From ffa87887ee0517793df7541629a470e331f9fe60 Mon Sep 17 00:00:00 2001
From: Eric Hodel <drbrain@segment7.net>
Date: Tue, 5 Feb 2013 19:57:58 -0800
Subject: [PATCH] Fix CVE-2013-0256, an XSS exploit in RDoc
diff --git a/CVE-2013-0256.rdoc b/CVE-2013-0256.rdoc
new file mode 100644
index 0000000..b285b6a
--- /dev/null
+++ b/CVE-2013-0256.rdoc
@@ -0,0 +1,49 @@
+= RDoc 2.3.0 through 3.12 XSS Exploit
+
+RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
+to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may
+lead to cookie disclosure to third parties.
+
+The exploit exists in darkfish.js which is copied from the RDoc install
+location to the generated documentation.
+
+RDoc is a static documentation generation tool. Patching the library itself
+is insufficient to correct this exploit. Those hosting rdoc documentation will
+need to apply the following patch. If applied while ignoring whitespace, this
+patch will correct all affected versions:
+
+ diff --git darkfish.js darkfish.js
+ index 4be722f..f26fd45 100644
+ --- darkfish.js
+ +++ darkfish.js
+ @@ -109,13 +109,15 @@ function hookSearch() {
+ function highlightTarget( anchor ) {
+ console.debug( "Highlighting target '%s'.", anchor );
+
+ - $("a[name=" + anchor + "]").each( function() {
+ - if ( !$(this).parent().parent().hasClass('target-section') ) {
+ - console.debug( "Wrapping the target-section" );
+ - $('div.method-detail').unwrap( 'div.target-section' );
+ - $(this).parent().wrap( '<div class="target-section"></div>' );
+ - } else {
+ - console.debug( "Already wrapped." );
+ + $("a[name]").each( function() {
+ + if ( $(this).attr("name") == anchor ) {
+ + if ( !$(this).parent().parent().hasClass('target-section') ) {
+ + console.debug( "Wrapping the target-section" );
+ + $('div.method-detail').unwrap( 'div.target-section' );
+ + $(this).parent().wrap( '<div class="target-section"></div>' );
+ + } else {
+ + console.debug( "Already wrapped." );
+ + }
+ }
+ });
+ };
+
+RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this
+exploit.
+
+This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+This vulnerability has been assigned the CVE identifier CVE-2013-0256.
+
diff --git a/History.rdoc b/History.rdoc
index 21497df..f4ebf1f 100644
--- a/History.rdoc
+++ b/History.rdoc
@@ -11,0 +11,3 @@
+ * Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure
+ to third parties. See CVE-2012-0256.rdoc for full details including a
+ patch you can apply to generated RDoc documentation.
diff --git a/Manifest.txt b/Manifest.txt
index 918447a..b26bfef 100644
--- a/Manifest.txt
+++ b/Manifest.txt
@@ -1,5 +1,6 @@
.autotest
.document
+CVE-2013-0256.rdoc
DEVELOPERS.rdoc
History.rdoc
LEGAL.rdoc
diff --git a/Rakefile b/Rakefile
index 3985102..962c473 100644
--- a/Rakefile
+++ b/Rakefile
@@ -42,6 +42,7 @@
self.testlib = :minitest
self.extra_rdoc_files += %w[
DEVELOPERS.rdoc
+ CVE-2013-0256.rdoc
History.rdoc
LICENSE.rdoc
LEGAL.rdoc
diff --git a/lib/rdoc/generator/template/darkfish/js/darkfish.js b/lib/rdoc/generator/template/darkfish/js/darkfish.js
index 4be722f..f26fd45 100644
--- a/lib/rdoc/generator/template/darkfish/js/darkfish.js
+++ b/lib/rdoc/generator/template/darkfish/js/darkfish.js
@@ -109,13 +109,15 @@ function hookSearch() {
function highlightTarget( anchor ) {
console.debug( "Highlighting target '%s'.", anchor );
- $("a[name=" + anchor + "]").each( function() {
- if ( !$(this).parent().parent().hasClass('target-section') ) {
- console.debug( "Wrapping the target-section" );
- $('div.method-detail').unwrap( 'div.target-section' );
- $(this).parent().wrap( '<div class="target-section"></div>' );
- } else {
- console.debug( "Already wrapped." );
+ $("a[name]").each( function() {
+ if ( $(this).attr("name") == anchor ) {
+ if ( !$(this).parent().parent().hasClass('target-section') ) {
+ console.debug( "Wrapping the target-section" );
+ $('div.method-detail').unwrap( 'div.target-section' );
+ $(this).parent().wrap( '<div class="target-section"></div>' );
+ } else {
+ console.debug( "Already wrapped." );
+ }
}
});
};
