packages/rubygem-actionview
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-23913

Browse Source
This commit is contained in:
wk333 2024-06-25 15:26:34 +08:00
parent 0d7f678c1e
commit fac5d1330d
2 changed files with 138 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
CVE-2023-23913.patch Normal file
View File

@ -0,0 +1,132 @@
Refer:
https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Mon, 16 Jan 2023 09:43:54 -0500
Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
contenteditable
There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to occur
when pasting malicious HTML content from the clipboard that includes
a data-method, data-disable-with or data-remote attribute.
[CVE-2023-23913]
---
lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
index 34e78aa..89450be 100644
--- a/lib/assets/compiled/rails-ujs.js
+++ b/lib/assets/compiled/rails-ujs.js
@@ -73,6 +73,22 @@ Released under the MIT license
return element[expando][key] = value;
};
+ Rails.isContentEditable = function(element) {
+ var isEditable;
+ isEditable = false;
+ while (true) {
+ if (element.isContentEditable) {
+ isEditable = true;
+ break;
+ }
+ element = element.parentElement;
+ if (!element) {
+ break;
+ }
+ }
+ return isEditable;
+ };
+
Rails.$ = function(selector) {
return Array.prototype.slice.call(document.querySelectorAll(selector));
};
@@ -388,9 +404,9 @@ Released under the MIT license
}).call(this);
(function() {
- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, matches, setData, stopEverything;
+ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, matches, setData, stopEverything;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
Rails.handleDisabledElement = function(e) {
var element;
@@ -403,6 +419,9 @@ Released under the MIT license
Rails.enableElement = function(e) {
var element;
element = e instanceof Event ? e.target : e;
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return enableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -415,6 +434,9 @@ Released under the MIT license
Rails.disableElement = function(e) {
var element;
element = e instanceof Event ? e.target : e;
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return disableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -487,10 +509,12 @@ Released under the MIT license
}).call(this);
(function() {
- var stopEverything;
+ var isContentEditable, stopEverything;
stopEverything = Rails.stopEverything;
+ isContentEditable = Rails.isContentEditable;
+
Rails.handleMethod = function(e) {
var csrfParam, csrfToken, form, formContent, href, link, method;
link = this;
@@ -498,6 +522,9 @@ Released under the MIT license
if (!method) {
return;
}
+ if (isContentEditable(this)) {
+ return;
+ }
href = Rails.href(link);
csrfToken = Rails.csrfToken();
csrfParam = Rails.csrfParam();
@@ -519,10 +546,10 @@ Released under the MIT license
}).call(this);
(function() {
- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
slice = [].slice;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
isRemote = function(element) {
var value;
@@ -540,6 +567,10 @@ Released under the MIT license
fire(element, 'ajax:stopped');
return false;
}
+ if (isContentEditable(element)) {
+ fire(element, 'ajax:stopped');
+ return false;
+ }
withCredentials = element.getAttribute('data-with-credentials');
dataType = element.getAttribute('data-type') || 'script';
if (matches(element, Rails.formSubmitSelector)) {
--
2.33.0

7
rubygem-actionview.spec
View File

@ -3,13 +3,14 @@
%global bootstrap 1 %global bootstrap 1
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 5.2.4.4 Version: 5.2.4.4
Release: 1 Release: 2
Summary: Rendering framework putting the V in MVC (part of Rails) Summary: Rendering framework putting the V in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
Patch0: rubygem-actionview-5.1.2-Prevent-negative-IDs-in-output-of-inspect.patch Patch0: rubygem-actionview-5.1.2-Prevent-negative-IDs-in-output-of-inspect.patch
Patch3000: CVE-2023-23913.patch
BuildRequires: ruby(release) rubygems-devel BuildRequires: ruby(release) rubygems-devel
%if ! 0%{?bootstrap} %if ! 0%{?bootstrap}
BuildRequires: rubygem(activesupport) = %{version} rubygem(activerecord) = %{version} BuildRequires: rubygem(activesupport) = %{version} rubygem(activerecord) = %{version}
@ -32,6 +33,7 @@ Documentation for %{name}.
%gem_install -n %{SOURCE0} %gem_install -n %{SOURCE0}
pushd .%{gem_instdir} pushd .%{gem_instdir}
%patch0 -p2 %patch0 -p2
%patch3000 -p1
popd popd
%build %build
@ -66,6 +68,9 @@ popd
%doc %{gem_instdir}/CHANGELOG.md %doc %{gem_instdir}/CHANGELOG.md
%changelog %changelog
* Tue Jun 25 2024 wangkai <13474090681@163.com> - 5.2.4.4-2
- Fix CVE-2023-23913
* Mon Feb 8 2021sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1 * Mon Feb 8 2021sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
- Upgrade to 5.2.4.4 - Upgrade to 5.2.4.4