Package: rails / 2:4.1.8-1+deb8u4

CVE-2016-6316.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
From: Andrew Carpenter <andrew@criticaljuncture.org>
Date: Thu, 28 Jul 2016 16:12:21 -0700
Subject: ensure tag/content_tag escapes " in attribute vals

Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`

CVE-2016-6316

Author: Andrew Carpenter <andrew@criticaljuncture.org>
Backported-by: Antonio Terceiro <terceiro@debian.org>
---
 actionview/lib/action_view/helpers/tag_helper.rb |  2 +-
 actionview/test/template/tag_helper_test.rb      | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

--- a/actionview/lib/action_view/helpers/tag_helper.rb
+++ b/actionview/lib/action_view/helpers/tag_helper.rb
@@ -169,7 +169,7 @@ module ActionView
         def tag_option(key, value, escape)
           value = value.join(" ") if value.is_a?(Array)
           value = ERB::Util.h(value) if escape
-          %(#{key}="#{value}")
+          %(#{key}="#{value.to_s.gsub(/"/, '&quot;'.freeze)}")
         end
     end
   end
--- a/actionview/test/template/tag_helper_test.rb
+++ b/actionview/test/template/tag_helper_test.rb
@@ -116,6 +116,16 @@ class TagHelperTest < ActionView::TestCa
     end
   end
 
+  def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p title="&quot;">content</p>',
+      content_tag('p', "content", title: '"'.html_safe)
+  end
+
+  def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p data-title="&quot;">content</p>',
+      content_tag('p', "content", data: { title: '"'.html_safe })
+  end
+
   def test_skip_invalid_escaped_attributes
     ['&1;', '&#1dfa3;', '& #123;'].each do |escaped|
       assert_equal %(<a href="#{escaped.gsub(/&/, '&amp;')}" />), tag('a', :href => escaped)