse_url url
+    case url
+    when /^rdoc-label:([^:]*)(?::(.*))?/ then
+      scheme = 'link'
+      path   = "##{$1}"
+      id     = " id=\"#{$2}\"" if $2
+    when /([A-Za-z]+):(.*)/ then
+      scheme = $1.downcase
+      path   = $2
+    when /^#/ then
+    else
+      scheme = 'http'
+      path   = url
+      url    = "http://#{url}"
+    end
+
+    if scheme == 'link' then
+      url = if path[0, 1] == '#' then # is this meaningful?
+              path
+            else
+              self.class.gen_relative_url @from_path, path
+            end
+    end
+
+    [scheme, url, id]
+  end
+
   ##
   # Is +tag+ a tt tag?
 

data/lib/rdoc/markup/to_html.rb

@@ -36,30 +36,6 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
 
   attr_accessor :from_path
 
-  ##
-  # Converts a target url to one that is relative to a given path
-
-  def self.gen_relative_url(path, target)
-    from        = File.dirname path
-    to, to_file = File.split target
-
-    from = from.split "/"
-    to   = to.split "/"
-
-    from.delete '.'
-    to.delete '.'
-
-    while from.size > 0 and to.size > 0 and from[0] == to[0] do
-      from.shift
-      to.shift
-    end
-
-    from.fill ".."
-    from.concat to
-    from << to_file
-    File.join(*from)
-  end
-
   # :section:
 
   ##
@@ -79,17 +55,8 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
     @markup.add_special(/(?:link:|https?:|mailto:|ftp:|irc:|www\.)\S+\w/,
                         :HYPERLINK)
 
-    # internal links
-    @markup.add_special(/rdoc-[a-z]+:\S+/, :RDOCLINK)
-
-    # and links of the form  <text>[<url>]
-    @markup.add_special(/(?:
-                          \{.*?\} |   # multi-word label
-                          \b[^\s{}]+? # single-word label
-                         )
-
-                         \[\S+?\]     # link target
-                        /x, :TIDYLINK)
+    add_special_RDOCLINK
+    add_special_TIDYLINK
 
     init_tags
   end
@@ -301,6 +268,10 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
 
     @res << "\n<h#{level} id=\"#{label}\">"
     @res << to_html(heading.text)
+    unless @options.pipe then
+      @res << "<span><a href=\"##{label}\">&para;</a>"
+      @res << " <a href=\"#documentation\">&uarr;</a></span>"
+    end
     @res << "</h#{level}>\n"
   end
 
@@ -325,32 +296,13 @@ class RDoc::Markup::ToHtml < RDoc::Markup::Formatter
   # for img: and link: described under handle_special_HYPERLINK
 
   def gen_url url, text
-    if url =~ /^rdoc-label:([^:]*)(?::(.*))?/ then
-      type = "link"
-      path = "##{$1}"
-      id   = " id=\"#{$2}\"" if $2
-    elsif url =~ /([A-Za-z]+):(.*)/ then
-      type = $1
-      path = $2
-    else
-      type = "http"
-      path = url
-      url  = "http://#{url}"
-    end
-
-    if type == "link" then
-      url = if path[0, 1] == '#' then # is this meaningful?
-              path
-            else
-              self.class.gen_relative_url @from_path, path
-            end
-    end
+    scheme, url, id = parse_url url
 
-    if (type == "http" or type == "https" or type == "link") and
+    if %w[http https link].include?(scheme) and
        url =~ /\.(gif|png|jpg|jpeg|bmp)$/ then
       "<img src=\"#{url}\" />"
     else
-      "<a#{id} href=\"#{url}\">#{text.sub(%r{^#{type}:/*}, '')}</a>"
+      "<a#{id} href=\"#{url}\">#{text.sub(%r{^#{scheme}:/*}i, '')}</a>"
     end
   end