Compare commits


No commits in common. "0e5ca21301e1ab4c6cc39d7bee7cf6b321381767" and "254cf43f092dba776cb13a5ac34c2e33107c8122" have entirely different histories.

7 changed files with 56 additions and 188 deletions


@ -1,132 +0,0 @@
Refer:
https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Mon, 16 Jan 2023 09:43:54 -0500
Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
contenteditable
There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to occur
when pasting malicious HTML content from the clipboard that includes
a data-method, data-disable-with or data-remote attribute.
[CVE-2023-23913]
---
lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
index 2176247..d428163 100644
--- a/lib/assets/compiled/rails-ujs.js
+++ b/lib/assets/compiled/rails-ujs.js
@@ -73,6 +73,22 @@ Released under the MIT license
return element[expando][key] = value;
};
+ Rails.isContentEditable = function(element) {
+ var isEditable;
+ isEditable = false;
+ while (true) {
+ if (element.isContentEditable) {
+ isEditable = true;
+ break;
+ }
+ element = element.parentElement;
+ if (!element) {
+ break;
+ }
+ }
+ return isEditable;
+ };
+
Rails.$ = function(selector) {
return Array.prototype.slice.call(document.querySelectorAll(selector));
};
@@ -395,9 +411,9 @@ Released under the MIT license
}).call(this);
(function() {
- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
+ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
Rails.handleDisabledElement = function(e) {
var element;
@@ -417,6 +433,9 @@ Released under the MIT license
} else {
element = e;
}
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return enableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -429,6 +448,9 @@ Released under the MIT license
Rails.disableElement = function(e) {
var element;
element = e instanceof Event ? e.target : e;
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return disableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -513,10 +535,12 @@ Released under the MIT license
}).call(this);
(function() {
- var stopEverything;
+ var isContentEditable, stopEverything;
stopEverything = Rails.stopEverything;
+ isContentEditable = Rails.isContentEditable;
+
Rails.handleMethod = function(e) {
var csrfParam, csrfToken, form, formContent, href, link, method;
link = this;
@@ -524,6 +548,9 @@ Released under the MIT license
if (!method) {
return;
}
+ if (isContentEditable(this)) {
+ return;
+ }
href = Rails.href(link);
csrfToken = Rails.csrfToken();
csrfParam = Rails.csrfParam();
@@ -545,10 +572,10 @@ Released under the MIT license
}).call(this);
(function() {
- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
slice = [].slice;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
isRemote = function(element) {
var value;
@@ -566,6 +593,10 @@ Released under the MIT license
fire(element, 'ajax:stopped');
return false;
}
+ if (isContentEditable(element)) {
+ fire(element, 'ajax:stopped');
+ return false;
+ }
withCredentials = element.getAttribute('data-with-credentials');
dataType = element.getAttribute('data-type') || 'script';
if (matches(element, Rails.formSubmitSelector)) {
--
2.33.0

actionview-6.0.3.4.gem Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,99 +1,99 @@
%global gem_name actionview
%bcond_with bootstrap
%global pkg_name %{name}
Name: rubygem-%{gem_name}
Version: 6.1.4.1
Release: 2
Summary: Rendering framework putting the V in MVC (part of Rails)
License: MIT
URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: %{gem_name}-%{version}-tests.txz
Source2: rails-%{version}-tools.txz
Patch3000: CVE-2023-23913.patch
%global gem_name actionview
%global gem_require_name %{gem_name}
BuildRequires: ruby(release)
BuildRequires: rubygems-devel
%if %{without bootstrap}
BuildRequires: rubygem(activesupport) = %{version}
BuildRequires: rubygem(activerecord) = %{version}
BuildRequires: rubygem(actionpack) = %{version}
BuildRequires: rubygem(railties) = %{version}
BuildRequires: rubygem(sqlite3)
%endif
BuildArch: noarch
Name: rubygem-%{gem_name}
Version: 6.0.3.4
Release: 2
Summary: Rendering framework putting the V in MVC (part of Rails)
Group: Development/Languages
License: MIT
URL: https://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/rails/rails/archive/refs/tags/v%{version}.tar.gz
Requires: ruby(release)
Requires: ruby >= 2.5.0
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = 6.0.3.4
Requires: rubygem(builder) >= 3.1
Requires: rubygem(builder) < 4
Requires: rubygem(erubi) >= 1.4
Requires: rubygem(erubi) < 2
Requires: rubygem(rails-html-sanitizer) >= 1.1
Requires: rubygem(rails-html-sanitizer) < 2
Requires: rubygem(rails-html-sanitizer) >= 1.2.0
Requires: rubygem(rails-dom-testing) >= 2.0
Requires: rubygem(rails-dom-testing) < 3
BuildRequires: ruby(release)
BuildRequires: ruby >= 2.5.0
BuildRequires: rubygems-devel
BuildArch: noarch
Provides: rubygem(%{gem_name}) = %{version}
Obsoletes: tfm-ror52-rubygem-%{gem_name} <= 5.2.1
%description
Simple, battle-tested conventions and helpers for building web pages.
%package doc
Summary: Documentation for %{name}
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%package doc
Summary: Documentation for %{pkg_name}
Group: Documentation
Requires: %{pkg_name} = %{version}-%{release}
BuildArch: noarch
%description doc
Documentation for %{name}.
%description doc
Documentation for %{pkg_name}.
%prep
%setup -q -n %{gem_name}-%{version} -b1 -b2
%patch3000 -p1
gem unpack %{SOURCE0}
%setup -q -D -T -n %{gem_name}-%{version}
gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
%build
gem build ../%{gem_name}-%{version}.gemspec
gem build %{gem_name}.gemspec
%gem_install
%install
mkdir -p %{buildroot}%{gem_dir}
cp -pa .%{gem_dir}/* \
cp -a .%{gem_dir}/* \
%{buildroot}%{gem_dir}/
%if %{without bootstrap}
%check
ln -s %{gem_dir}/gems/activerecord-%{version}/ .%{gem_dir}/gems/activerecord
pushd .%{gem_instdir}
ln -s %{_builddir}/tools ..
mv %{_builddir}/test .
mv test/activerecord/controller_runtime_test.rb{,.disable}
find test -type f -name '*_test.rb' -print0 | \
sort -z | \
xargs -0 -n1 -i sh -c "echo '* Test file: {}'; ruby -Itest -- '{}' || exit 255"
tar xzvf %{SOURCE1} -C .
cd rails-%{version}/%{gem_name}
for t in {actionpack,activerecord,template}; do
ruby -Ilib:test -e "Dir.glob('./test/$t/**/*_test.rb')"
done
popd
%endif
%files
%dir %{gem_instdir}
%license %{gem_instdir}/MIT-LICENSE
%{gem_libdir}
%exclude %{gem_cache}
%{gem_spec}
%license %{gem_instdir}/MIT-LICENSE
%files doc
%doc %{gem_docdir}
%doc %{gem_instdir}/README.rdoc
%doc %{gem_instdir}/CHANGELOG.md
%doc %{gem_instdir}/README.rdoc
%changelog
* Tue Jun 25 2024 wangkai <13474090681@163.com> - 6.1.4.1-2
- Fix CVE-2023-23913
* Mon May 02 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1
- Upgrade to 6.1.4.1
* Wed Aug 04 2021 wangyue <wangyue92@huawei.com> - 5.2.4.4-2
- revert to 5.2.4.4
* Fri Jun 25 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 6.0.3.4-2
- Add code testing
* Mon Jun 07 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 6.0.3.4-1
- Update to 6.0.3.4
* Mon Feb 8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
* Mon Feb 8 2021sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
- Upgrade to 5.2.4.4
* Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1
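Review bot: The 6.0.3.4 side of this spec has no `Patch3000: CVE-2023-23913.patch` line and no `%patch3000 -p1` in `%prep`, and the first file section deletes the patch file itself, so the package built from this side ships `lib/assets/compiled/rails-ujs.js` without the contenteditable DOM-XSS fix that the 6.1.4.1-2 changelog entry claims to carry, and nothing in the 6.0.3.4 changelog records that the fix was dropped. If 6.0.3.4 is the intended head (the `Normal file` labels on `actionview-6.0.3.4.gem` and `v6.0.3.4.tar.gz` suggest it is), keep the backport: add `Patch3000: CVE-2023-23913.patch` next to `Source1:` and apply it after `%setup -q -D -T -n %{gem_name}-%{version}` with `%patch3000 -p1`, refreshing the hunk context against the 6.0.3.4 copy of rails-ujs.js if it no longer applies cleanly; otherwise add a changelog line stating the regression is deliberate. Separately, the new `%check` loop `ruby -Ilib:test -e "Dir.glob('./test/$t/**/*_test.rb')"` only evaluates the glob and never loads a test file, so the check passes vacuously; `ruby -Ilib:test -e "Dir.glob('./test/$t/**/*_test.rb').each { |f| require File.expand_path(f) }"` would actually run them. The `Requires: rubygem(rails-html-sanitizer) >= 1.2.0` line also makes the preceding `>= 1.1` bound redundant and could be dropped.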

v6.0.3.4.tar.gz Normal file

Binary file not shown.