[BACK]Return to distinfo CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / www / ruby-actionpack32

File: [cvs.NetBSD.org] / pkgsrc / www / ruby-actionpack32 / Attic / distinfo (download)

Revision 1.6, Sun Aug 12 12:40:00 2012 UTC (7 years, 2 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.5: +4 -4 lines

Update ruby-actionpack32 to 3.2.8.

## Rails 3.2.8 (Aug 9, 2012) ##

* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
  helper doesn't correctly handle malformed html.  As a result an attacker can
  execute arbitrary javascript through the use of specially crafted malformed
  html.

  *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*

* When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
  value is not escaped.
  If untrusted data is not escaped, and is supplied as the prompt value, there
  is a potential for XSS attacks.
  Vulnerable code will look something like this:

    select_tag("name", options, :prompt => UNTRUSTED_INPUT)

  *Santiago Pastorino*

$NetBSD: distinfo,v 1.6 2012/08/12 12:40:00 taca Exp $

SHA1 (actionpack-3.2.8.gem) = ccc63cc2fcb3131b92d45cf5834aa629857d7258
RMD160 (actionpack-3.2.8.gem) = ec71996e73831ea346d8e060234a7f7a73881908
Size (actionpack-3.2.8.gem) = 379392 bytes