RDoc produces HTML and command-line documentation for Ruby projects. RDoc
includes the rdoc and ri tools for generating and
displaying documentation from the command-line.
Vulnerability Description
RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may
lead to cookie disclosure to third parties.
The exploit exists in darkfish.js which is copied from the RDoc install
location to the generated documentation.
RDoc is a static documentation generation tool. Patching the library itself
is insufficient to correct this exploit. Those hosting rdoc documentation will
need to apply the following patch. If applied while ignoring whitespace, this
patch will correct all affected versions:
This vulnerability has been assigned the CVE identifier CVE-2013-0256.
RDoc 3.9.5
RDoc 3.9.5 was released to match the RDoc in ruby 1.9.3-p385.
Bug fixes
Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure
to third parties. See CVE-2013-0256.rdoc for full details including a
patch you can apply to generated RDoc documentation.
RDoc 3.12.1
RDoc 3.12.1 was updated as the latest stable release as RDoc 4 is not yet ready.
Bug fixes
Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure
to third parties. See CVE-2013-0256.rdoc for full
details including a patch you can apply to generated RDoc documentation.
Ensured that rd parser files are generated before checking the manifest.
RDoc 4.0.0.rc.2
Minor enhancements
Added current heading and page-top links to HTML headings.
Bug fixes
Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure
to third parties. See CVE-2013-0256.rdoc for full
details including a patch you can apply to generated RDoc documentation.
Fixed parsing of multibyte files with incomplete characters at byte 1024.
Ruby bug #6393 by nobu, patch by Nobuyoshi Nakada and Yui NARUSE.
Fixed rdoc -E. Ruby Bug #6392 and (modified) patch by Nobuyoshi Nakada
Added link handling to Markdown output. Bug #160 by burningTyger.
Fixed HEREDOC output for the limited case of a heredoc followed by a line
end. When a HEREDOC is not followed by a line end RDoc is not currently
smart enough to restore the source correctly. Bug #162 by Zachary Scott.
Fixed parsing of executables with shebang and encoding comments. Bug #161
by Marcus Stollsteimer
RDoc now ignores methods defined on constants instead of creating a fake
module. Bug #163 by Zachary Scott.
Fixed ChangeLog parsing for FFI gem. Bug #165 by Zachary Scott.
RDoc now links #=== methods. Bug #164 by Zachary Scott.
Allow [] following argument names for TomDoc. Bug #167 by Ellis Berner.
Fixed the RDoc servlet for home and site directories. Bug #170 by Thomas
Leitner.
Fixed references to methods in the RDoc servlet. Bug #171 by Thomas
Leitner.
Fixed debug message when generating the darkfish root page. Pull Request #174 by Thomas Leitner.
Fixed deletion of attribute ri data when a class was loaded then saved.
Issue #171 by Thomas Leitner.