!22 Fix CVE-2023-23913

From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2023-23913.patch

@@ -0,0 +1,132 @@
+Refer:
+https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
+https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
+
+From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Mon, 16 Jan 2023 09:43:54 -0500
+Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
+ contenteditable
+
+There is a potential DOM based cross-site scripting issue in rails-ujs
+which leverages the Clipboard API to target HTML elements that are
+assigned the contenteditable attribute. This has the potential to occur
+when pasting malicious HTML content from the clipboard that includes
+a data-method, data-disable-with or data-remote attribute.
+
+[CVE-2023-23913]
+
+---
+ lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 5 deletions(-)
+
+diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
+index 2176247..d428163 100644
+--- a/lib/assets/compiled/rails-ujs.js
++++ b/lib/assets/compiled/rails-ujs.js
+@@ -73,6 +73,22 @@ Released under the MIT license
+         return element[expando][key] = value;
+       };
+ 
++      Rails.isContentEditable = function(element) {
++        var isEditable;
++        isEditable = false;
++        while (true) {
++          if (element.isContentEditable) {
++            isEditable = true;
++            break;
++          }
++          element = element.parentElement;
++          if (!element) {
++            break;
++          }
++        }
++        return isEditable;
++      };
++
+       Rails.$ = function(selector) {
+         return Array.prototype.slice.call(document.querySelectorAll(selector));
+       };
+@@ -395,9 +411,9 @@ Released under the MIT license
+ 
+     }).call(this);
+     (function() {
+-      var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
++      var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
+ 
+-      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
++      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
+ 
+       Rails.handleDisabledElement = function(e) {
+         var element;
+@@ -417,6 +433,9 @@ Released under the MIT license
+         } else {
+           element = e;
+         }
++        if (isContentEditable(element)) {
++          return;
++        }
+         if (matches(element, Rails.linkDisableSelector)) {
+           return enableLinkElement(element);
+         } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
+@@ -429,6 +448,9 @@ Released under the MIT license
+       Rails.disableElement = function(e) {
+         var element;
+         element = e instanceof Event ? e.target : e;
++        if (isContentEditable(element)) {
++          return;
++        }
+         if (matches(element, Rails.linkDisableSelector)) {
+           return disableLinkElement(element);
+         } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
+@@ -513,10 +535,12 @@ Released under the MIT license
+ 
+     }).call(this);
+     (function() {
+-      var stopEverything;
++      var isContentEditable, stopEverything;
+ 
+       stopEverything = Rails.stopEverything;
+ 
++      isContentEditable = Rails.isContentEditable;
++
+       Rails.handleMethod = function(e) {
+         var csrfParam, csrfToken, form, formContent, href, link, method;
+         link = this;
+@@ -524,6 +548,9 @@ Released under the MIT license
+         if (!method) {
+           return;
+         }
++        if (isContentEditable(this)) {
++          return;
++        }
+         href = Rails.href(link);
+         csrfToken = Rails.csrfToken();
+         csrfParam = Rails.csrfParam();
+@@ -545,10 +572,10 @@ Released under the MIT license
+ 
+     }).call(this);
+     (function() {
+-      var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
++      var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+         slice = [].slice;
+ 
+-      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
++      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
+ 
+       isRemote = function(element) {
+         var value;
+@@ -566,6 +593,10 @@ Released under the MIT license
+           fire(element, 'ajax:stopped');
+           return false;
+         }
++        if (isContentEditable(element)) {
++          fire(element, 'ajax:stopped');
++          return false;
++        }
+         withCredentials = element.getAttribute('data-with-credentials');
+         dataType = element.getAttribute('data-type') || 'script';
+         if (matches(element, Rails.formSubmitSelector)) {
+-- 
+2.33.0
+

rubygem-actionview.spec

@@ -1,99 +1,99 @@
-%global pkg_name %{name}
+%global		gem_name actionview
+%bcond_with bootstrap
 
-%global gem_name actionview
-%global gem_require_name %{gem_name}
+Name:		rubygem-%{gem_name}
+Version:	6.1.4.1
+Release:	2
+Summary:	Rendering framework putting the V in MVC (part of Rails)
+License:	MIT
+URL:		http://rubyonrails.org
+Source0:	https://rubygems.org/gems/%{gem_name}-%{version}.gem
+Source1:	%{gem_name}-%{version}-tests.txz
+Source2:	rails-%{version}-tools.txz
+Patch3000:	CVE-2023-23913.patch
 
