From 0075f36acc933f4ceee95be725e37bfbbd3bf01c Mon Sep 17 00:00:00 2001
From: Charlie Somerville <charlie@charliesomerville.com>
Date: Wed, 13 Feb 2013 09:09:53 +1100
Subject: [PATCH] fix incorrect ^$ usage leading to XSS in sanitize_css
[CVE-2013-1855]
---
.../lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index dceddb9..6cf4d27 100644
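--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -109,8 +109,8 @@ def sanitize_css(style)
 style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
 
 # gauntlet
- if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+ if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
 return ''
 end
 
@@ -121,7 +121,7 @@ def sanitize_css(style)
 elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
 unless val.split().any? do |keyword|
 !allowed_css_keywords.include?(keyword) &&
- keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+ keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
 end
 clean << prop + ': ' + val + ';'
 end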
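Review bot: The `$` left inside `(;|$)` in the second gauntlet regex, `style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/`, is still a line-end assertion after the outer anchors were tightened, so it is now the one place in the first hunk where an embedded newline can stand in for a `;` as a declaration terminator (the trailing `\s*` then consumes the newline). That may well be intended, since the first gauntlet's `\s` class admits newlines anyway, but it is the same anchor class this commit is removing and a reader will ask whether it was overlooked. A comment at that line, e.g. `# $ is deliberate here: an embedded newline may end a declaration in place of ';'`, would settle the question; replacing it with `\z` is a behaviour change for newline-separated declarations and should be weighed against the per-declaration parsing that follows, which is outside this hunk. The same fix is applied to the keyword regex in the second hunk. `sanitize_css` begins and ends outside the hunks.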
--
1.8.1.5