author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-15 15:04:00 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-15 17:46:34 -0700 |
commit | e115ace02a88290d2fc707b4979f23728c300950 (patch) | |
tree | 96245393fd5f28005ad66091f88c0cc8d62890ce /actionpack/lib/action_view | |
parent | db8b636e50ee8a138f48117e8e8ad057cc7527a4 (diff) | |
fix protocol checking in sanitization [CVE-2013-1857]
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r-- | actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb
index 6b8cb3acc7..30b6b8b141 100644
--- a/actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb
@@ -77,7 +77,7 @@ module HTML
# A regular expression of the valid characters used to separate protocols like
# the ':' in 'http://foo.com'
- self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/
+ self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i
# Specifies a Set of HTML attributes that can have URIs.
self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
@@ -182,7 +182,7 @@ module HTML
def contains_bad_protocols?(attr_name, value)
uri_attributes.include?(attr_name) &&
- (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+ (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end
end
end |
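Review bot: The separator pattern is maintained in two places — `self.protocol_separator` in the first hunk and the inline literal in `contains_bad_protocols?` in the second — and this fix had to add the new hex-colon alternative and the `/i` flag to both by hand, which is exactly how an omission in one copy can slip past review. Deriving the inline check from the attribute keeps them in step, since interpolating a Regexp embeds it together with its own flags: `(value =~ /(^[^\/:]*):|#{protocol_separator}/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))`. Separately, `.first` on the split result is nil when the attribute value consists only of separator characters (`String#split` with no limit drops trailing empty fields), so `.downcase` appears to raise NoMethodError there rather than rejecting the value; `value.split(protocol_separator).first.to_s.downcase.strip` would make such a value fall through to "not an allowed protocol" instead. The numeric-entity alternatives are not legible in this rendering, so their exact text is unverified here, and the enclosing class and module close at the end of the second hunk.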