roda 3.14.0 → 3.14.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc2076279138faeeae9396e6cb397e5661de1ebe90517dc8bfcc0ab69c1c6a66
-  data.tar.gz: dbbd9323a8b414de60b4d2f4a6c5ca63ca7fbbf0cd4f9015fbbf82973500a8d6
+  metadata.gz: 32418c43dd47ff54b3e1d3d79b295735d7218e51aa902303bf01bef035aeb049
+  data.tar.gz: 45ea8f26e268865fc8d958496782f0bf23e02a2168e32edb29229840a80de99c
 SHA512:
-  metadata.gz: ad3f3d6d15bdcf8d146a8f44f3f3a4e1599dd7ec15e0aa3b7a912e61fea72a7cb3d1d631f9c9943abf43a796bfd38c18a44184579f13456c2b943cdf3cf3f272
-  data.tar.gz: affb16c92264210bbbe62a4f059012a4242f821bef661c308050bb36815f5885eaa3c0dc0c59d312390330dcda91de511a8413be109608e1f39bce641d97c78b
+  metadata.gz: 1b0e1b07e0e163a1557800e3d5023f05c84e3e80d39f90fba944ec8a147a0edb4bc411100a069a5f52d498603a8b22955793b56ac676c0e8d02d246f4870f7dd
+  data.tar.gz: 446371d8436c08d79cb4947f005877514471f02bfa700c519715fd64f1e5c851c9865b281bbf24e267cf03cbfd7d3670601b72b8d4fcabc44dbb4a23b0e4549b

data/CHANGELOG

@@ -1,3 +1,7 @@
+= 3.14.1 (2018-11-29)
+
+* SECURITY: content_for plugin no longer post-processes block result with template engine (jeremyevans)
+
 = 3.14.0 (2018-11-16)
 
 * Add :raise option to convert!/convert_each! in the typecast_params plugin to support not raising for missing keys (celsworth) (#153)

data/doc/release_notes/3.14.1.txt

@@ -0,0 +1,43 @@
+= Security Fix
+  
+* Do not post-process content_for block result with template engine
+  
+  Since 2.8.0, the content_for block result was post-processed with the
+  template engine.  There is no actual need to do so, as content_for is
+  not designed to render output, it is designed to store already
+  rendered output.  This post-processing was introduced when support for
+  haml templates was added in 2.8.0.
+  
+  Post-processing the output with the template engine is generally a
+  no-op for most usage as most output does not contain template
+  metaprogramming characters, which is why this went undetected for so
+  long.  However, if a content_for block return value contained
+  unescaped user input, it was probably vulnerable to remote code
+  execution if the default ERB template engine is used, the same as if
+  the user input was passed directly to the render or view method.
+  
+  Example of a vulnerable usage (assuming automatic escaping is not
+  enabled) would be:
+  
+    <% content_for :foo do %>
+      User name: <%= request.params['user_name'] %>
+    <% end %>
+  
+  Such usage is likely vulnerable to cross site scripting unless the
+  content_for output is escaped before being displayed, even without
+  the content_for template post-processing. However, the post-processing
+  turned it from a cross site scripting vulnerability into a remote code
+  execution vulnerability.  For non-ERB template engines, whether the
+  post-processing introduced a vulnerability depends on the template
+  engine.
+  
+  Note that if you were correctly escaping user input in your ERB
+  templates (either automatically or manually), you are unlikely to be
+  vulnerable as the escaping escaped the ERB template metacharacters
+  (< and >).  For non-ERB templates, escaping the output may not have
+  mitigated the vulnerability, depending on what metacharacters
+  the template engine uses and whether the escaping will modify them.
+  
+  Calling content_for with an argument was not vulnerable as no
+  post-processing was done on the argument, it was only done on
+  the block result.

data/lib/roda/plugins/content_for.rb

@@ -17,16 +17,37 @@ class Roda
     #     Some content here.
     #   <% end %>
     #
+    # or:
+    #
+    #   <% content_for :foo do "Some content here." end %>
+    #
     # You can also set the raw content as the second argument,
     # instead of passing a block:
     #
     #   <% content_for :foo, "Some content" %>
     #
     # In the template in which you want to retrieve content,
-    # call content_for without the block:
+    # call content_for without the block or argument:
     #
     #   <%= content_for :foo %>
     #
+    # Note that when storing content by calling content_for
+    # with a block and embedding template code, the return
+    # value of the block is used as the content (after being
+    # converted to a string).  This can cause issues in some
+    # cases, such as:
+    #
+    #   <% content_for :foo do %>
+    #     <% [1,2,3].each do |i| %>
+    #       Content <%= i %>
+    #     <% end %>
+    #   <% end %>
+    #
+    # In the above example, the return value of the block is
+    # <tt>[1,2,3]</tt>, as Array#each returns the receiver.
+    # If whitespace is not important, you can work around this by
+    # adding an empty line before the end of the content_for block.
+    #
     # If content_for is used multiple times with the same key,
     # by default, the last call will append previous calls.
     # If you want to overwrite the previous content, pass the
@@ -62,7 +83,7 @@ class Roda
 
               # Use temporary output buffer for ERB-based rendering systems
               instance_variable_set(outvar, String.new)
-              value = Tilt[render_opts[:engine]].new{yield.to_s}.render
+              value = yield.to_s
               instance_variable_set(outvar, buf_was)
             end
 

data/lib/roda/version.rb

@@ -8,7 +8,7 @@ class Roda
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.
-  RodaPatchVersion = 0
+  RodaPatchVersion = 1
 
   # The full version of Roda as a string.
   RodaVersion = "#{RodaMajorVersion}.#{RodaMinorVersion}.#{RodaPatchVersion}".freeze

data/spec/plugin/content_for_spec.rb

@@ -24,6 +24,12 @@ describe "content_for plugin with erb" do
         r.get 'e' do
           view(:inline => 'a<% content_for :foo do %><% end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
         end
+        r.get 'f' do
+          view(:inline => 'a<% content_for :foo do "f" end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
+        end
+        r.get 'g' do
+          view(:inline => 'a<% content_for :foo do "<" + "%= 1 %" + ">" end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
+        end
       end
     end
   end
@@ -43,6 +49,14 @@ describe "content_for plugin with erb" do
   it "should work for an empty content_for" do
     body('/e').strip.must_equal "cabde"
   end
+
+  it "should work when content_for uses a regular block" do
+    body('/f').strip.must_equal "cabdfe"
+  end
+
+  it "should use content_for output directly" do
+    body('/g').strip.must_equal "cabd<%= 1 %>e"
+  end
 end
 
 describe "content_for plugin with multiple calls to the same key" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.14.0
+  version: 3.14.1
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-16 00:00:00.000000000 Z
+date: 2018-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -210,6 +210,7 @@ extra_rdoc_files:
 - doc/release_notes/3.12.0.txt
 - doc/release_notes/3.13.0.txt
 - doc/release_notes/3.14.0.txt
+- doc/release_notes/3.14.1.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -258,6 +259,7 @@ files:
 - doc/release_notes/3.12.0.txt
 - doc/release_notes/3.13.0.txt
 - doc/release_notes/3.14.0.txt
+- doc/release_notes/3.14.1.txt
 - doc/release_notes/3.2.0.txt
 - doc/release_notes/3.3.0.txt
 - doc/release_notes/3.4.0.txt