Package: ruby-actionpack-3.2 / 3.2.6-6+deb7u2

Metadata

Package: ruby-actionpack-3.2
Version: 3.2.6-6+deb7u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
CVE 2012 3424.patch

lib/action_controller/metal/http_authentication.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 Do not convert digest auth strings to symbols.
CVE 2012 3463.patch

lib/action_view/helpers/form_tag_helper.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH] Escape select_tag :prompt values


CVE 2012 3465.patch

lib/action_view/helpers/sanitize_helper.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH] Do not mark strip_tags result as html_safe

Thanks to Marek Labos & Nethemba

CVE 2013 0155.patch

lib/action_dispatch/http/request.rb | 10 4 + 6 - 0 !
lib/action_dispatch/middleware/params_parser.rb | 4 2 + 2 - 0 !
2 files changed, 6 insertions(+), 8 deletions(-)

 [PATCH 1/2] * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
 * Dealing with empty hashes. Thanks Damien Mathieu


CVE 2013 1855.patch

lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

---
CVE 2013 1857.patch

lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
CVE 2013 4491.patch

lib/action_view/helpers/translation_helper.rb | 21 8 + 13 - 0 !
1 file changed, 8 insertions(+), 13 deletions(-)

 [PATCH] Stop using i18n's built in HTML error handling.

i18n doesn't depend on Active Support, which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.

Fixes: CVE-2013-4491


CVE 2013 6414.patch

lib/action_view/lookup_context.rb | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [PATCH] Only use valid mime type symbols as cache keys

CVE-2013-6414


CVE 2013 6415.patch

lib/action_view/helpers/number_helper.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH] Escape the unit value provided to number_to_currency

Fixes CVE-2013-6415


CVE 2013 6417.patch

lib/action_dispatch/http/request.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH] Deep munge the parameters for GET and POST

The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.

Fixes CVE-2013-6417


CVE 2013 4389.patch

lib/action_controller/log_subscriber.rb | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 [PATCH] Remove the use of String#% when formatting durations in log
 messages

This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.


CVE 2014 0081.patch

lib/action_view/helpers/number_helper.rb | 14 13 + 1 - 0 !
1 file changed, 13 insertions(+), 1 deletion(-)

 [PATCH] Escape format, negative_format and units options of number
 helpers

Previously the values of these options were trusted leading to
potential XSS vulnerabilities.

Fixes: CVE-2014-0081

CVE 2014 0082.patch

lib/action_view/template/text.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH] Use the reference for the mime type to get the format

Before, we were calling to_sym on the mime type even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082

CVE 2014 0130.patch

lib/abstract_controller/base.rb | 28 25 + 3 - 0 !
1 file changed, 25 insertions(+), 3 deletions(-)

 [PATCH] Only accept actions without File::SEPARATOR in the name.

This will avoid directory traversal in implicit render.

Fixes: CVE-2014-0130