roda 3.14.0 → 3.14.1
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/doc/release_notes/3.14.1.txt +43 -0
- data/lib/roda/plugins/content_for.rb +23 -2
- data/lib/roda/version.rb +1 -1
- data/spec/plugin/content_for_spec.rb +14 -0
- metadata +4 -2
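--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 32418c43dd47ff54b3e1d3d79b295735d7218e51aa902303bf01bef035aeb049
+data.tar.gz: 45ea8f26e268865fc8d958496782f0bf23e02a2168e32edb29229840a80de99c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1b0e1b07e0e163a1557800e3d5023f05c84e3e80d39f90fba944ec8a147a0edb4bc411100a069a5f52d498603a8b22955793b56ac676c0e8d02d246f4870f7dd
+data.tar.gz: 446371d8436c08d79cb4947f005877514471f02bfa700c519715fd64f1e5c851c9865b281bbf24e267cf03cbfd7d3670601b72b8d4fcabc44dbb4a23b0e4549b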
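--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,7 @@
+= 3.14.1 (2018-11-29)
+
+* SECURITY: content_for plugin no longer post-processes block result with template engine (jeremyevans)
+
 = 3.14.0 (2018-11-16)
 
 * Add :raise option to convert!/convert_each! in the typecast_params plugin to support not raising for missing keys (celsworth) (#153)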
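--- /dev/null
+++ b/data/doc/release_notes/3.14.1.txt
@@ -0,0 +1,43 @@
+= Security Fix
+
+* Do not post-process content_for block result with template engine
+
+Since 2.8.0, the content_for block result was post-processed with the
+template engine. There is no actual need to do so, as content_for is
+not designed to render output, it is designed to store already
+rendered output. This post-processing was introduced when support for
+haml templates was added in 2.8.0.
+
+Post-processing the output with the template engine is generally a
+no-op for most usage as most output does not contain template
+metaprogramming characters, which is why this went undetected for so
+long. However, if a content_for block return value contained
+unescaped user input, it was probably vulnerable to remote code
+execution if the default ERB template engine is used, the same as if
+the user input was passed directly to the render or view method.
+
+Example of a vulnerable usage (assuming automatic escaping is not
+enabled) would be:
+
+<% content_for :foo do %>
+User name: <%= request.params['user_name'] %>
+<% end %>
+
+Such usage is likely vulnerable to cross site scripting unless the
+content_for output is escaped before being displayed, even without
+the content_for template post-processing. However, the post-processing
+turned it from a cross site scripting vulnerability into a remote code
+execution vulnerability. For non-ERB template engines, whether the
+post-processing introduced a vulnerability depends on the template
+engine.
+
+Note that if you were correctly escaping user input in your ERB
+templates (either automatically or manually), you are unlikely to be
+vulnerable as the escaping escaped the ERB template metacharacters
+(< and >). For non-ERB templates, escaping the output may not have
+mitigated the vulnerability, depending on what metacharacters
+the template engine uses and whether the escaping will modify them.
+
+Calling content_for with an argument was not vulnerable as no
+post-processing was done on the argument, it was only done on
+the block result.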
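--- a/data/lib/roda/plugins/content_for.rb
+++ b/data/lib/roda/plugins/content_for.rb
@@ -17,16 +17,37 @@ class Roda
 # Some content here.
 # <% end %>
 #
+# or:
+#
+# <% content_for :foo do "Some content here." end %>
+#
 # You can also set the raw content as the second argument,
 # instead of passing a block:
 #
 # <% content_for :foo, "Some content" %>
 #
 # In the template in which you want to retrieve content,
-# call content_for without the block:
+# call content_for without the block or argument:
 #
 # <%= content_for :foo %>
 #
+# Note that when storing content by calling content_for
+# with a block and embedding template code, the return
+# value of the block is used as the content (after being
+# converted to a string). This can cause issues in some
+# cases, such as:
+#
+# <% content_for :foo do %>
+# <% [1,2,3].each do |i| %>
+# Content <%= i %>
+# <% end %>
+# <% end %>
+#
+# In the above example, the return value of the block is
+# <tt>[1,2,3]</tt>, as Array#each returns the receiver.
+# If whitespace is not important, you can work around this by
+# adding an empty line before the end of the content_for block.
+#
 # If content_for is used multiple times with the same key,
 # by default, the last call will append previous calls.
 # If you want to overwrite the previous content, pass the
@@ -62,7 +83,7 @@ class Roda
 
 # Use temporary output buffer for ERB-based rendering systems
 instance_variable_set(outvar, String.new)
-value =
+value = yield.to_s
 instance_variable_set(outvar, buf_was)
 end
 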
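Review bot: The stored content at `value = yield.to_s` is whatever the block happens to return, which the new doc comment itself concedes is fragile (a trailing `[1,2,3].each` hands back the array, so the stored text becomes `"[1, 2, 3]"` rather than the rendered lines); since this branch already swaps a temporary output buffer into `outvar`, capturing that buffer and falling back to the return value only when nothing was appended would remove the footgun without breaking the `do "f" end` case: `ret = yield`, `buf = instance_variable_get(outvar)`, `value = buf.empty? ? ret.to_s : buf`. That presumes the ERB engine's `<% %>` blocks append to the same `outvar` buffer the plugin swaps in here, which the hunk does not show, so it needs confirming against the engine setup before adopting. The security fix itself, returning the block result verbatim instead of feeding it back through the template engine, looks right and is pinned by the `<%= 1 %>` pass-through case in the spec. The enclosing method starts and ends outside the hunk.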
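--- a/data/lib/roda/version.rb
+++ b/data/lib/roda/version.rb
@@ -8,7 +8,7 @@ class Roda
 
 # The patch version of Roda, updated only for bug fixes from the last
 # feature release.
-RodaPatchVersion =
+RodaPatchVersion = 1
 
 # The full version of Roda as a string.
 RodaVersion = "#{RodaMajorVersion}.#{RodaMinorVersion}.#{RodaPatchVersion}".freeze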
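--- a/data/spec/plugin/content_for_spec.rb
+++ b/data/spec/plugin/content_for_spec.rb
@@ -24,6 +24,12 @@ describe "content_for plugin with erb" do
 r.get 'e' do
 view(:inline => 'a<% content_for :foo do %><% end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
 end
+r.get 'f' do
+view(:inline => 'a<% content_for :foo do "f" end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
+end
+r.get 'g' do
+view(:inline => 'a<% content_for :foo do "<" + "%= 1 %" + ">" end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
+end
 end
 end
 end
@@ -43,6 +49,14 @@ describe "content_for plugin with erb" do
 it "should work for an empty content_for" do
 body('/e').strip.must_equal "cabde"
 end
+
+it "should work when content_for uses a regular block" do
+body('/f').strip.must_equal "cabdfe"
+end
+
+it "should use content_for output directly" do
+body('/g').strip.must_equal "cabd<%= 1 %>e"
+end
 end
 
 describe "content_for plugin with multiple calls to the same key" do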
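Review bot: The regression case `r.get 'g'` pins the fix only for ERB, asserting that a literal `<%= 1 %>` reaches the layout unevaluated; nothing here covers a non-ERB engine, even though the release notes trace the post-processing to the haml support added in 2.8.0 and say exposure there depends on the engine. If the plugin has a non-ERB path (the `for ERB-based rendering systems` comment in content_for.rb suggests one), a parallel test feeding that engine's metacharacters through a content_for block would keep it from regressing silently. A short comment on the `'g'` route explaining why the tag is built by concatenation, e.g. `# concatenated so the outer ERB template does not see a %> terminator`, would also spare the next reader a puzzle.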
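--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-version: 3.14.
+version: 3.14.1
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-11-
+date: 2018-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
@@ -210,6 +210,7 @@ extra_rdoc_files:
 - doc/release_notes/3.12.0.txt
 - doc/release_notes/3.13.0.txt
 - doc/release_notes/3.14.0.txt
+- doc/release_notes/3.14.1.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -258,6 +259,7 @@ files:
 - doc/release_notes/3.12.0.txt
 - doc/release_notes/3.13.0.txt
 - doc/release_notes/3.14.0.txt
+- doc/release_notes/3.14.1.txt
 - doc/release_notes/3.2.0.txt
 - doc/release_notes/3.3.0.txt
 - doc/release_notes/3.4.0.txt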