!22 Fix CVE-2023-23913

From: @wk333 Reviewed-by: @jxy_git Signed-off-by: @jxy_git
Fix CVE-2023-23913
2024-06-25 08:40:54 +00:00 · 2024-06-25 16:00:49 +08:00 · 2022-06-20 01:55:03 +00:00 · 2022-06-17 06:20:21 +00:00 · 2022-06-09 09:30:10 +00:00 · 2022-06-09 13:48:15 +08:00
7 changed files with 188 additions and 56 deletions
--- a/CVE-2023-23913.patch
+++ b/CVE-2023-23913.patch
@ -0,0 +1,132 @@
 Refer:
 https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
 https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
 From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
 From: Zack Deveau <zack.ref@gmail.com>
 Date: Mon, 16 Jan 2023 09:43:54 -0500
 Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
 contenteditable
 There is a potential DOM based cross-site scripting issue in rails-ujs
 which leverages the Clipboard API to target HTML elements that are
 assigned the contenteditable attribute. This has the potential to occur
 when pasting malicious HTML content from the clipboard that includes
 a data-method, data-disable-with or data-remote attribute.
 [CVE-2023-23913]
 ---
 lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 5 deletions(-)
 diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
 index 2176247..d428163 100644
 --- a/lib/assets/compiled/rails-ujs.js
 +++ b/lib/assets/compiled/rails-ujs.js
@@ -73,6 +73,22 @@ Released under the MIT license
         return element[expando][key] = value;
       };
 +      Rails.isContentEditable = function(element) {
 +        var isEditable;
 +        isEditable = false;
 +        while (true) {
 +          if (element.isContentEditable) {
 +            isEditable = true;
 +            break;
 +          }
 +          element = element.parentElement;
 +          if (!element) {
 +            break;
 +          }
 +        }
 +        return isEditable;
 +      };
 +
       Rails.$ = function(selector) {
         return Array.prototype.slice.call(document.querySelectorAll(selector));
       };
@@ -395,9 +411,9 @@ Released under the MIT license
     }).call(this);
     (function() {
 -      var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
 +      var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
 -      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
 +      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
       Rails.handleDisabledElement = function(e) {
         var element;
@@ -417,6 +433,9 @@ Released under the MIT license
         } else {
           element = e;
         }
 +        if (isContentEditable(element)) {
 +          return;
 +        }
         if (matches(element, Rails.linkDisableSelector)) {
           return enableLinkElement(element);
         } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -429,6 +448,9 @@ Released under the MIT license
       Rails.disableElement = function(e) {
         var element;
         element = e instanceof Event ? e.target : e;
 +        if (isContentEditable(element)) {
 +          return;
 +        }
         if (matches(element, Rails.linkDisableSelector)) {
           return disableLinkElement(element);
         } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -513,10 +535,12 @@ Released under the MIT license
     }).call(this);
     (function() {
 -      var stopEverything;
 +      var isContentEditable, stopEverything;
       stopEverything = Rails.stopEverything;
 +      isContentEditable = Rails.isContentEditable;
 +
       Rails.handleMethod = function(e) {
         var csrfParam, csrfToken, form, formContent, href, link, method;
         link = this;
@@ -524,6 +548,9 @@ Released under the MIT license
         if (!method) {
           return;
         }
