[Frugalware-darcs] frugalware-0.6: actionpack-1.13.2-2terminus1-i686

voroskoi voroskoi at frugalware.org
Tue Jul 10 10:21:45 CEST 2007


Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070710081852-dd049-f82c0e5c3110a5752733f534ccb9129b496668d8.gz;

[actionpack-1.13.2-2terminus1-i686
voroskoi <voroskoi at frugalware.org>**20070710081852
 forgot the patch
] {
addfile ./source/devel-extra/actionpack/CVE-2007-3227.diff
hunk ./source/devel-extra/actionpack/CVE-2007-3227.diff 1
+diff -aur actionpack-1.13.2/lib/action_controller/assertions/selector_assertions.rb fw-actionpack-1.13.2/lib/action_controller/assertions/selector_assertions.rb
+--- actionpack-1.13.2/lib/action_controller/assertions/selector_assertions.rb	2007-07-10 09:05:32.000000000 +0200
++++ fw-actionpack-1.13.2/lib/action_controller/assertions/selector_assertions.rb	2007-07-10 09:11:18.000000000 +0200
+@@ -561,6 +561,8 @@
+           # RJS encodes double quotes and line breaks.
+           unescaped= rjs_string.gsub('\"', '"')
+           unescaped.gsub!('\n', "\n")
++	  unescaped.gsub!('\076', '>')
++	  unescaped.gsub!('\074', '<')
+           # RJS encodes non-ascii characters.
+           unescaped.gsub!(RJS_PATTERN_UNICODE_ESCAPED_CHAR) {|u| [$1.hex].pack('U*')}
+           unescaped
}
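Review bot: CVE-2007-3227.diff, as added here, contains a single hunk, and it only touches the RJS decoding step in selector_assertions.rb, which is a test assertion helper. Nothing in this file changes the code that produces the `\074` / `\076` escapes, so if the package is meant to carry the encoding-side fix for the CVE, that part of the patch is missing or lives elsewhere and should be referenced. Two smaller points on the added lines: they are indented with a tab plus two spaces while the surrounding context uses spaces only, and the comment above them ("RJS encodes double quotes and line breaks.") should be extended to mention the angle-bracket escapes. The single-quoted '\076' and '\074' match the literal four-character sequences, consistent with the existing '\n' line, so the matching itself looks right.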

