Fix CVE-2023-23913
This commit is contained in:
wk333
parent
7e5eaacfad
commit
0d9523c284
132
CVE-2023-23913.patch
Normal file
132
CVE-2023-23913.patch
Normal file
@ -0,0 +1,132 @@
|
||||
Refer:
|
||||
https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
|
||||
https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
|
||||
|
||||
From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
|
||||
From: Zack Deveau <zack.ref@gmail.com>
|
||||
Date: Mon, 16 Jan 2023 09:43:54 -0500
|
||||
Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
|
||||
contenteditable
|
||||
|
||||
There is a potential DOM based cross-site scripting issue in rails-ujs
|
||||
which leverages the Clipboard API to target HTML elements that are
|
||||
assigned the contenteditable attribute. This has the potential to occur
|
||||
when pasting malicious HTML content from the clipboard that includes
|
||||
a data-method, data-disable-with or data-remote attribute.
|
||||
|
||||
[CVE-2023-23913]
|
||||
|
||||
---
|
||||
lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
|
||||
1 file changed, 36 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
|
||||
index 2176247..d428163 100644
|
||||
--- a/lib/assets/compiled/rails-ujs.js
|
||||
+++ b/lib/assets/compiled/rails-ujs.js
|
||||
@@ -73,6 +73,22 @@ Released under the MIT license
|
||||
return element[expando][key] = value;
|
||||
};
|
||||
|
||||
+ Rails.isContentEditable = function(element) {
|
||||
+ var isEditable;
|
||||
+ isEditable = false;
|
||||
+ while (true) {
|
||||
+ if (element.isContentEditable) {
|
||||
+ isEditable = true;
|
||||
+ break;
|
||||
+ }
|
||||
+ element = element.parentElement;
|
||||
+ if (!element) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ return isEditable;
|
||||
+ };
|
||||
+
|
||||
Rails.$ = function(selector) {
|
||||
return Array.prototype.slice.call(document.querySelectorAll(selector));
|
||||
};
|
||||
@@ -395,9 +411,9 @@ Released under the MIT license
|
||||
|
||||
}).call(this);
|
||||
(function() {
|
||||
- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
|
||||
+ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
|
||||
|
||||
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
|
||||
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
|
||||
|
||||
Rails.handleDisabledElement = function(e) {
|
||||
var element;
|
||||
@@ -417,6 +433,9 @@ Released under the MIT license
|
||||
} else {
|
||||
element = e;
|
||||
}
|
||||
+ if (isContentEditable(element)) {
|
||||
+ return;
|
||||
+ }
|
||||
if (matches(element, Rails.linkDisableSelector)) {
|
||||
return enableLinkElement(element);
|
||||
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
|
||||
@@ -429,6 +448,9 @@ Released under the MIT license
|
||||
Rails.disableElement = function(e) {
|
||||
var element;
|
||||
element = e instanceof Event ? e.target : e;
|
||||
+ if (isContentEditable(element)) {
|
||||
+ return;
|
||||
+ }
|
||||
if (matches(element, Rails.linkDisableSelector)) {
|
||||
return disableLinkElement(element);
|
||||
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
|
||||
@@ -513,10 +535,12 @@ Released under the MIT license
|
||||
|
||||
}).call(this);
|
||||
(function() {
|
||||
- var stopEverything;
|
||||
+ var isContentEditable, stopEverything;
|
||||
|
||||
stopEverything = Rails.stopEverything;
|
||||
|
||||
+ isContentEditable = Rails.isContentEditable;
|
||||
+
|
||||
Rails.handleMethod = function(e) {
|
||||
var csrfParam, csrfToken, form, formContent, href, link, method;
|
||||
link = this;
|
||||
@@ -524,6 +548,9 @@ Released under the MIT license
|
||||
if (!method) {
|
||||
return;
|
||||
}
|
||||
+ if (isContentEditable(this)) {
|
||||
+ return;
|
||||
+ }
|
||||
href = Rails.href(link);
|
||||
csrfToken = Rails.csrfToken();
|
||||
csrfParam = Rails.csrfParam();
|
||||
@@ -545,10 +572,10 @@ Released under the MIT license
|
||||
|
||||
}).call(this);
|
||||
(function() {
|
||||
- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
|
||||
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
|
||||
slice = [].slice;
|
||||
|
||||
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
|
||||
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
|
||||
|
||||
isRemote = function(element) {
|
||||
var value;
|
||||
@@ -566,6 +593,10 @@ Released under the MIT license
|
||||
fire(element, 'ajax:stopped');
|
||||
return false;
|
||||
}
|
||||
+ if (isContentEditable(element)) {
|
||||
+ fire(element, 'ajax:stopped');
|
||||
+ return false;
|
||||
+ }
|
||||
withCredentials = element.getAttribute('data-with-credentials');
|
||||
dataType = element.getAttribute('data-type') || 'script';
|
||||
if (matches(element, Rails.formSubmitSelector)) {
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -3,13 +3,14 @@
|
||||
|
||||
Name: rubygem-%{gem_name}
|
||||
Version: 6.1.4.1
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: Rendering framework putting the V in MVC (part of Rails)
|
||||
License: MIT
|
||||
URL: http://rubyonrails.org
|
||||
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
|
||||
Source1: %{gem_name}-%{version}-tests.txz
|
||||
Source2: rails-%{version}-tools.txz
|
||||
Patch3000: CVE-2023-23913.patch
|
||||
|
||||
BuildRequires: ruby(release)
|
||||
BuildRequires: rubygems-devel
|
||||
@ -36,6 +37,7 @@ Documentation for %{name}.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{gem_name}-%{version} -b1 -b2
|
||||
%patch3000 -p1
|
||||
|
||||
%build
|
||||
gem build ../%{gem_name}-%{version}.gemspec
|
||||
@ -76,6 +78,9 @@ popd
|
||||
%doc %{gem_instdir}/CHANGELOG.md
|
||||
|
||||
%changelog
|
||||
* Tue Jun 25 2024 wangkai <13474090681@163.com> - 6.1.4.1-2
|
||||
- Fix CVE-2023-23913
|
||||
|
||||
* Mon May 02 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1
|
||||
- Upgrade to 6.1.4.1
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user