 +        if (isContentEditable(this)) {
 +          return;
 +        }
         href = Rails.href(link);
         csrfToken = Rails.csrfToken();
         csrfParam = Rails.csrfParam();
@@ -545,10 +572,10 @@ Released under the MIT license
     }).call(this);
     (function() {
 -      var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
 +      var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
         slice = [].slice;
 -      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
 +      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
       isRemote = function(element) {
         var value;
@@ -566,6 +593,10 @@ Released under the MIT license
           fire(element, 'ajax:stopped');
           return false;
         }
 +        if (isContentEditable(element)) {
 +          fire(element, 'ajax:stopped');
 +          return false;
 +        }
         withCredentials = element.getAttribute('data-with-credentials');
         dataType = element.getAttribute('data-type') || 'script';
         if (matches(element, Rails.formSubmitSelector)) {
 -- 
 2.33.0
--- a/actionview-6.0.3.4.gem
+++ b/actionview-6.0.3.4.gem
--- a/actionview-6.1.4.1-tests.txz
+++ b/actionview-6.1.4.1-tests.txz
--- a/actionview-6.1.4.1.gem
+++ b/actionview-6.1.4.1.gem
--- a/rails-6.1.4.1-tools.txz
+++ b/rails-6.1.4.1-tools.txz
--- a/rubygem-actionview.spec
+++ b/rubygem-actionview.spec
@ -1,99 +1,99 @@
-%global pkg_name %{name}
+%global		gem_name actionview
 %bcond_with bootstrap
-%global gem_name actionview
+Name:		rubygem-%{gem_name}
-%global gem_require_name %{gem_name}
+Version:	6.1.4.1
 Release:	2
 Summary:	Rendering framework putting the V in MVC (part of Rails)
 License:	MIT
 URL:		http://rubyonrails.org
 Source0:	https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:	%{gem_name}-%{version}-tests.txz
 Source2:	rails-%{version}-tools.txz
 Patch3000:	CVE-2023-23913.patch
-Name: rubygem-%{gem_name}
+BuildRequires:	ruby(release)
-Version: 6.0.3.4
+BuildRequires:	rubygems-devel
-Release: 2
+%if %{without bootstrap}
-Summary: Rendering framework putting the V in MVC (part of Rails)
+BuildRequires:	rubygem(activesupport) = %{version}
-Group: Development/Languages
+BuildRequires:	rubygem(activerecord) = %{version}
-License: MIT
+BuildRequires:	rubygem(actionpack) = %{version}
-URL: https://rubyonrails.org
+BuildRequires:	rubygem(railties) = %{version}
-Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
+BuildRequires:	rubygem(sqlite3)
-Source1: https://github.com/rails/rails/archive/refs/tags/v%{version}.tar.gz
+%endif
-
+BuildArch:	noarch
 Requires: ruby(release)
 Requires: ruby >= 2.5.0
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = 6.0.3.4
 Requires: rubygem(builder) >= 3.1
 Requires: rubygem(builder) < 4
 Requires: rubygem(erubi) >= 1.4
 Requires: rubygem(erubi) < 2
 Requires: rubygem(rails-html-sanitizer) >= 1.1
 Requires: rubygem(rails-html-sanitizer) < 2
 Requires: rubygem(rails-html-sanitizer) >= 1.2.0
 Requires: rubygem(rails-dom-testing) >= 2.0
 Requires: rubygem(rails-dom-testing) < 3
 BuildRequires: ruby(release)
 BuildRequires: ruby >= 2.5.0
 BuildRequires: rubygems-devel
 BuildArch: noarch
 Provides: rubygem(%{gem_name}) = %{version}
 Obsoletes: tfm-ror52-rubygem-%{gem_name} <= 5.2.1
 %description
 Simple, battle-tested conventions and helpers for building web pages.
-%package doc
+%package	doc
-Summary: Documentation for %{pkg_name}
+Summary:	Documentation for %{name}
-Group: Documentation
+Requires:	%{name} = %{version}-%{release}
-Requires: %{pkg_name} = %{version}-%{release}
+BuildArch:	noarch
 BuildArch: noarch
-%description doc
+%description	doc
-Documentation for %{pkg_name}.
+Documentation for %{name}.
