Backport upstream patch for CVE-2020-14001 (bug 1858395)
This commit is contained in:
parent
e08de6acda
commit
59d8fdf4b4
@ -0,0 +1,67 @@
|
||||
From 1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Leitner <t_leitner@gmx.at>
|
||||
Date: Sat, 27 Jun 2020 14:47:21 +0200
|
||||
Subject: [PATCH 1/2] Add option forbidden_inline_options
|
||||
|
||||
It is sometimes necessary to restrict the options that can be set
|
||||
inline, ie. using the {::options ...} extensions.
|
||||
|
||||
By default, the template option is now forbidden to avoid possible
|
||||
security problems. This addresses CVE-2020-14001.
|
||||
---
|
||||
lib/kramdown/options.rb | 10 ++++++++++
|
||||
lib/kramdown/parser/kramdown/extensions.rb | 6 ++++++
|
||||
test/testcases/block/12_extension/options.text | 2 ++
|
||||
3 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/lib/kramdown/options.rb b/lib/kramdown/options.rb
|
||||
index ea67913..0214e28 100644
|
||||
--- a/lib/kramdown/options.rb
|
||||
+++ b/lib/kramdown/options.rb
|
||||
@@ -589,6 +589,16 @@ module Kramdown
|
||||
Used by: HTML converter
|
||||
EOF
|
||||
|
||||
+ define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val|
|
||||
+ Defines the options that may not be set using the {::options} extension
|
||||
+
|
||||
+ Default: template
|
||||
+ Used by: HTML converter
|
||||
+ EOF
|
||||
+ val.map! {|item| item.kind_of?(String) ? str_to_sym(item) : item }
|
||||
+ simple_array_validator(val, :forbidden_inline_options)
|
||||
+ end
|
||||
+
|
||||
end
|
||||
|
||||
end
|
||||
diff --git a/lib/kramdown/parser/kramdown/extensions.rb b/lib/kramdown/parser/kramdown/extensions.rb
|
||||
index 493dcf7..637d0fa 100644
|
||||
--- a/lib/kramdown/parser/kramdown/extensions.rb
|
||||
+++ b/lib/kramdown/parser/kramdown/extensions.rb
|
||||
@@ -110,6 +110,12 @@ module Kramdown
|
||||
opts.select do |k, v|
|
||||
k = k.to_sym
|
||||
if Kramdown::Options.defined?(k)
|
||||
+ if @options[:forbidden_inline_options].include?(k) ||
|
||||
+ k == :forbidden_inline_options
|
||||
+ warning("Option #{k} may not be set inline")
|
||||
+ next false
|
||||
+ end
|
||||
+
|
||||
begin
|
||||
val = Kramdown::Options.parse(k, v)
|
||||
@options[k] = val
|
||||
diff --git a/test/testcases/block/12_extension/options.text b/test/testcases/block/12_extension/options.text
|
||||
index 5991ab7..b63f34b 100644
|
||||
--- a/test/testcases/block/12_extension/options.text
|
||||
+++ b/test/testcases/block/12_extension/options.text
|
||||
@@ -19,3 +19,5 @@ some <span>*para*</span>
|
||||
Some text[^ab].
|
||||
|
||||
[^ab]: Some text.
|
||||
+
|
||||
+{::options template="/etc/passwd" /}
|
||||
--
|
||||
2.26.2
|
||||
|
@ -3,12 +3,16 @@
|
||||
|
||||
Name: rubygem-%{gem_name}
|
||||
Version: 2.2.1
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Fast, pure-Ruby Markdown-superset converter
|
||||
|
||||
License: MIT
|
||||
URL: http://kramdown.rubyforge.org
|
||||
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1858395
|
||||
# https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
|
||||
# CVE-2020-14001
|
||||
Patch1: rubygem-kramdown-2.2.1-0001-Add-option-forbidden_inline_options.patch
|
||||
BuildRequires: ruby(release)
|
||||
BuildRequires: rubygems-devel
|
||||
BuildRequires: rubygem(minitest) >= 5
|
||||
@ -47,6 +51,7 @@ Documentation for %{name}
|
||||
%prep
|
||||
gem unpack %{SOURCE0}
|
||||
%setup -q -D -T -n %{gem_name}-%{version}
|
||||
%patch1 -p1
|
||||
gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
|
||||
# 2.2.1 explicily adds rexml runtime dependency, which is actually provided by system ruby.
|
||||
# So writing it to kramdown gemspec is not strictly needed, removing for now
|
||||
@ -108,6 +113,9 @@ popd
|
||||
%doc %{gem_docdir}
|
||||
|
||||
%changelog
|
||||
* Mon Aug 10 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.2.1-4
|
||||
- Backport upstream patch for CVE-2020-14001 (bug 1858395)
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
|
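Review bot: The backport picks up only the first patch of a two-part upstream series — the embedded patch header reads `Subject: [PATCH 1/2] Add option forbidden_inline_options` — while the spec adds a single `Patch1:` entry and one `%patch1 -p1` call in `%prep`. Whether the second part of the series is needed for a complete CVE-2020-14001 fix on 2.2.1 should be confirmed against the upstream commit already referenced in the comment block, and the decision recorded next to the Patch1 line, e.g. `# Only patch 1/2 of the upstream series is applied; part 2 judged not needed for 2.2.1 -- verify`. If `%check` runs the testcase suite (that section is outside the hunks shown), the new `test/testcases/block/12_extension/options.text` case will exercise the inline-option guard during the build, which is worth confirming rather than assuming.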