packages/rubygem-actionview
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!22 Fix CVE-2023-23913

Browse Source 
From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-06-25 08:40:54 +00:00 committed by Gitee
commit 0e5ca21301
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 138 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
CVE-2023-23913.patch Normal file
View File

@ -0,0 +1,132 @@
Refer:
https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Mon, 16 Jan 2023 09:43:54 -0500
Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
contenteditable
There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to occur
when pasting malicious HTML content from the clipboard that includes
a data-method, data-disable-with or data-remote attribute.
[CVE-2023-23913]
---
lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
index 2176247..d428163 100644
--- a/lib/assets/compiled/rails-ujs.js
+++ b/lib/assets/compiled/rails-ujs.js
@@ -73,6 +73,22 @@ Released under the MIT license
return element[expando][key] = value;
};
+ Rails.isContentEditable = function(element) {
+ var isEditable;
+ isEditable = false;
+ while (true) {
+ if (element.isContentEditable) {
+ isEditable = true;
+ break;
+ }
+ element = element.parentElement;
+ if (!element) {
+ break;
+ }
+ }
+ return isEditable;
+ };
+
Rails.$ = function(selector) {
return Array.prototype.slice.call(document.querySelectorAll(selector));
};
@@ -395,9 +411,9 @@ Released under the MIT license
}).call(this);
(function() {
- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
+ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
Rails.handleDisabledElement = function(e) {
var element;
@@ -417,6 +433,9 @@ Released under the MIT license
} else {
element = e;
}
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return enableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -429,6 +448,9 @@ Released under the MIT license
Rails.disableElement = function(e) {
var element;
element = e instanceof Event ? e.target : e;
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return disableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -513,10 +535,12 @@ Released under the MIT license
}).call(this);
(function() {
- var stopEverything;
+ var isContentEditable, stopEverything;
stopEverything = Rails.stopEverything;
+ isContentEditable = Rails.isContentEditable;
+
Rails.handleMethod = function(e) {
var csrfParam, csrfToken, form, formContent, href, link, method;
link = this;
@@ -524,6 +548,9 @@ Released under the MIT license
if (!method) {
return;
}
+ if (isContentEditable(this)) {
+ return;
+ }
href = Rails.href(link);
csrfToken = Rails.csrfToken();
csrfParam = Rails.csrfParam();
@@ -545,10 +572,10 @@ Released under the MIT license
}).call(this);
(function() {
- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
slice = [].slice;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
isRemote = function(element) {
var value;
@@ -566,6 +593,10 @@ Released under the MIT license
fire(element, 'ajax:stopped');
return false;
}
+ if (isContentEditable(element)) {
+ fire(element, 'ajax:stopped');
+ return false;
+ }
withCredentials = element.getAttribute('data-with-credentials');
dataType = element.getAttribute('data-type') || 'script';
if (matches(element, Rails.formSubmitSelector)) {
--
2.33.0

7
rubygem-actionview.spec
View File

@ -3,13 +3,14 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 6.1.4.1 Version: 6.1.4.1
Release: 1 Release: 2
Summary: Rendering framework putting the V in MVC (part of Rails) Summary: Rendering framework putting the V in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: %{gem_name}-%{version}-tests.txz Source1: %{gem_name}-%{version}-tests.txz
Source2: rails-%{version}-tools.txz Source2: rails-%{version}-tools.txz
Patch3000: CVE-2023-23913.patch
BuildRequires: ruby(release) BuildRequires: ruby(release)
BuildRequires: rubygems-devel BuildRequires: rubygems-devel
@ -36,6 +37,7 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} -b1 -b2 %setup -q -n %{gem_name}-%{version} -b1 -b2
%patch3000 -p1
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -76,6 +78,9 @@ popd
%doc %{gem_instdir}/CHANGELOG.md %doc %{gem_instdir}/CHANGELOG.md
%changelog %changelog
* Tue Jun 25 2024 wangkai <13474090681@163.com> - 6.1.4.1-2
- Fix CVE-2023-23913
* Mon May 02 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1 * Mon May 02 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1
- Upgrade to 6.1.4.1 - Upgrade to 6.1.4.1