From d6ff67fde2e4b48e83f3ec17714740d133c90b6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Tue, 26 Feb 2013 18:44:49 +0100
Subject: [PATCH 1/3] fix XSS vulnerability in conversations#new, closes #4010

---
 Changelog.md | 4 ++++
 app/views/conversations/new.haml | 2 +-
 config/defaults.yml | 2 +-
 spec/controllers/conversations_controller_spec.rb | 8 ++++++++
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 26c1b2c6a..6c4640a11 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.0.3.2
+
+* Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
+
 # 0.0.3.1
 
 * exec foreman in ./script/server to replace the process so that we can Ctrl+C it again.
diff --git a/app/views/conversations/new.haml b/app/views/conversations/new.haml
index afab424df..484534866 100644
--- a/app/views/conversations/new.haml
+++ b/app/views/conversations/new.haml
@@ -20,7 +20,7 @@
 keyDelay: 0,
 startText: '',
 emptyText: '#{t('no_results')}',
- preFill: [{name : "#{params[:name]}",
+ preFill: [{name : "#{h params[:name]}",
 value : "#{@contact_ids}"}]
 });
 autocompleteInput.focus();
diff --git a/config/defaults.yml b/config/defaults.yml
index 5bb2bb70f..e2afeb29f 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@ defaults:
 version:
- number: "0.0.3.1"
+ number: "0.0.3.2"
 heroku: false
 environment:
 url: "http://localhost:3000/"
diff --git a/spec/controllers/conversations_controller_spec.rb b/spec/controllers/conversations_controller_spec.rb
index a0963bcf8..60e3bf739 100644
--- a/spec/controllers/conversations_controller_spec.rb
+++ b/spec/controllers/conversations_controller_spec.rb
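Review bot: `h` on the new `preFill` line escapes for an HTML context, but the interpolation sits inside a JavaScript string literal (presumably a `:javascript` filter, whose start is outside the hunk), where the metacharacters that matter are the backslash, the quotes, line terminators and `</script>`; `h` neutralises the quote and `<` but leaves backslashes and newlines untouched, so a value containing them can still break the string literal and at minimum yields a syntax error in the rendered page. The escaping should match the context: `preFill: [{name : "#{j params[:name]}",` (`escape_javascript`, which also handles `</`), or, more robustly, emit the whole `preFill` array with `to_json` so no per-value hand escaping is needed. `@contact_ids` on the next line is interpolated unescaped; it appears to be server-generated (ids joined with `,`, per the spec context), so it is probably safe, but the `to_json` approach would cover it for free.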
@@ -33,6 +33,14 @@ describe ConversationsController do
 get :new, :aspect_id => alice.aspects.first.id
 assigns(:contact_ids).should == alice.aspects.first.contacts.map(&:id).join(',')
 end
+
+ it "does not allow XSS via the name parameter" do
+ ["",
+ '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+ get :new, name: xss
+ response.body.should_not include xss
+ end
+ end
 end
 
 describe '#index' do

From 57669017bdff1c6154fee434698107ca6331179c Mon Sep 17 00:00:00 2001
From: Alexander Wenzowski
Date: Thu, 28 Feb 2013 19:05:39 -0500
Subject: [PATCH 2/3] bundler should communicate with rubygems using ssl

---
 Gemfile | 2 +-
 Gemfile.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Gemfile b/Gemfile
index c651c9c95..4a641952d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,4 +1,4 @@
-source 'http://rubygems.org'
+source 'https://rubygems.org'
 
 gem 'rails', '3.2.12'
 
diff --git a/Gemfile.lock b/Gemfile.lock
index fe94fab4a..06f591857 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,7 +8,7 @@ GIT
 nokogiri (>= 1.3.3)
 
 GEM
- remote: http://rubygems.org/
+ remote: https://rubygems.org/
 specs:
 actionmailer (3.2.12)
 actionpack (= 3.2.12)

From c7283c60a177b6c60586d5f6d366de288c0b3491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Mon, 11 Mar 2013 21:23:28 +0100
Subject: [PATCH 3/3] release 0.0.3.3

---
 Changelog.md | 4 ++++
 config/defaults.yml | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index 6c4640a11..a77c77fc5 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+# 0.0.3.3
+
+* Switch Gemfile source to https to be compatible with bundler 1.3
+
 # 0.0.3.2
 
 * Fix XSS vulnerability in conversations#new [#4010](https://github.com/diaspora/diaspora/issues/4010)
diff --git a/config/defaults.yml b/config/defaults.yml
index e2afeb29f..d36c7024e 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
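Review bot: The first entry of the payload array reads as an empty string `""` here, and since `String#include?("")` is always true, `response.body.should_not include ""` would fail against any body; this is most likely an extraction artifact where a tag-shaped payload was stripped from the page rather than what the commit contains, but it is worth confirming the committed array has a non-empty first element. Separately, asserting only that the raw payload is absent does not show that the escaped value actually reached the page, so a regression that dropped the parameter entirely would still pass; a positive check such as `response.body.should include ERB::Util.html_escape(xss)` (adjusted to whichever escaper the view ends up using) would pin the intended behaviour. The enclosing describe block starts before this hunk.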
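Review bot: The commit message gives no security rationale, and the Changelog entry that lands in patch 3 (`Switch Gemfile source to https to be compatible with bundler 1.3`) presents the change as a compatibility fix rather than what it is — moving gem fetching off plaintext HTTP so packages cannot be altered in transit; a short note to that effect would help operators understand why a Ruby with a stale CA bundle now fails to bundle instead of quietly fetching over HTTP. The `remote:` line in the `Gemfile.lock` hunk below is updated consistently, which is good. Since the lockfile pins versions rather than artifact digests, this change still does not protect against a compromised index or mirror; that is a separate hardening concern and not something this patch needs to solve.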
@@ -4,7 +4,7 @@ defaults:
 version:
- number: "0.0.3.2"
+ number: "0.0.3.3"
 heroku: false
 environment:
 url: "http://localhost:3000/"