openEuler:24.03:SP1:Everything:64G
rubygem-actionpack
_service:tar_scm:CVE-2024-26143.patch
File _service:tar_scm:CVE-2024-26143.patch of Package rubygem-actionpack
From 4c83b331092a79d58e4adffe4be5f250fa5782cc Mon Sep 17 00:00:00 2001 From: ooooooo_q <ooooooo-q@users.noreply.github.com> Date: Fri, 5 Jan 2024 12:00:02 +0900 Subject: [PATCH] fix XSS vulnerability when using translation [CVE-2024-26143] --- actionpack/CHANGELOG.md | 4 +++ .../lib/abstract_controller/translation.rb | 24 +++++++++++++- actionpack/test/abstract/translation_test.rb | 31 +++++++++++++++++++ 3 files changed, 58 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/abstract_controller/translation.rb b/actionpack/lib/abstract_controller/translation.rb index db71c172abd6c..bdd44c6893aa2 100644 --- a/actionpack/lib/abstract_controller/translation.rb +++ b/actionpack/lib/abstract_controller/translation.rb @@ -25,7 +25,25 @@ def translate(key, **options) i18n_raise = options.fetch(:raise, self.raise_on_missing_translations) - ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise) + if options[:default] + options[:default] = [options[:default]] unless options[:default].is_a?(Array) + options[:default] = options[:default].map do |value| + value.is_a?(String) ? ERB::Util.html_escape(value) : value + end + end + + unless i18n_raise + options[:default] = [] unless options[:default] + options[:default] << MISSING_TRANSLATION + end + + result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise) + + if result == MISSING_TRANSLATION + +"translation missing: #{key}" + else + result + end end alias :t :translate @@ -34,5 +52,9 @@ def localize(object, **options) I18n.localize(object, **options) end alias :l :localize + + private + MISSING_TRANSLATION = -(2**60) + private_constant :MISSING_TRANSLATION end end
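Review bot: in the `translate` hunk the String-default escaping runs for every key, not only `_html` keys, so a plain-text key called with a String `default:` now gets that default HTML-escaped even though its result is not rendered as HTML; consider guarding the `ERB::Util.html_escape` branch with `ActiveSupport::HtmlSafeTranslation.html_safe_translation_key?(key)`. Non-String defaults are passed through untouched, so a Proc default that builds markup is outside this fix and deserves a comment in the method. The diffstat above lists `actionpack/CHANGELOG.md` and `actionpack/test/abstract/translation_test.rb`, but only `translation.rb` is carried in this patch file, so the upstream regression tests are not applied with it.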
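Review bot: in the second hunk the bare `private` before `MISSING_TRANSLATION` does nothing for a constant (Ruby's `private` only affects methods defined after it); `private_constant :MISSING_TRANSLATION` is what actually hides it, so the `private` line should be dropped rather than left to silently change the visibility of any method added below it later. The sentinel is an Integer compared with `==`, which works for I18n's default chain, but a frozen `Object.new` compared with `equal?` would rule out any collision with a caller-supplied default.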