From f4de25452a7dfe7f27b65540b256f721f3a968a7 Mon Sep 17 00:00:00 2001 From: taca Date: Wed, 17 Aug 2011 14:13:31 +0000 Subject: Update ruby-actionpack package to 2.3.14: 2.3.14: Security Fix: 1. The code in Ruby on Rails 2.3 which sets the response content type performs insufficient sanitization of the values provided. This means that applications which let the user provide an arbitrary Content-Type header for the response are vulnerable to response splitting attacks. 2. The strip_tags helper in Ruby on Rails is designed to remove all HTML tags from a string. By using specially crafted values an attacker can confuse the parser and cause HTML tags to be injected into the response. This can be exploited to inject arbitrary javascript into the rendered page. Future releases of Ruby on Rails are likely to replace the current HTML tokenizer with one provided by libxml to reduce the likelihood of errors such as these in the future. In the meantime users can install the loofah gem[1] which should enhance both the performance and reliability of the HTML sanitization helpers. --- www/ruby-actionpack/distinfo | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/www/ruby-actionpack/distinfo b/www/ruby-actionpack/distinfo index 681720251c4..09f3878277c 100644 --- a/www/ruby-actionpack/distinfo +++ b/www/ruby-actionpack/distinfo @@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.23 2011/06/11 03:13:46 taca Exp $ +$NetBSD: distinfo,v 1.24 2011/08/17 14:13:31 taca Exp $ -SHA1 (actionpack-2.3.12.gem) = 1ea563b0dd719e76c9e74ee125a7d2a230ba2683 -RMD160 (actionpack-2.3.12.gem) = 97e0a115eaa65dd9465a8bc8c63bd9052f141c6d -Size (actionpack-2.3.12.gem) = 748544 bytes +SHA1 (actionpack-2.3.14.gem) = d3140bce6e6051e3a5d0b95b1f221bda77122768 +RMD160 (actionpack-2.3.14.gem) = fba269031390c0b502b2905adf76c39ca0a76328 +Size (actionpack-2.3.14.gem) = 749056 bytes SHA1 (patch-ab) = bfba841b0af9d503a71745cc8d992e9d09d94191 -- cgit v1.2.3