security fix, prepare 4.3.1

jgarber · May 17, 2016 · cddd03b · cddd03b
1 parent 319e140
commit cddd03b
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 6 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+== 4.3.1 / May 17th, 2016
+
+* Fix additional case for CVE-2012-6684 [Joshua Siler]
+
 == 4.3.0 / April 29th, 2016
 
 * Remove JRuby and Windows cross compilation and support

diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
@@ -119,11 +119,15 @@ def link(opts)
   end
 
   def image(opts)
-    opts.delete(:align)
-    opts[:alt] = opts[:title]
-    img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />"  
-    img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href]
-    img
+    if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/ || opts[:href] =~ /^\s*javascript:/ )
+      opts[:title]
+    else
+      opts.delete(:align)
+      opts[:alt] = opts[:title]
+      img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />"  
+      img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href]
+      img
+    end
   end
 
   def footno(opts)

diff --git a/lib/redcloth/version.rb b/lib/redcloth/version.rb
@@ -2,7 +2,7 @@ module RedCloth
   module VERSION
     MAJOR = 4
     MINOR = 3
-    TINY  = 0
+    TINY  = 1
 #    RELEASE_CANDIDATE = 0
 
     STRING = [MAJOR, MINOR, TINY].compact.join('.')

diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
@@ -10,5 +10,13 @@
     expect(output).to_not match(/href=.javascript:alert/)
   end
 
+  it 'should not let javascript links pass through on images' do
+  	output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"').to_html
+    expect(output).to match(/src=.javascript:alert/)
+    expect(output).to match(/href=.javascript:prompt/)
 
+    output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/src=.javascript:alert/)
+    expect(output).to_not match(/href=.javascript:prompt/)
+  end
 end
diff --git a/tasks/release.rake b/tasks/release.rake
@@ -1,5 +1,11 @@
 namespace :release do
   desc 'Push all gems to rubygems.org'
+  # git tag and push tag
+  # branch into stable vx.x branch
+  # change version in version.rb
+  # update changelog
+  # run rake test
+
   task :gem do
     puts "Did you git tag and git push the tag for this release yet?"
     sh("rm *.gem")