Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
rubygem-loofah.12342
CVE-2018-8048.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-8048.patch of Package rubygem-loofah.12342
--- loofah-2.0.2/lib/loofah.orig.rb 2018-11-06 10:06:09.775147887 +0100 +++ loofah-2.0.2/lib/loofah.rb 2018-11-06 10:06:22.895069326 +0100 @@ -6,6 +6,7 @@ require 'loofah/elements' require 'loofah/html5/whitelist' +require 'loofah/html5/libxml2_workarounds' require 'loofah/html5/scrub' require 'loofah/scrubber' --- /dev/null 2018-10-08 13:41:49.034376627 +0200 +++ loofah-2.0.2/lib/loofah/html5/libxml2_workarounds.rb 2018-11-06 08:56:11.700332872 +0100 @@ -0,0 +1,26 @@ +# coding: utf-8 +require 'set' + +module Loofah + # + # constants related to working around unhelpful libxml2 behavior + # + # ಠ_ಠ + # + module LibxmlWorkarounds + # + # these attributes and qualifying parent tags are determined by the code at: + # + # https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714 + # + # see comments about CVE-2018-8048 within the tests for more information + # + BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[ + href + action + src + name + ] + BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"} + end +end --- loofah-2.0.2/lib/loofah/html5/scrub.rb.orig 2019-08-22 08:18:37.360925203 +0200 +++ loofah-2.0.2/lib/loofah/html5/scrub.rb 2019-08-22 08:18:45.220927905 +0200 @@ -54,6 +54,8 @@ node.attribute_nodes.each do |attr_node| node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/ end + + force_correct_attribute_escaping! node end def scrub_css_attribute node @@ -89,6 +91,32 @@ style = clean.join(' ') end + # + # libxml2 >= 2.9.2 fails to escape comments within some attributes. + # + # see comments about CVE-2018-8048 within the tests for more information + # + def force_correct_attribute_escaping! node + return unless Nokogiri::VersionInfo.instance.libxml2? + + node.attribute_nodes.each do |attr_node| + next unless LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES.include?(attr_node.name) + + tag_name = LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG[attr_node.name] + next unless tag_name.nil? || tag_name == node.name + + # + # this block is just like CGI.escape in Ruby 2.4, but + # only encodes space and double-quote, to mimic + # pre-2.9.2 behavior + # + encoding = attr_node.value.encoding + attr_node.value = attr_node.value.gsub(/[ "]/) do |m| + '%' + m.unpack('H2' * m.bytesize).join('%').upcase + end.force_encoding(encoding) + end + end + end end --- loofah-2.0.2/loofah-2.0.2.orig.gemspec 2018-11-26 13:56:18.246596949 +0100 +++ loofah-2.0.2/loofah-2.0.2.gemspec 2018-11-26 13:57:41.894185408 +0100 @@ -60,5 +60,7 @@ s.add_dependency(%q<hoe-git>, [">= 0"]) s.add_dependency(%q<hoe>, ["~> 3.13"]) end + + s.files << 'lib/loofah/html5/libxml2_workarounds.rb' end
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor