CVS commit: pkgsrc/www/ruby-actionpack31

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/ruby-actionpack31
From: "Takahiro Kambe" <taca%netbsd.org@localhost>
Date: Sun, 12 Aug 2012 10:34:38 +0000

Module Name:    pkgsrc
Committed By:   taca
Date:           Sun Aug 12 10:34:38 UTC 2012

Modified Files:
        pkgsrc/www/ruby-actionpack31: distinfo

Log Message:
Update ruby-actionpack31 to 3.1.8.

## Rails 3.1.8 (Aug 9, 2012)

* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
  helper doesn't correctly handle malformed html.  As a result an attacker can
  execute arbitrary javascript through the use of specially crafted malformed
  html.

  *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*

* When a "prompt" value is supplied to the `select_tag` helper, the
  "prompt" value is not escaped.
  If untrusted data is not escaped, and is supplied as the prompt value,
  there is a potential for XSS attacks.
  Vulnerable code will look something like this:
    select_tag("name", options, :prompt => UNTRUSTED_INPUT)

  *Santiago Pastorino*


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/www/ruby-actionpack31/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/devel/ruby-activemodel31
Next by Date: CVS commit: pkgsrc/databases/ruby-activerecord31
Previous by Thread: CVS commit: pkgsrc/devel/ruby-activemodel31
Next by Thread: CVS commit: pkgsrc/databases/ruby-activerecord31
Indexes:

Home | Main Index | Thread Index | Old Index