Fix XSS vulnerabilities in Rails (CVE-2012-3464, CVE-2012-3465) #1113 #1114

This commit is contained in:
Holger Just 2013-01-06 20:15:05 +01:00
parent 6d87b8b297
commit 6ece1687de
1 changed files with 64 additions and 0 deletions

View File

@ -326,3 +326,67 @@ module ActiveRecord
end
end
end
# Backported fix for CVE-2012-3465
# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
# TODO: Remove this once we are on Rails >= 3.2.8
require 'action_view/helpers/sanitize_helper'
module ActionView::Helpers::SanitizeHelper
def strip_tags(html)
self.class.full_sanitizer.sanitize(html)
end
end
# Backported fix for CVE-2012-3464
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
# TODO: Remove this once we are on Rails >= 3.2.8
require 'active_support/core_ext/string/output_safety'
class ERB
module Util
HTML_ESCAPE["'"] = '''
if RUBY_VERSION >= '1.9'
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
#
# In your ERB templates, use this method to escape any unsafe content. For example:
# <%=h @person.name %>
#
# ==== Example:
# puts html_escape("is a > 0 & a < 10?")
# # => is a &gt; 0 &amp; a &lt; 10?
def html_escape(s)
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
end
end
else
def html_escape(s) #:nodoc:
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
end
end
end
# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
remove_method(:h)
alias h html_escape
module_function :h
singleton_class.send(:remove_method, :html_escape)
module_function :html_escape
end
end
require 'action_view/helpers/tag_helper'
module ActionView::Helpers::TagHelper
def escape_once(html)
ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
end
end