File CVE-2018-8048.patch of Package rubygem-loofah.12342
--- loofah-2.0.2/lib/loofah.orig.rb 2018-11-06 10:06:09.775147887 +0100
+++ loofah-2.0.2/lib/loofah.rb 2018-11-06 10:06:22.895069326 +0100
@@ -6,6 +6,7 @@
require 'loofah/elements'
require 'loofah/html5/whitelist'
+require 'loofah/html5/libxml2_workarounds'
require 'loofah/html5/scrub'
require 'loofah/scrubber'
--- /dev/null 2018-10-08 13:41:49.034376627 +0200
+++ loofah-2.0.2/lib/loofah/html5/libxml2_workarounds.rb 2018-11-06 08:56:11.700332872 +0100
@@ -0,0 +1,26 @@
+# coding: utf-8
+require 'set'
+
+module Loofah
+ #
+ # constants related to working around unhelpful libxml2 behavior
+ #
+ # ಠ_ಠ
+ #
+ module LibxmlWorkarounds
+ #
+ # these attributes and qualifying parent tags are determined by the code at:
+ #
+ # https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714
+ #
+ # see comments about CVE-2018-8048 within the tests for more information
+ #
+ BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
+ href
+ action
+ src
+ name
+ ]
+ BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
+ end
+end
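Review bot: Both constants in the new LibxmlWorkarounds module are mutable: the Set on the `BROKEN_ESCAPING_ATTRIBUTES` line and the Hash on the `BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG` line can be added to or altered at runtime by any caller, which would silently widen or narrow which attribute values get rewritten by the scrubber. Since they mirror a fixed list taken from libxml2's HTMLtree.c, they should be frozen at definition, e.g. `BROKEN_ESCAPING_ATTRIBUTES = Set.new(%w[href action src name]).freeze` and `BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}.freeze`. A short comment on the hash saying that a nil lookup means "applies to every element" would also help, since that rule is only visible in scrub.rb's caller.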
--- loofah-2.0.2/lib/loofah/html5/scrub.rb.orig 2019-08-22 08:18:37.360925203 +0200
+++ loofah-2.0.2/lib/loofah/html5/scrub.rb 2019-08-22 08:18:45.220927905 +0200
@@ -54,6 +54,8 @@
node.attribute_nodes.each do |attr_node|
node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
end
+
+ force_correct_attribute_escaping! node
end
def scrub_css_attribute node
@@ -89,6 +91,32 @@
style = clean.join(' ')
end
+ #
+ # libxml2 >= 2.9.2 fails to escape comments within some attributes.
+ #
+ # see comments about CVE-2018-8048 within the tests for more information
+ #
+ def force_correct_attribute_escaping! node
+ return unless Nokogiri::VersionInfo.instance.libxml2?
+
+ node.attribute_nodes.each do |attr_node|
+ next unless LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES.include?(attr_node.name)
+
+ tag_name = LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG[attr_node.name]
+ next unless tag_name.nil? || tag_name == node.name
+
+ #
+ # this block is just like CGI.escape in Ruby 2.4, but
+ # only encodes space and double-quote, to mimic
+ # pre-2.9.2 behavior
+ #
+ encoding = attr_node.value.encoding
+ attr_node.value = attr_node.value.gsub(/[ "]/) do |m|
+ '%' + m.unpack('H2' * m.bytesize).join('%').upcase
+ end.force_encoding(encoding)
+ end
+ end
+
end
end
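Review bot: The guard on the `return unless Nokogiri::VersionInfo.instance.libxml2?` line only checks that the backend is libxml2, while the header comment says the broken escaping exists in libxml2 >= 2.9.2; on an older libxml2 the value is percent-encoded here and, if that release still escapes space and quote on output as the comment suggests, would be encoded a second time. If the installed Nokogiri exposes a loaded-libxml-version accessor, gating on it (e.g. `return unless Nokogiri::VersionInfo.instance.libxml2? && Nokogiri::VersionInfo.instance.loaded_libxml_version >= Gem::Version.new("2.9.2")`) would match the comment; otherwise the comment should state that the rewrite is applied on every libxml2 build. Two smaller points: the version check is re-evaluated for every node even though it is constant for the process, and `attr_node.value = ...` is assigned even when gsub changed nothing, which the per-attribute `next` could skip. The method name carries a `!` without a non-bang counterpart, which the project's style may or may not intend.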
--- loofah-2.0.2/loofah-2.0.2.orig.gemspec 2018-11-26 13:56:18.246596949 +0100
+++ loofah-2.0.2/loofah-2.0.2.gemspec 2018-11-26 13:57:41.894185408 +0100
@@ -60,5 +60,7 @@
s.add_dependency(%q<hoe-git>, [">= 0"])
s.add_dependency(%q<hoe>, ["~> 3.13"])
end
+
+ s.files << 'lib/loofah/html5/libxml2_workarounds.rb'
end