Package: ruby-i18n / 0.6.0-3+deb7u1

CVE-2013-4492.patch Patch series | download
Description: fixes CVE-2013-4492, backported for Wheezy
Origin: https://github.com/svenfuchs/i18n/commit/92b57b1e4f84adcdcc3a375278f299274be62445.patch
Author: Christopher Dell <chris@tigrish.com>

diff --git a/lib/i18n/exceptions.rb b/lib/i18n/exceptions.rb
index 2f625a0..e17d432 100644
--- a/lib/i18n/exceptions.rb
+++ b/lib/i18n/exceptions.rb
@@ -1,3 +1,5 @@
+require 'cgi'
+
 module I18n
   # Handles exceptions raised in the backend. All exceptions except for
   # MissingTranslationData exceptions are re-thrown. When a MissingTranslationData
@@ -45,8 +47,9 @@ module I18n
       end
 
       def html_message
-        key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
-        %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
+        key  = CGI.escapeHTML titleize(keys.last)
+        path = CGI.escapeHTML keys.join('.')
+        %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>)
       end
 
       def keys
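Review bot: The `title="translation missing: #{path}"` attribute is only safe because it is double-quoted: `CGI.escapeHTML` on the Ruby 1.9 series (which I believe is what Wheezy ships) escapes `&`, `<`, `>` and `"` but, as far as I recall, leaves `'` untouched, single-quote escaping having arrived in a later Ruby. That invariant is not written down anywhere in the new code, so a later edit switching the attribute to single quotes would silently reopen the issue. I would add above the `%(...)` line `# Both interpolations are escaped with CGI.escapeHTML; keep the title attribute double-quoted, since older CGI.escapeHTML does not escape single quotes.`. The enclosing class body starts and ends outside this hunk.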
@@ -63,6 +66,13 @@ module I18n
       def to_exception
         MissingTranslationData.new(locale, key, options)
       end
+
+      protected
+
+      # TODO : remove when #html_message is removed
+      def titleize(key)
+        key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
+      end
     end
 
     include Base
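Review bot: `titleize` is declared `protected`, yet the only caller visible in this diff is `html_message` on the same receiver, so `private` would state the intent more tightly and keep the helper out of reach of other instances; `protected` only makes sense if a sibling method elsewhere in the file calls it on another object, which I cannot see from here. While the helper is being introduced, the block body `{ $1.capitalize }` could read as `{ Regexp.last_match(1).capitalize }`, which avoids the cryptic global. The enclosing class body starts and ends outside this hunk.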
diff --git a/test/i18n/exceptions_test.rb b/test/i18n/exceptions_test.rb
index fcc50f3..650c844 100644
--- a/test/i18n/exceptions_test.rb
+++ b/test/i18n/exceptions_test.rb
@@ -28,9 +28,13 @@ class I18nExceptionsTest < Test::Unit::TestCase
   end
 
   test "MissingTranslationData html_message is a span with the titlelized last key token" do
-    force_missing_translation_data do |exception|
-      assert_equal '<span class="translation_missing" title="translation missing: de.bar.foo">Foo</span>', exception.html_message
-    end
+    exception = I18n::MissingTranslationData.new(:de, :foo, :scope => :bar)
+    assert_equal '<span class="translation_missing" title="translation missing: de.bar.foo">Foo</span>', exception.html_message
+  end
+
+  test "MissingTranslationData html_message html escapes key names" do
+    exception = I18n::MissingTranslationData.new(:de, '<script>Evil</script>', :scope => '<iframe src="example.com" />')
+    assert_equal '<span class="translation_missing" title="translation missing: de.&lt;iframe src=&quot;example.com&quot; /&gt;.&lt;script&gt;Evil&lt;/script&gt;">&lt;Script&gt;Evil&lt;/Script&gt;</span>', exception.html_message
   end
 
   test "ExceptionHandler returns the html_message if :rescue_format => :html was given" do
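Review bot: The new escaping test at the `"MissingTranslationData html_message html escapes key names"` case covers `<`, `>` and `"` but not `&`, so a regression that escaped the angle brackets while leaving ampersands alone, or that escaped the value twice, would pass unnoticed. A second constructed input such as `I18n::MissingTranslationData.new(:de, 'a&b')` would pin this down; given the `titleize` helper, the expected output should be `'<span class="translation_missing" title="translation missing: de.a&amp;b">A&amp;B</span>'` (the `B` because `\b` matches between `&` and `b`). The test class starts outside this hunk.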