Merge pull request #20 from tpo/master

joshuasiler · joshuasiler · commit b9bec13a2454 · 2016-04-29T14:13:09.000-06:00
please include fix for CVE-2012-6684
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,13 @@
 == Head
 
+* include CVE-2012-6684 fix [Tomas Pospisek]
+  * fix by [Antonio Terceiro] 
+    * see http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/
+  * vulnerability reported by [Kousuke Ebihara] 
+    * see http://co3k.org/blog/redcloth-unfixed-xss-en
+
+== 4.2.9.1 / February 24, 2015
+
 * Lazy-load latex_entities.yml [Charlie Somerville]
 
 == 4.2.9 / November 25, 2011
diff --git a/README.rdoc b/README.rdoc
@@ -1,3 +1,11 @@
+= Specifics of this RedCloth fork
+
+This RedCloth fork fixes CVE-2012-6684 as
+{reported by Kousuke Ebihara}(http://co3k.org/blog/redcloth-unfixed-xss-en)
+using a {patch by Antonio Terceiro}(http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/)
+
+Read on below for the original RedCloth documentation
+
 = RedCloth - Textile parser for Ruby
 
 Homepage::  http://redcloth.org
diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
@@ -111,7 +111,11 @@ def bq_close(opts)
   end
   
   def link(opts)
-    "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
+    if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
+      opts[:name]
+    else
+      "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
+    end
   end
   
   def image(opts)
diff --git a/lib/redcloth/version.rb b/lib/redcloth/version.rb
@@ -3,7 +3,7 @@ module VERSION
     MAJOR = 4
     MINOR = 2
     TINY  = 9
-    RELEASE_CANDIDATE = nil
+    RELEASE_CANDIDATE = 1
 
     STRING = [MAJOR, MINOR, TINY, RELEASE_CANDIDATE].compact.join('.')
     TAG = "REL_#{[MAJOR, MINOR, TINY, RELEASE_CANDIDATE].compact.join('_')}".upcase.gsub(/\.|-/, '_')
diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
@@ -0,0 +1,14 @@
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
+
+require 'redcloth'
+
+describe 'CVE-2012-6684' do
+
+  it 'should not let javascript links pass through' do
+    # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
+    output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/href=.javascript:alert/)
+  end
+
+
+end
