!17 [sync] PR-12: Fix CVE-2024-27285

From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2024-02-29 06:18:58 +00:00 · 2024-02-29 06:18:58 +00:00 · 5909b71d37
commit 5909b71d37
parent 6193177543 48485fddda
2 changed files with 34 additions and 1 deletions
--- a/CVE-2024-27285.patch
+++ b/CVE-2024-27285.patch
@ -0,0 +1,27 @@
+From d78fc393d603c4fc35975969296ed381146a29d4 Mon Sep 17 00:00:00 2001
+From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
+Date: Wed, 28 Feb 2024 12:57:39 -0500
+Subject: [PATCH] Update frames.erb
+
+---
+ templates/default/fulldoc/html/frames.erb | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/templates/default/fulldoc/html/frames.erb b/templates/default/fulldoc/html/frames.erb
+index e803bcd6c..994aee97e 100644
+--- a/templates/default/fulldoc/html/frames.erb
+++ b/templates/default/fulldoc/html/frames.erb
+@@ -5,10 +5,10 @@
+ 	<title><%= options.title %></title>
+ </head>
+ <script type="text/javascript">
+-  var match = unescape(window.location.hash).match(/^#!(.+)/);
+  var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
+   var name = match ? match[1] : '<%= url_for_main %>';
+-  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
+-  window.top.location = name;
+  name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
+  window.top.location.replace(name)
+ </script>
+ <noscript>
+   <h1>Oops!</h1>
--- a/rubygem-yard.spec
+++ b/rubygem-yard.spec
@ -1,12 +1,14 @@
 %global gem_name yard
 Name:                rubygem-%{gem_name}
 Version:             0.9.26
-Release:             2
+Release:             3
 Summary:             Documentation tool for consistent and usable documentation in Ruby
 License:             MIT and (BSD or Ruby)
 URL:                 http://yardoc.org
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             %{gem_name}-%{version}-spec.txz
+# https://github.com/lsegal/yard/commit/d78fc393d603c4fc35975969296ed381146a29d4
+Patch0:              CVE-2024-27285.patch

 BuildRequires:       ruby(release) rubygems-devel ruby rubygem(RedCloth) rubygem(asciidoctor) rubygem(bundler)
 BuildRequires:       rubygem(rspec) rubygem(redcarpet) rubygem(rack) rubygem(webrick)
@ -26,6 +28,7 @@ Documentation for %{name}.

 %prep
 %setup -q -n  %{gem_name}-%{version} -b1
+%patch0 -p1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -82,6 +85,9 @@ popd
 %{gem_instdir}/%{gem_name}.gemspec

 %changelog
+* Thu Feb 29 2024 yaoxin <yao_xin001@hoperun.com> - 0.9.26-3
+- Fix CVE-2024-27285
+
 * Sat Jan 22 2022 liyanan <liyanan32@huawei.com> - 0.9.26-2
 - Fix build error for Ruby 3