Fix CVE-2013-0256, an XSS exploit in RDoc

See CVE-2013-0256 for details on the exploit including a patch you can
apply to generated RDoc output.
commit ffa87887ee0517793df7541629a470e331f9fe60 1 parent 67db3ed
@drbrain drbrain authored
49 CVE-2013-0256.rdoc
@@ -0,0 +1,49 @@
+= RDoc 2.3.0 through 3.12 XSS Exploit
+
+RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
+to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may
+lead to cookie disclosure to third parties.
+
+The exploit exists in darkfish.js which is copied from the RDoc install
+location to the generated documentation.
+
+RDoc is a static documentation generation tool. Patching the library itself
+is insufficient to correct this exploit. Those hosting rdoc documentation will
+need to apply the following patch. If applied while ignoring whitespace, this
+patch will correct all affected versions:
+
+ diff --git darkfish.js darkfish.js
+ index 4be722f..f26fd45 100644
+ --- darkfish.js
+ +++ darkfish.js
+ @@ -109,13 +109,15 @@ function hookSearch() {
+ function highlightTarget( anchor ) {
+ console.debug( "Highlighting target '%s'.", anchor );
+
+ - $("a[name=" + anchor + "]").each( function() {
+ - if ( !$(this).parent().parent().hasClass('target-section') ) {
+ - console.debug( "Wrapping the target-section" );
+ - $('div.method-detail').unwrap( 'div.target-section' );
+ - $(this).parent().wrap( '<div class="target-section"></div>' );
+ - } else {
+ - console.debug( "Already wrapped." );
+ + $("a[name]").each( function() {
+ + if ( $(this).attr("name") == anchor ) {
+ + if ( !$(this).parent().parent().hasClass('target-section') ) {
+ + console.debug( "Wrapping the target-section" );
+ + $('div.method-detail').unwrap( 'div.target-section' );
+ + $(this).parent().wrap( '<div class="target-section"></div>' );
+ + } else {
+ + console.debug( "Already wrapped." );
+ + }
+ }
+ });
+ };
+
+RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this
+exploit.
+
+This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+This vulnerability has been assigned the CVE identifier CVE-2013-0256.
+
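Review bot: The heading `= RDoc 2.3.0 through 3.12 XSS Exploit` understates the affected range given in the first paragraph, which also covers prereleases up to rdoc 4.0.0.preview2.1; someone running a 4.0.0 preview who reads only the title would conclude they are unaffected, so the heading should mention the prereleases. The advisory also tells hosts to apply the patch "while ignoring whitespace" without saying how (for example `patch -l`), and it gives no way to check whether an already-deployed darkfish.js is affected. Naming the line to look for, `$("a[name=" + anchor + "]")`, would let hosts audit generated output directly.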
5 History.rdoc
@@ -1,4 +1,4 @@
-=== 4.0.0.preview3.1 / ??
+=== 4.0.0.rc.2 / ??
As a preview release, please file bugs for any problems you have with rdoc at
https://github.com/rdoc/rdoc/issues
@@ -14,6 +14,9 @@ to build HTML documentation when installing gems.)
* Added current heading and page-top links to HTML headings.
* Bug fixes
+ * Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure
+ to third parties. See CVE-2012-0256.rdoc for full details including a
+ patch you can apply to generated RDoc documentation.
* Fixed parsing of multibyte files with incomplete characters at byte 1024.
Ruby bug #6393 by nobu, patch by Nobuyoshi Nakada and Yui NARUSE.
* Fixed rdoc -E. Ruby Bug #6392 and (modified) patch by Nobuyoshi Nakada
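Review bot: The new History entry points readers to `CVE-2012-0256.rdoc`, but the file this commit adds, and lists in Manifest.txt and the Rakefile, is `CVE-2013-0256.rdoc`, matching the assigned identifier CVE-2013-0256. The year should be corrected to 2013 so the reference resolves to the shipped file and readers do not search for the wrong CVE.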
1  Manifest.txt
@@ -1,5 +1,6 @@
.autotest
.document
+CVE-2013-0256.rdoc
DEVELOPERS.rdoc
History.rdoc
LEGAL.rdoc
1  Rakefile
@@ -48,6 +48,7 @@ Depending on your version of ruby, you may need to install ruby rdoc/ri data:
self.testlib = :minitest
self.extra_rdoc_files += %w[
DEVELOPERS.rdoc
+ CVE-2013-0256.rdoc
History.rdoc
LICENSE.rdoc
LEGAL.rdoc
2  lib/rdoc.rb
@@ -64,7 +64,7 @@ class Error < RuntimeError; end
##
# RDoc version you are using
- VERSION = '4.0.0.preview3.1'
+ VERSION = '4.0.0.rc.2'
##
# Method visibilities
16 lib/rdoc/generator/template/darkfish/js/darkfish.js
@@ -109,13 +109,15 @@ function hookSearch() {
function highlightTarget( anchor ) {
console.debug( "Highlighting target '%s'.", anchor );
- $("a[name=" + anchor + "]").each( function() {
- if ( !$(this).parent().parent().hasClass('target-section') ) {
- console.debug( "Wrapping the target-section" );
- $('div.method-detail').unwrap( 'div.target-section' );
- $(this).parent().wrap( '<div class="target-section"></div>' );
- } else {
- console.debug( "Already wrapped." );
+ $("a[name]").each( function() {
+ if ( $(this).attr("name") == anchor ) {
+ if ( !$(this).parent().parent().hasClass('target-section') ) {
+ console.debug( "Wrapping the target-section" );
+ $('div.method-detail').unwrap( 'div.target-section' );
+ $(this).parent().wrap( '<div class="target-section"></div>' );
+ } else {
+ console.debug( "Already wrapped." );
+ }
}
});
};
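Review bot: The added comparison `$(this).attr("name") == anchor` uses loose equality; both sides are meant to be strings, so `===` states the intent and rules out coercion. Moving the match out of the selector is the right shape for the fix, since `anchor` is no longer concatenated into the jQuery selector string and is only ever compared as data. The commit touches no test file, though, so nothing guards against a later cleanup restoring `"a[name=" + anchor + "]"`. A regression test, or at least a comment above the `$("a[name]")` loop saying why `anchor` must stay out of the selector, would help.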