 %prep
-gem unpack %{SOURCE0}
+%setup -q -n %{gem_name}-%{version} -b1 -b2
-
+%patch3000 -p1
 %setup -q -D -T -n  %{gem_name}-%{version}
 gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
 %build
-gem build %{gem_name}.gemspec
+gem build ../%{gem_name}-%{version}.gemspec
 %gem_install
 %install
 mkdir -p %{buildroot}%{gem_dir}
-cp -a .%{gem_dir}/* \
+cp -pa .%{gem_dir}/* \
        %{buildroot}%{gem_dir}/
 %if %{without bootstrap}
 %check
 ln -s %{gem_dir}/gems/activerecord-%{version}/ .%{gem_dir}/gems/activerecord
 pushd .%{gem_instdir}
-tar xzvf %{SOURCE1} -C .
+ln -s %{_builddir}/tools ..
-cd rails-%{version}/%{gem_name}
+mv %{_builddir}/test .
-for t in {actionpack,activerecord,template}; do
+
-  ruby -Ilib:test -e "Dir.glob('./test/$t/**/*_test.rb')"
+mv test/activerecord/controller_runtime_test.rb{,.disable}
-done
+
 find test -type f -name '*_test.rb' -print0 | \
  sort -z | \
  xargs -0 -n1 -i sh -c "echo '* Test file: {}'; ruby -Itest -- '{}' || exit 255"
 popd
 %endif
 %files
 %dir %{gem_instdir}
 %license %{gem_instdir}/MIT-LICENSE
 %{gem_libdir}
 %exclude %{gem_cache}
 %{gem_spec}
 %license %{gem_instdir}/MIT-LICENSE
 %files doc
 %doc %{gem_docdir}
 %doc %{gem_instdir}/CHANGELOG.md
 %doc %{gem_instdir}/README.rdoc
 %doc %{gem_instdir}/CHANGELOG.md
 %changelog
 * Tue Jun 25 2024 wangkai <13474090681@163.com> - 6.1.4.1-2
 - Fix CVE-2023-23913
 * Mon May 02 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1
 - Upgrade to 6.1.4.1
 * Wed Aug 04 2021 wangyue <wangyue92@huawei.com> - 5.2.4.4-2
 - revert to 5.2.4.4
 * Fri Jun 25 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 6.0.3.4-2
 - Add code testing
 * Mon Jun 07 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 6.0.3.4-1
 - Update to 6.0.3.4
-* Mon Feb  8 2021sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
+* Mon Feb 8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
 - Upgrade to 5.2.4.4
 * Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1
--- a/v6.0.3.4.tar.gz
+++ b/v6.0.3.4.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	0e5ca21301	!22 Fix CVE-2023-23913 From: @wk333 Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2024-06-25 08:40:54 +00:00
wk333	0d9523c284	Fix CVE-2023-23913	2024-06-25 16:00:49 +08:00
openeuler-ci-bot	7e5eaacfad	!16 【轻量级 PR】：fix bogus date From: @zhangshaoning_uniontech Reviewed-by: @shinwell_hu Signed-off-by: @shinwell_hu	2022-06-20 01:55:03 +00:00
zhangshaoning	05a2135124	fix bogus date	2022-06-17 06:20:21 +00:00
openeuler-ci-bot	5cf85d5dad	!14 [sync] PR-13: update changelog date From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git	2022-06-09 09:30:10 +00:00
tanyulong2021	03e6badc55	update changelog date (cherry picked from commit 744699b7072d224828d05cb82dc5ad46ca141c33)	2022-06-09 13:48:15 +08:00
openeuler-ci-bot	3a6b02b236	!10 Upgrade to 6.1.4.1 From: @kerongw Reviewed-by: @small_leek Signed-off-by: @small_leek	2022-03-04 10:17:07 +00:00
wangkerong	0969189a63	Upgrade to 6.1.4.1	2022-03-02 20:08:50 +08:00
openeuler-ci-bot	d8ed297f23	!9 revert to 5.2.4.4 From: @wang_yue111 Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-08-04 06:47:55 +00:00
wang_yue111	d95a74527d	revert to 5.2.4.4	2021-08-04 10:41:03 +08:00