From 2e3c3a87d81e16a2fed442c1cf31360f75737a83 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Sat, 30 Nov 2013 17:02:53 -0800 Subject: [PATCH 1/5] Only use valid mime type symbols as cache keys CVE-2013-6414 --- actionview/lib/action_view/lookup_context.rb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/actionview/lib/action_view/lookup_context.rb b/actionview/lib/action_view/lookup_context.rb index f9d5b97fe3..c6ff683827 100644 --- a/actionview/lib/action_view/lookup_context.rb +++ b/actionview/lib/action_view/lookup_context.rb @@ -62,6 +62,13 @@ module ActionView @details_keys = ThreadSafe::Cache.new def self.get(details) + if details[:formats] + details = details.dup + syms = Set.new Mime::SET.symbols + details[:formats] = details[:formats].select { |v| + syms.include? v + } + end @details_keys[details] ||= new end From b31a7a6f1ec3c74f75b4cd12386b08295287418d Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Mon, 2 Dec 2013 10:12:47 +1300 Subject: [PATCH 2/5] Escape the unit value provided to number_to_currency Previously the unit values were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2013-6415 --- actionview/lib/action_view/helpers/number_helper.rb | 1 + actionview/test/template/number_helper_test.rb | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/actionview/lib/action_view/helpers/number_helper.rb b/actionview/lib/action_view/helpers/number_helper.rb index 9adc2c1a8f..13387078a4 100644 --- a/actionview/lib/action_view/helpers/number_helper.rb +++ b/actionview/lib/action_view/helpers/number_helper.rb @@ -394,6 +394,7 @@ module ActionView def escape_unsafe_delimiters_and_separators(options) options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe? options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe? + options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe? options end diff --git a/actionview/test/template/number_helper_test.rb b/actionview/test/template/number_helper_test.rb index 6e640889d2..be336ea3fb 100644 --- a/actionview/test/template/number_helper_test.rb +++ b/actionview/test/template/number_helper_test.rb @@ -14,7 +14,8 @@ class NumberHelperTest < ActionView::TestCase assert_equal nil, number_to_currency(nil) assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50) assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0) - assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: "Kč", format: "%n %u", negative_format: "%n - %u") + assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: raw("Kč"), format: "%n %u", negative_format: "%n - %u") + assert_equal "&pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "£") end def test_number_to_percentage From bea9c9b4c0f9bb7356ea2058118fe40495432010 Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Tue, 19 Nov 2013 09:00:08 +1300 Subject: [PATCH 3/5] Ensure simple_format escapes its html attributes The previous behavior equated the sanitize option for simple_format with the escape option of content_tag, however these are two distinct concepts. This fixes CVE-2013-6416 Conflicts: actionview/lib/action_view/helpers/text_helper.rb --- actionview/lib/action_view/helpers/text_helper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actionview/lib/action_view/helpers/text_helper.rb b/actionview/lib/action_view/helpers/text_helper.rb index b0e4aa3cd3..0c956670b6 100644 --- a/actionview/lib/action_view/helpers/text_helper.rb +++ b/actionview/lib/action_view/helpers/text_helper.rb @@ -268,7 +268,7 @@ module ActionView content_tag(wrapper_tag, nil, html_options) else paragraphs.map! { |paragraph| - content_tag(wrapper_tag, paragraph, html_options, false) + content_tag(wrapper_tag, raw(paragraph), html_options, false) }.join("\n\n").html_safe end end From 0c7ac34aed1845044cd1911e5a775366d7ca41c1 Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Fri, 1 Nov 2013 11:50:05 +1300 Subject: [PATCH 4/5] Stop using i18n's built in HTML error handling. i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves. Fixes: CVE-2013-4491 --- .../action_view/helpers/translation_helper.rb | 22 ++++++++----------- .../test/template/translation_helper_test.rb | 2 +- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/actionview/lib/action_view/helpers/translation_helper.rb b/actionview/lib/action_view/helpers/translation_helper.rb index ad8eb47f1f..a1a2bebb6e 100644 --- a/actionview/lib/action_view/helpers/translation_helper.rb +++ b/actionview/lib/action_view/helpers/translation_helper.rb @@ -1,24 +1,14 @@ require 'action_view/helpers/tag_helper' require 