diff --git a/.gitignore b/.gitignore
index 27e01ec..1614bcb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@
 /kramdown-1.17.0.gem
 /kramdown-2.1.0.gem
 /kramdown-2.2.1.gem
+/kramdown-2.3.0.gem
diff --git a/rubygem-kramdown-2.2.1-0001-Add-option-forbidden_inline_options.patch b/rubygem-kramdown-2.2.1-0001-Add-option-forbidden_inline_options.patch
deleted file mode 100644
index 316a3f9..0000000
--- a/rubygem-kramdown-2.2.1-0001-Add-option-forbidden_inline_options.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde Mon Sep 17 00:00:00 2001 -From: Thomas Leitner -Date: Sat, 27 Jun 2020 14:47:21 +0200 -Subject: [PATCH 1/2] Add option forbidden_inline_options - -It is sometimes necessary to restrict the options that can be set -inline, ie. using the {::options ...} extensions. - -By default, the template option is now forbidden to avoid possible -security problems. This addresses CVE-2020-14001. ---- - lib/kramdown/options.rb | 10 ++++++++++ - lib/kramdown/parser/kramdown/extensions.rb | 6 ++++++ - test/testcases/block/12_extension/options.text | 2 ++ - 3 files changed, 18 insertions(+) - -diff --git a/lib/kramdown/options.rb b/lib/kramdown/options.rb -index ea67913..0214e28 100644 ---- a/lib/kramdown/options.rb -+++ b/lib/kramdown/options.rb -@@ -589,6 +589,16 @@ module Kramdown - Used by: HTML converter - EOF - -+ define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val| -+ Defines the options that may not be set using the {::options} extension -+ -+ Default: template -+ Used by: HTML converter -+ EOF -+ val.map! {|item| item.kind_of?(String) ? 
str_to_sym(item) : item } -+ simple_array_validator(val, :forbidden_inline_options) -+ end -+ - end - - end -diff --git a/lib/kramdown/parser/kramdown/extensions.rb b/lib/kramdown/parser/kramdown/extensions.rb -index 493dcf7..637d0fa 100644 ---- a/lib/kramdown/parser/kramdown/extensions.rb -+++ b/lib/kramdown/parser/kramdown/extensions.rb -@@ -110,6 +110,12 @@ module Kramdown - opts.select do |k, v| - k = k.to_sym - if Kramdown::Options.defined?(k) -+ if @options[:forbidden_inline_options].include?(k) || -+ k == :forbidden_inline_options -+ warning("Option #{k} may not be set inline") -+ next false -+ end -+ - begin - val = Kramdown::Options.parse(k, v) - @options[k] = val -diff --git a/test/testcases/block/12_extension/options.text b/test/testcases/block/12_extension/options.text -index 5991ab7..b63f34b 100644 ---- a/test/testcases/block/12_extension/options.text -+++ b/test/testcases/block/12_extension/options.text -@@ -19,3 +19,5 @@ some *para* - Some text[^ab]. - - [^ab]: Some text. -+ -+{::options template="/etc/passwd" /} --- -2.26.2 - diff --git a/rubygem-kramdown-2.2.1-minitest-warning-must_equal.patch b/rubygem-kramdown-2.2.1-minitest-warning-must_equal.patch deleted file mode 100644 index f81a5ee..0000000 --- a/rubygem-kramdown-2.2.1-minitest-warning-must_equal.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From dd1bab4ee32324db3a11f5712718792164bd38c8 Mon Sep 17 00:00:00 2001 -From: Thomas Leitner -Date: Sat, 27 Jun 2020 11:35:15 +0200 -Subject: [PATCH] Use assert_equal instead of .must_equal in test cases - ---- - test/test_location.rb | 4 ++-- - test/test_string_scanner_kramdown.rb | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/test/test_location.rb b/test/test_location.rb -index 41295dc4..d2642c78 100644 ---- a/test/test_location.rb -+++ b/test/test_location.rb -@@ -18,7 +18,7 @@ - def check_element_for_location(element) - if (match = /^line-(\d+)/.match(element.attr['class'] || '')) - expected_line = match[1].to_i -- element.options[:location].must_equal(expected_line) -+ assert_equal(expected_line, element.options[:location]) - end - element.children.each do |child| - check_element_for_location(child) -@@ -187,7 +187,7 @@ def check_element_for_location(element) - *[duplicate]: The second definition - ) - doc = Kramdown::Document.new(test_string.strip) -- doc.warnings.must_equal ["Duplicate abbreviation ID 'duplicate' on line 4 - overwriting"] -+ assert_equal(["Duplicate abbreviation ID 'duplicate' on line 4 - overwriting"], doc.warnings) - end - - it 'handles abbreviations' do -diff --git a/test/test_string_scanner_kramdown.rb b/test/test_string_scanner_kramdown.rb -index a2c91ebc..713c03c4 100644 ---- a/test/test_string_scanner_kramdown.rb -+++ b/test/test_string_scanner_kramdown.rb -@@ -21,7 +21,7 @@ - it "computes the correct current_line_number for example ##{i + 1}" do - str_sc = Kramdown::Utils::StringScanner.new(test_string) - scan_regexes.each {|scan_re| str_sc.scan_until(scan_re) } -- str_sc.current_line_number.must_equal expect -+ assert_equal(expect, str_sc.current_line_number) - end - end - end diff --git a/rubygem-kramdown.spec b/rubygem-kramdown.spec index bcf9657..7ef35b7 100644 --- a/rubygem-kramdown.spec +++ b/rubygem-kramdown.spec 
@@ -2,28 +2,20 @@ %global gem_name kramdown
 Name: rubygem-%{gem_name}
-Version: 2.2.1
-Release: 9%{?dist}
+Version: 2.3.0
+Release: 1%{?dist}
 Summary: Fast, pure-Ruby Markdown-superset converter
 License: MIT
 URL: http://kramdown.rubyforge.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
-# https://bugzilla.redhat.com/show_bug.cgi?id=1858395
-# https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
-# CVE-2020-14001
-Patch1: rubygem-kramdown-2.2.1-0001-Add-option-forbidden_inline_options.patch
 # https://github.com/gettalong/kramdown/commit/e1beb51af7fe4ecb85dbab7328f47a23c86c7df2
 Patch2: rubygem-kramdown-2.2.1-rouge-3_26_0-testsuite.patch
-# https://github.com/gettalong/kramdown/commit/dd1bab4ee32324db3a11f5712718792164bd38c8
-Patch3: rubygem-kramdown-2.2.1-minitest-warning-must_equal.patch
 BuildRequires: ruby(release)
 BuildRequires: rubygems-devel
 BuildRequires: rubygem(minitest) >= 5
-%if 0%{?fedora} >= 34
 BuildRequires: rubygem(rexml)
-%endif
-BuildRequires: rubygem(rouge)
+BuildRequires: rubygem(rouge) >= 3.26.0
 BuildRequires: rubygem(test-unit)
 BuildRequires: rubygem(stringex)
 # Recommends: rubygem(stringex)
@@ -58,16 +50,8 @@ Documentation for %{name}
 %prep
 gem unpack %{SOURCE0}
 %setup -q -D -T -n %{gem_name}-%{version}
-%patch1 -p1
 %patch2 -p1
-%patch3 -p1
 gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
-# 2.2.1 explicily adds rexml runtime dependency, which is actually required from
-# ruby 3.0
-# for ruby < 3.0, see bug 1838185
-%if 0%{?fedora} < 34
-sed -i %{gem_name}.gemspec -e '\@rexml@d'
-%endif
 %build
 gem build %{gem_name}.gemspec
@@ -99,10 +83,9 @@ LANG=C.UTF-8
 pushd .%{gem_instdir}
-# Test suite is now failing, need investigating
 export RUBYLIB=$(pwd)/lib
-ruby -e 'Dir.glob "./test/test_*.rb", &method(:require)' \
- || false
+ruby -e 'Dir.glob "./test/test_*.rb", &method(:require)'
+
 popd
 %files
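Review bot: Dropping Patch1 together with its three comment lines removes the only record in the spec that CVE-2020-14001 (rhbz#1858395) is addressed, and neither the new header nor the %changelog entry in the last spec hunk says where the fix now comes from — presumably upstream 2.3.0, since the referenced commit 1b8fd33 predates that release, but that is inferred rather than stated here. A one-line comment near Source0 such as `# CVE-2020-14001 (rhbz#1858395): fixed upstream in 2.3.0, Patch1 dropped`, or an equivalent %changelog bullet, would keep the fix auditable without re-reading git history. The same %changelog entry misspells its second bullet; it should read `- Specify rouge version dependency for test suite`. Patch2 is still named `rubygem-kramdown-2.2.1-rouge-3_26_0-testsuite.patch` although it is now applied to 2.3.0, so the filename no longer reflects the version it is carried against.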
@@ -127,6 +110,10 @@ popd
 %doc %{gem_docdir}
 %changelog
+* Mon Feb 1 2021 Mamoru TASAKA - 2.3.0-1
+- 2.3.0
+- Speficy rouge version dependency for test suite
+
 * Wed Jan 27 2021 Fedora Release Engineering - 2.2.1-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
diff --git a/sources b/sources
index 2803f8e..7e24ab4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (kramdown-2.2.1.gem) = 7c322010a8a418706c48d5a1011354aba215d50be94354fff93a636ff3453906bb381cf5669560a6bd10ecaf3bab7b04f446efa0a4b85322865b879f74de4c43
+SHA512 (kramdown-2.3.0.gem) = a3ed8360de9208d5ce658d198763737826db943d23dda7ca9cfd507a4656c39f2b19ece78af87981b1177fe01690d6647c854092b230cf3a8a7d2823dc83d276