pkgsrc-Changes archive
CVS commit: pkgsrc/www/ruby-actionpack
Module Name: pkgsrc
Committed By: taca
Date: Wed Aug 17 14:13:32 UTC 2011
Modified Files:
pkgsrc/www/ruby-actionpack: distinfo
Log Message:
Update ruby-actionpack package to 2.3.14:
2.3.14:
Security Fix:
1. The code in Ruby on Rails 2.3 which sets the response content type
performs insufficient sanitization of the values provided. This
means that applications which let the user provide an arbitrary
Content-Type header for the response are vulnerable to response
splitting attacks.
2. The strip_tags helper in Ruby on Rails is designed to remove all
HTML tags from a string. By using specially crafted values an
attacker can confuse the parser and cause HTML tags to be injected
into the response. This can be exploited to inject arbitrary
JavaScript into the rendered page.
Future releases of Ruby on Rails are likely to replace the current
HTML tokenizer with one provided by libxml to reduce the likelihood
of errors such as these in the future. In the meantime users can
install the loofah gem[1] which should enhance both the performance
and reliability of the HTML sanitization helpers.
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 pkgsrc/www/ruby-actionpack/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
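As an added illustration of the first fix's point, here is a hypothetical hardened setter for a user-influenced response Content-Type. It is not code from Rails, actionpack or the pkgsrc package; the names `safe_content_type`, `content_type_or_default`, `ALLOWED_MEDIA_TYPES` and `InvalidContentType` are assumptions for this example.

```ruby
# Added example (not Rails or pkgsrc code): validate a user-supplied
# Content-Type before it reaches a response header, so that a value
# containing line terminators or unexpected media types is rejected
# instead of being written out verbatim (the response-splitting case).

# Media types this hypothetical application is willing to serve.
ALLOWED_MEDIA_TYPES = %w[text/html text/plain application/json application/xml].freeze

# One "type/subtype" token with an optional charset parameter and nothing
# else: anchored at both ends so no extra header text can follow.
MEDIA_TYPE_RE = %r{\A([a-z0-9][a-z0-9._+-]*/[a-z0-9][a-z0-9._+-]*)(?:;\s*charset=([a-z0-9_-]+))?\z}i

class InvalidContentType < ArgumentError; end

# Returns a canonical, lower-cased Content-Type string, or raises
# InvalidContentType when the input cannot be safely used as a header value.
def safe_content_type(raw)
  value = raw.to_s
  # Any control character (CR, LF, NUL, ...) is a hard failure: a header
  # value must be a single line, so these can never be legitimate here.
  if value.match?(/[\x00-\x1f\x7f]/)
    raise InvalidContentType, "control character in Content-Type"
  end
  m = MEDIA_TYPE_RE.match(value)
  raise InvalidContentType, "malformed media type: #{value.inspect}" unless m
  media_type = m[1].downcase
  unless ALLOWED_MEDIA_TYPES.include?(media_type)
    raise InvalidContentType, "media type not allowed: #{media_type}"
  end
  charset = m[2] && m[2].downcase
  charset ? "#{media_type}; charset=#{charset}" : media_type
end

# Same check, but falls back to a known-good default instead of raising,
# for callers that prefer to degrade silently.
def content_type_or_default(raw, default = "text/html; charset=utf-8")
  safe_content_type(raw)
rescue InvalidContentType
  default
end
```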