Diffstat (limited to 'devel/ruby-activesupport3')
-rw-r--r-- | devel/ruby-activesupport3/Makefile | 3 | ||||
-rw-r--r-- | devel/ruby-activesupport3/distinfo | 3 | ||||
-rw-r--r-- | devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb | 93 |
3 files changed, 97 insertions, 2 deletions
diff --git a/devel/ruby-activesupport3/Makefile b/devel/ruby-activesupport3/Makefile
index b3a95d37968..13328097af4 100644
--- a/devel/ruby-activesupport3/Makefile
+++ b/devel/ruby-activesupport3/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.5 2011/12/13 15:53:37 taca Exp $
+# $NetBSD: Makefile,v 1.5.2.1 2012/03/05 23:28:39 tron Exp $
 DISTNAME= activesupport-${RUBY_RAILS_VERSION}
+PKGREVISION= 1
 CATEGORIES= devel
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/devel/ruby-activesupport3/distinfo b/devel/ruby-activesupport3/distinfo
index a44a799eb6a..59c3926e265 100644
--- a/devel/ruby-activesupport3/distinfo
+++ b/devel/ruby-activesupport3/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.10 2011/11/19 15:32:34 taca Exp $
+$NetBSD: distinfo,v 1.10.2.1 2012/03/05 23:28:39 tron Exp $
 SHA1 (activesupport-3.0.11.gem) = 45fd29d5663d4bf90c8695d04aaead2023525789
 RMD160 (activesupport-3.0.11.gem) = cb66549165f8b6d57e8cf3883559c6884d92bf7d
 Size (activesupport-3.0.11.gem) = 304640 bytes
+SHA1 (patch-lib_active__support_core__ext_string_output__safety.rb) = 655215cb063e589d922d0efdb48d5884dafe396a
diff --git a/devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb b/devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb
new file mode 100644
index 00000000000..8a0392a8802
--- /dev/null
+++ b/devel/ruby-activesupport3/patches/patch-lib_active__support_core__ext_string_output__safety.rb
@@ -0,0 +1,93 @@
+$NetBSD: patch-lib_active__support_core__ext_string_output__safety.rb,v 1.1.2.2 2012/03/05 23:28:40 tron Exp $
+
+Fix for CVE-2012-1099.
+
+--- lib/active_support/core_ext/string/output_safety.rb.orig 2012-03-03 03:54:59.000000000 +0000
++++ lib/active_support/core_ext/string/output_safety.rb
+@@ -85,23 +85,41 @@ module ActiveSupport #:nodoc:
+ end
+ end
++ def [](*args)
++ return super if args.size < 2
++
++ if html_safe?
++ new_safe_buffer = super
++ new_safe_buffer.instance_eval { @html_safe = true }
++ new_safe_buffer
++ else
++ to_str[*args]
++ end
++ end
++
+ def safe_concat(value)
+- raise SafeConcatError if dirty?
++ raise SafeConcatError unless html_safe?
+ original_concat(value)
+ end
+
+ def initialize(*)
+- @dirty = false
++ @html_safe = true
+ super
+ end
+
+ def initialize_copy(other)
+ super
+- @dirty = other.dirty?
++ @html_safe = other.html_safe?
++ end
++
++ def clone_empty
++ new_safe_buffer = self[0, 0]
++ new_safe_buffer.instance_variable_set(:@dirty, @dirty)
++ new_safe_buffer
+ end
+
+ def concat(value)
+- if dirty? || value.html_safe?
++ if !html_safe? || value.html_safe?
+ super(value)
+ else
+ super(ERB::Util.h(value))
+@@ -114,7 +132,7 @@ module ActiveSupport #:nodoc:
+ end
+
+ def html_safe?
+- !dirty?
++ defined?(@html_safe) && @html_safe
+ end
+
+ def to_s
+@@ -132,23 +150,17 @@ module ActiveSupport #:nodoc:
+ for unsafe_method in UNSAFE_STRING_METHODS
+ if 'String'.respond_to?(unsafe_method)
+ class_eval <<-EOT, __FILE__, __LINE__ + 1
+- def #{unsafe_method}(*args)
+- super.to_str
+- end
+-
+- def #{unsafe_method}!(*args)
+- @dirty = true
+- super
+- end
++ def #{unsafe_method}(*args, &block) # def capitalize(*args, &block)
++ to_str.#{unsafe_method}(*args, &block) # to_str.capitalize(*args, &block)
++ end # end
++
++ def #{unsafe_method}!(*args) # def capitalize!(*args)
++ @html_safe = false # @html_safe = false
++ super # super
++ end # end
+ EOT
+ end
+ end
+-
+- protected
+-
+- def dirty?
+- @dirty
+- end
+ end
+ end
+
|
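Review bot: The new `clone_empty` in the first inner hunk copies `@dirty`, an ivar every other hunk of this patch retires in favour of `@html_safe` (`initialize`, `initialize_copy`, `html_safe?`, the generated bang methods, and the deleted `dirty?`), so `new_safe_buffer.instance_variable_set(:@dirty, @dirty)` stores `nil` under a name nothing reads any more. For a safe buffer `self[0, 0]` already goes through the new `[]`, which flags the copy with `@html_safe = true`, so the line can simply be dropped, or, if the flag is meant to be carried explicitly, replaced by `new_safe_buffer.instance_variable_set(:@html_safe, html_safe?)`. When the buffer is not html_safe, `[]` returns `to_str[*args]`, a plain `String`, so `clone_empty` then hands back a `String` rather than a safe-buffer instance; whether its callers tolerate that is not visible in this patch. The header says "Fix for CVE-2012-1099", but as far as I recall the SafeBuffer slicing fix was announced under CVE-2012-1098, with 1099 covering the select/options helper issue, so the identifier deserves a check before it is cited in the changelog.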