-Name: rubygem-%{gem_name}
-Version: 6.0.3.4
-Release: 2
-Summary: Rendering framework putting the V in MVC (part of Rails)
-Group: Development/Languages
-License: MIT
-URL: https://rubyonrails.org
-Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Source1: https://github.com/rails/rails/archive/refs/tags/v%{version}.tar.gz
-
-Requires: ruby(release)
-Requires: ruby >= 2.5.0
-Requires: ruby(rubygems)
-Requires: rubygem(activesupport) = 6.0.3.4
-Requires: rubygem(builder) >= 3.1
-Requires: rubygem(builder) < 4
-Requires: rubygem(erubi) >= 1.4
-Requires: rubygem(erubi) < 2
-Requires: rubygem(rails-html-sanitizer) >= 1.1
-Requires: rubygem(rails-html-sanitizer) < 2
-Requires: rubygem(rails-html-sanitizer) >= 1.2.0
-Requires: rubygem(rails-dom-testing) >= 2.0
-Requires: rubygem(rails-dom-testing) < 3
-BuildRequires: ruby(release)
-BuildRequires: ruby >= 2.5.0
-BuildRequires: rubygems-devel
-BuildArch: noarch
-Provides: rubygem(%{gem_name}) = %{version}
-
-Obsoletes: tfm-ror52-rubygem-%{gem_name} <= 5.2.1
+BuildRequires:	ruby(release)
+BuildRequires:	rubygems-devel
+%if %{without bootstrap}
+BuildRequires:	rubygem(activesupport) = %{version}
+BuildRequires:	rubygem(activerecord) = %{version}
+BuildRequires:	rubygem(actionpack) = %{version}
+BuildRequires:	rubygem(railties) = %{version}
+BuildRequires:	rubygem(sqlite3)
+%endif
+BuildArch:	noarch
 
 %description
 Simple, battle-tested conventions and helpers for building web pages.
 
 
-%package doc
-Summary: Documentation for %{pkg_name}
-Group: Documentation
-Requires: %{pkg_name} = %{version}-%{release}
-BuildArch: noarch
+%package	doc
+Summary:	Documentation for %{name}
+Requires:	%{name} = %{version}-%{release}
+BuildArch:	noarch
 
-%description doc
-Documentation for %{pkg_name}.
+%description	doc
+Documentation for %{name}.
 
 %prep
-gem unpack %{SOURCE0}
-
-%setup -q -D -T -n  %{gem_name}-%{version}
-
-gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
+%setup -q -n %{gem_name}-%{version} -b1 -b2
+%patch3000 -p1
 
 %build
-gem build %{gem_name}.gemspec
-
+gem build ../%{gem_name}-%{version}.gemspec
 %gem_install
 
 %install
 mkdir -p %{buildroot}%{gem_dir}
-cp -a .%{gem_dir}/* \
+cp -pa .%{gem_dir}/* \
         %{buildroot}%{gem_dir}/
 
+%if %{without bootstrap}
 %check
 ln -s %{gem_dir}/gems/activerecord-%{version}/ .%{gem_dir}/gems/activerecord
+
 pushd .%{gem_instdir}
-tar xzvf %{SOURCE1} -C .
-cd rails-%{version}/%{gem_name}
-for t in {actionpack,activerecord,template}; do
-  ruby -Ilib:test -e "Dir.glob('./test/$t/**/*_test.rb')"
-done
+ln -s %{_builddir}/tools ..
+mv %{_builddir}/test .
+
+mv test/activerecord/controller_runtime_test.rb{,.disable}
+
+find test -type f -name '*_test.rb' -print0 | \
+  sort -z | \
+  xargs -0 -n1 -i sh -c "echo '* Test file: {}'; ruby -Itest -- '{}' || exit 255"
+
 popd
+%endif
 
 %files
 %dir %{gem_instdir}
-%license %{gem_instdir}/MIT-LICENSE
 %{gem_libdir}
 %exclude %{gem_cache}
 %{gem_spec}
+%license %{gem_instdir}/MIT-LICENSE
 
 %files doc
 %doc %{gem_docdir}
-%doc %{gem_instdir}/CHANGELOG.md
 %doc %{gem_instdir}/README.rdoc
+%doc %{gem_instdir}/CHANGELOG.md
 
 %changelog
+* Tue Jun 25 2024 wangkai <13474090681@163.com> - 6.1.4.1-2
+- Fix CVE-2023-23913
+
+* Mon May 02 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1
+- Upgrade to 6.1.4.1
+
+* Wed Aug 04 2021 wangyue <wangyue92@huawei.com> - 5.2.4.4-2
+- revert to 5.2.4.4
+
 * Fri Jun 25 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 6.0.3.4-2
 - Add code testing
 
 * Mon Jun 07 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 6.0.3.4-1
 - Update to 6.0.3.4
 
-* Mon Feb  8 2021sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
+* Mon Feb 8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
 - Upgrade to 5.2.4.4
 
 * Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1