The Artima Developer Community

Ruby Buzz Forum
RDoc XSS vulnerability CVE-2013-0256 releases 3.9.5, 3.12.1, 4.0.0.rc.2

Eric Hodel

Posts: 660
Nickname: drbrain
Registered: Mar, 2006

Eric Hodel is a long-time Rubyist and co-founder of Seattle.rb.
RDoc XSS vulnerability CVE-2013-0256 releases 3.9.5, 3.12.1, 4.0.0.rc.2 Posted: Feb 6, 2013 12:17 PM

This post originated from an RSS feed registered with Ruby Buzz by Eric Hodel.
Original Post: RDoc XSS vulnerability CVE-2013-0256 releases 3.9.5, 3.12.1, 4.0.0.rc.2
Feed Title: Segment7
Feed URL: http://blog.segment7.net/articles.rss
Feed Description: Posts about and around Ruby, MetaRuby, ruby2c, ZenTest and work at The Robot Co-op.

RDoc versions 3.9.5, 3.12.1 and 4.0.0.rc.2 have been released!

RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the rdoc and ri tools for generating and displaying documentation from the command line.

Vulnerability Description

RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1 is vulnerable to an XSS exploit. This exploit may lead to cookie disclosure to third parties.

The exploit exists in darkfish.js, which is copied from the RDoc install location to the generated documentation.

RDoc is a static documentation generation tool. Patching the library itself is insufficient to correct this exploit. Those hosting rdoc documentation will need to apply the following patch. If applied while ignoring whitespace, this patch will correct all affected versions:

diff --git darkfish.js darkfish.js
index 4be722f..f26fd45 100644
--- darkfish.js
+++ darkfish.js
@@ -109,13 +109,15 @@ function hookSearch() {
 function highlightTarget( anchor ) {
   console.debug( "Highlighting target '%s'.", anchor );

-  $("a[name=" + anchor + "]").each( function() {
-    if ( !$(this).parent().parent().hasClass('target-section') ) {
-      console.debug( "Wrapping the target-section" );
-      $('div.method-detail').unwrap( 'div.target-section' );
-      $(this).parent().wrap( '<div class="target-section"></div>' );
-    } else {
-      console.debug( "Already wrapped." );
+  $("a[name]").each( function() {
+    if ( $(this).attr("name") == anchor ) {
+      if ( !$(this).parent().parent().hasClass('target-section') ) {
+        console.debug( "Wrapping the target-section" );
+        $('div.method-detail').unwrap( 'div.target-section' );
+        $(this).parent().wrap( '<div class="target-section"></div>' );
+      } else {
+        console.debug( "Already wrapped." );
+      }
     }
   });
 };
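
Review bot: the added comparison `$(this).attr("name") == anchor` uses loose equality; `anchor` is logged with `%s` and `attr("name")` returns a string, so `===` states the intent and rules out coercion. A one-line comment above `$("a[name]").each(` saying that `anchor` must never be concatenated into a selector would also help, because the filter-inside-a-loop form looks like something a later cleanup would fold back into `$("a[name=" + anchor + "]")`.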

RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this exploit.

This exploit was discovered by Evgeny Ermakov corwmh@gmail.com.

This vulnerability has been assigned the CVE identifier CVE-2013-0256.
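
Because upgrading RDoc does not touch documentation that is already published, a host needs to find every stale copy of darkfish.js. The following added example (not part of the original post or of RDoc) walks a documentation root and classifies each darkfish.js by matching the removed and added lines of the patch above, ignoring whitespace. The function names, the constructed sample strings and the `:unknown` result for files matching neither line are assumptions of this example.

```ruby
# Whitespace-tolerant patterns built from the "-" and "+" lines of the patch.
VULNERABLE = /\$\(\s*["']a\[name=["']\s*\+\s*anchor\s*\+\s*["']\]["']\s*\)/
PATCHED    = /\.attr\(\s*["']name["']\s*\)\s*===?\s*anchor\b/

# Constructed samples: the old and new lookups, with spacing varied on purpose.
SAMPLE_OLD = <<~'JS'
  function highlightTarget( anchor ) {
    $( "a[name="+anchor+"]" ).each( function() { /* ... */ });
  };
JS
SAMPLE_NEW = <<~'JS'
  function highlightTarget( anchor ) {
    $("a[name]").each( function() {
      if ( $(this).attr( "name" )  ==  anchor ) { /* ... */ }
    });
  };
JS

# Classify one darkfish.js source. The concatenated selector wins over the
# patched comparison, so a half-applied patch is still reported.
def classify_darkfish(source)
  return :vulnerable if source =~ VULNERABLE
  return :patched    if source =~ PATCHED
  :unknown # neither line found: inspect by hand
end

# Map every darkfish.js under root (relative path) to its classification.
def scan_docs(root)
  Dir.glob("**/darkfish.js", base: root).sort.to_h do |rel|
    # binread: stay robust if a copy contains non-UTF-8 bytes
    [rel, classify_darkfish(File.binread(File.join(root, rel)))]
  end
end

# Command-line use: ruby scan_darkfish.rb /path/to/hosted/docs
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  results = scan_docs(ARGV[0])
  results.each { |rel, state| puts format("%-10s %s", state, rel) }
  exit 1 if results.value?(:vulnerable)
end
```

A non-zero exit status means at least one copy still needs the patch, which makes the script usable as a gate in a docs publishing job.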

RDoc 3.9.5

RDoc 3.9.5 was released to match the RDoc in ruby 1.9.3-p385.

  • Bug fixes
    • Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure to third parties. See CVE-2013-0256.rdoc for full details including a patch you can apply to generated RDoc documentation.

RDoc 3.12.1

RDoc 3.12.1 was updated as the latest stable release as RDoc 4 is not yet ready.

  • Bug fixes
    • Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure to third parties. See CVE-2013-0256.rdoc for full details including a patch you can apply to generated RDoc documentation.
    • Ensured that rd parser files are generated before checking the manifest.

RDoc 4.0.0.rc.2

  • Minor enhancements

    • Added current heading and page-top links to HTML headings.
  • Bug fixes

    • Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure to third parties. See CVE-2013-0256.rdoc for full details including a patch you can apply to generated RDoc documentation.
    • Fixed parsing of multibyte files with incomplete characters at byte 1024. Ruby bug #6393 by nobu, patch by Nobuyoshi Nakada and Yui NARUSE.
    • Fixed rdoc -E. Ruby Bug #6392 and (modified) patch by Nobuyoshi Nakada.
    • Added link handling to Markdown output. Bug #160 by burningTyger.
    • Fixed HEREDOC output for the limited case of a heredoc followed by a line end. When a HEREDOC is not followed by a line end RDoc is not currently smart enough to restore the source correctly. Bug #162 by Zachary Scott.
    • Fixed parsing of executables with shebang and encoding comments. Bug #161 by Marcus Stollsteimer.
    • RDoc now ignores methods defined on constants instead of creating a fake module. Bug #163 by Zachary Scott.
    • Fixed ChangeLog parsing for FFI gem. Bug #165 by Zachary Scott.
    • RDoc now links #=== methods. Bug #164 by Zachary Scott.
    • Allow [] following argument names for TomDoc. Bug #167 by Ellis Berner.
    • Fixed the RDoc servlet for home and site directories. Bug #170 by Thomas Leitner.
    • Fixed references to methods in the RDoc servlet. Bug #171 by Thomas Leitner.
    • Fixed debug message when generating the darkfish root page. Pull Request #174 by Thomas Leitner.
    • Fixed deletion of attribute ri data when a class was loaded then saved. Issue #171 by Thomas Leitner.
