File _service:tar_scm:backport-CVE-2024-47889.patch of Package rubygem-actionmailer
From 0e5694f4d32544532d2301a9b4084eacb6986e94 Mon Sep 17 00:00:00 2001 From: John Hawthorn <john@hawthorn.email> Date: Fri, 11 Oct 2024 00:34:14 -0700 Subject: [PATCH] Avoid backtracking in ActionMailer block_format [CVE-2024-47889] Thanks to yuki_osaki and scyoon for reporting this vulnerability --- actionmailer/lib/action_mailer/mail_helper.rb | 14 +++++++++++--- actionmailer/test/mail_helper_test.rb | 12 ++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/actionmailer/lib/action_mailer/mail_helper.rb b/actionmailer/lib/action_mailer/mail_helper.rb index e7bed41f8d294..f527d5a59ebf5 100644 --- a/actionmailer/lib/action_mailer/mail_helper.rb +++ b/actionmailer/lib/action_mailer/mail_helper.rb @@ -23,10 +23,18 @@ def block_format(text) }.join("\n\n") # Make list points stand on their own line - formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { " #{$1} #{$2.strip}\n" } - formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { " #{$1} #{$2.strip}\n" } + output = +"" + splits = formatted.split(/(\*+|\#+)/) + while line = splits.shift + if line.start_with?("*", "#") && splits[0].start_with?(" ") + output.chomp!(" ") while output.end_with?(" ") + output << " #{line} #{splits.shift.strip}\n" + else + output << line + end + end - formatted + output end # Access the mailer instance.
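Review bot: In the new `while line = splits.shift` loop in `block_format`, the condition `line.start_with?("*", "#") && splits[0].start_with?(" ")` calls `start_with?` on `nil` when the marker run is the last element of `splits`. `String#split` with a capture group returns the delimiters and drops trailing empty strings, so input that ends in `*` or `#` (for example `"foo *"`, which splits to `["foo ", "*"]`) leaves nothing after the marker and the helper raises `NoMethodError` instead of returning the text. Guard the lookahead with `splits[0]&.start_with?(" ")` so a trailing marker falls through to the `else` branch and is appended unchanged. The diffstat lists 12 added lines in `actionmailer/test/mail_helper_test.rb`, but that hunk is not visible here; a test case for text ending in a list marker belongs alongside the backtracking test. The move from the two `gsub!` calls with `[^*]*` and `[^#]*` to a single split on `(\*+|\#+)` also merits a short comment in the code explaining that it exists to avoid regex backtracking, so a later cleanup does not fold it back into a regex.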