From ffa87887ee0517793df7541629a470e331f9fe60 Mon Sep 17 00:00:00 2001
From: Eric Hodel <drbrain@segment7.net>
Date: Tue, 5 Feb 2013 19:57:58 -0800
Subject: [PATCH] Fix CVE-2013-0256, an XSS exploit in RDoc
diff --git a/CVE-2013-0256.rdoc b/CVE-2013-0256.rdoc
new file mode 100644
index 0000000..b285b6a
--- /dev/null
+++ b/CVE-2013-0256.rdoc
@@ -0,0 +1,49 @@
+= RDoc 2.3.0 through 3.12 XSS Exploit
+
+RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
+to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may
+lead to cookie disclosure to third parties.
+
+The exploit exists in darkfish.js which is copied from the RDoc install
+location to the generated documentation.
+
+RDoc is a static documentation generation tool. Patching the library itself
+is insufficient to correct this exploit. Those hosting rdoc documentation will
+need to apply the following patch. If applied while ignoring whitespace, this
+patch will correct all affected versions:
+
+ diff --git darkfish.js darkfish.js
+ index 4be722f..f26fd45 100644
+ --- darkfish.js
+ +++ darkfish.js
+ @@ -109,13 +109,15 @@ function hookSearch() {
+ function highlightTarget( anchor ) {
+ console.debug( "Highlighting target '%s'.", anchor );
+
+ - $("a[name=" + anchor + "]").each( function() {
+ - if ( !$(this).parent().parent().hasClass('target-section') ) {
+ - console.debug( "Wrapping the target-section" );
+ - $('div.method-detail').unwrap( 'div.target-section' );
+ - $(this).parent().wrap( '<div class="target-section"></div>' );
+ - } else {
+ - console.debug( "Already wrapped." );
+ + $("a[name]").each( function() {
+ + if ( $(this).attr("name") == anchor ) {
+ + if ( !$(this).parent().parent().hasClass('target-section') ) {
+ + console.debug( "Wrapping the target-section" );
+ + $('div.method-detail').unwrap( 'div.target-section' );
+ + $(this).parent().wrap( '<div class="target-section"></div>' );
+ + } else {
+ + console.debug( "Already wrapped." );
+ + }
+ }
+ });
+ };
+
+RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this
+exploit.
+
+This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+This vulnerability has been assigned the CVE identifier CVE-2013-0256.
+
diff --git a/History.rdoc b/History.rdoc
index 21497df..f4ebf1f 100644
--- a/History.rdoc
+++ b/History.rdoc
@@ -11,0 +11,3 @@
+ * Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure
+ to third parties. See CVE-2012-0256.rdoc for full details including a
+ patch you can apply to generated RDoc documentation.
diff --git a/Manifest.txt b/Manifest.txt
index 918447a..b26bfef 100644
--- a/Manifest.txt
+++ b/Manifest.txt
@@ -1,5 +1,6 @@
 .autotest
 .document
+CVE-2013-0256.rdoc
 DEVELOPERS.rdoc
 History.rdoc
 LEGAL.rdoc
diff --git a/Rakefile b/Rakefile
index 3985102..962c473 100644
--- a/Rakefile
+++ b/Rakefile
@@ -42,6 +42,7 @@ self.testlib = :minitest self.extra_rdoc_files += %w[ DEVELOPERS.rdoc + CVE-2013-0256.rdoc History.rdoc LICENSE.rdoc LEGAL.rdoc
diff --git a/lib/rdoc/generator/template/darkfish/js/darkfish.js b/lib/rdoc/generator/template/darkfish/js/darkfish.js
index 4be722f..f26fd45 100644
--- a/lib/rdoc/generator/template/darkfish/js/darkfish.js
+++ b/lib/rdoc/generator/template/darkfish/js/darkfish.js
@@ -109,13 +109,15 @@ function hookSearch() {
 function highlightTarget( anchor ) {
 console.debug( "Highlighting target '%s'.", anchor );
 
- $("a[name=" + anchor + "]").each( function() {
- if ( !$(this).parent().parent().hasClass('target-section') ) {
- console.debug( "Wrapping the target-section" );
- $('div.method-detail').unwrap( 'div.target-section' );
- $(this).parent().wrap( '<div class="target-section"></div>' );
- } else {
- console.debug( "Already wrapped." );
+ $("a[name]").each( function() {
+ if ( $(this).attr("name") == anchor ) {
+ if ( !$(this).parent().parent().hasClass('target-section') ) {
+ console.debug( "Wrapping the target-section" );
+ $('div.method-detail').unwrap( 'div.target-section' );
+ $(this).parent().wrap( '<div class="target-section"></div>' );
+ } else {
+ console.debug( "Already wrapped." );
+ }
 }
 });
 };
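Review bot: The rewritten loop in highlightTarget has no comment recording why `anchor` is compared against each element's name instead of being placed in the selector, so a later cleanup could bring back the `$("a[name=" + anchor + "]")` form this commit removes. I would add, directly above the `$("a[name]").each(` line, `// Match the name attribute as data; never build a $() argument from anchor (CVE-2013-0256).` As a smaller style point, the comparison can be strict, `if ( $(this).attr("name") === anchor ) {`, which should behave the same as long as callers pass `anchor` as a string; the callers are outside this hunk, so that is worth confirming.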