'i18n/exceptions' -module I18n - class ExceptionHandler - include Module.new { - def call(exception, locale, key, options) - exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super - end - } - end -end - module ActionView # = Action View Translation Helpers module Helpers module TranslationHelper # Delegates to I18n#translate but also performs three additional functions. # - # First, it'll pass the rescue_format: :html option to I18n so that any - # thrown +MissingTranslation+ messages will be turned into inline spans that + # First, it will ensure that any thrown +MissingTranslation+ messages will be turned + # into inline spans that: # # * have a "translation-missing" class set, # * contain the missing key as a title attribute and @@ -44,8 +34,11 @@ module ActionView # naming convention helps to identify translations that include HTML tags so that # you know what kind of output to expect when you call translate in a template. def translate(key, options = {}) - options.merge!(:rescue_format => :html) unless options.key?(:rescue_format) options[:default] = wrap_translate_defaults(options[:default]) if options[:default] + + # If the user has specified rescue_format then pass it all through, otherwise use + # raise and do the work ourselves + options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format) if html_safe_translation_key?(key) html_safe_options = options.dup options.except(*I18n::RESERVED_KEYS).each do |name, value| @@ -59,6 +52,9 @@ module ActionView else I18n.translate(scope_key_by_partial(key), options) end + rescue I18n::MissingTranslationData => e + keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope]) + content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}") end alias :t :translate diff --git a/actionview/test/template/translation_helper_test.rb b/actionview/test/template/translation_helper_test.rb index d496dbb35e..0dfe47f5f4 100644 --- a/actionview/test/template/translation_helper_test.rb +++ b/actionview/test/template/translation_helper_test.rb @@ -31,7 +31,7 @@ class TranslationHelperTest < ActiveSupport::TestCase end def test_delegates_to_i18n_setting_the_rescue_format_option_to_html - I18n.expects(:translate).with(:foo, :locale => 'en', :rescue_format => :html).returns("") + I18n.expects(:translate).with(:foo, :locale => 'en', :raise=>true).returns("") translate :foo, :locale => 'en' end From 4e9dd5378bd5bfaa095a96068c7d1b7c4f47e1b0 Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Sat, 30 Nov 2013 16:45:23 +1300 Subject: [PATCH 5/5] Deep Munge the parameters for GET and POST The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed. Fixes CVE-2013-6417 --- actionpack/lib/action_dispatch/http/request.rb | 4 ++-- .../dispatch/request/query_string_parsing_test.rb | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index 99b81c898f..071ff0b63e 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb @@ -271,7 +271,7 @@ module ActionDispatch # Override Rack's GET method to support indifferent access def GET - @env["action_dispatch.request.query_parameters"] ||= (normalize_encode_params(super) || {}) + @env["action_dispatch.request.query_parameters"] ||= deep_munge((normalize_encode_params(super) || {})) rescue TypeError => e raise ActionController::BadRequest.new(:query, e) end @@ -279,7 +279,7 @@ module ActionDispatch # Override Rack's POST method to support indifferent access def POST - @env["action_dispatch.request.request_parameters"] ||= (normalize_encode_params(super) || {}) + @env["action_dispatch.request.request_parameters"] ||= deep_munge((normalize_encode_params(super) || {})) rescue TypeError => e raise ActionController::BadRequest.new(:request, e) end diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb index f072a9f717..0ad0dbc958 100644 --- a/actionpack/test/dispatch/request/query_string_parsing_test.rb +++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb @@ -11,6 +11,17 @@ class QueryStringParsingTest < ActionDispatch::IntegrationTest head :ok end end + class EarlyParse + def initialize(app) + @app = app + end + + def call(env) + # Trigger a Rack parse so that env caches the query params + Rack::Request.new(env).params + @app.call(env) + end + end def teardown TestController.last_query_parameters = nil @@ -131,6 +142,10 @@ class QueryStringParsingTest < ActionDispatch::IntegrationTest set.draw do get ':action', :to => ::QueryStringParsingTest::TestController end + @app = self.class.build_app(set) do |middleware| + middleware.use(EarlyParse) + end + get "/parse", actual assert_response :ok