
Commit ffa8788

Fix CVE-2013-0256, an XSS exploit in RDoc
See CVE-2013-0256 for details on the exploit including a patch you can apply to generated RDoc output.
1 parent 67db3ed commit ffa8788

6 files changed

+65
-9
lines changed

Diff for: CVE-2013-0256.rdoc

+49
@@ -0,0 +1,49 @@
1+
= RDoc 2.3.0 through 3.12 XSS Exploit
2+
3+
RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
4+
to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may
5+
lead to cookie disclosure to third parties.
6+
7+
The exploit exists in darkfish.js which is copied from the RDoc install
8+
location to the generated documentation.
9+
10+
RDoc is a static documentation generation tool. Patching the library itself
11+
is insufficient to correct this exploit. Those hosting rdoc documentation will
12+
need to apply the following patch. If applied while ignoring whitespace, this
13+
patch will correct all affected versions:
14+
15+
diff --git darkfish.js darkfish.js
16+
index 4be722f..f26fd45 100644
17+
--- darkfish.js
18+
+++ darkfish.js
19+
@@ -109,13 +109,15 @@ function hookSearch() {
20+
function highlightTarget( anchor ) {
21+
console.debug( "Highlighting target '%s'.", anchor );
22+
23+
- $("a[name=" + anchor + "]").each( function() {
24+
- if ( !$(this).parent().parent().hasClass('target-section') ) {
25+
- console.debug( "Wrapping the target-section" );
26+
- $('div.method-detail').unwrap( 'div.target-section' );
27+
- $(this).parent().wrap( '<div class="target-section"></div>' );
28+
- } else {
29+
- console.debug( "Already wrapped." );
30+
+ $("a[name]").each( function() {
31+
+ if ( $(this).attr("name") == anchor ) {
32+
+ if ( !$(this).parent().parent().hasClass('target-section') ) {
33+
+ console.debug( "Wrapping the target-section" );
34+
+ $('div.method-detail').unwrap( 'div.target-section' );
35+
+ $(this).parent().wrap( '<div class="target-section"></div>' );
36+
+ } else {
37+
+ console.debug( "Already wrapped." );
38+
+ }
39+
}
40+
});
41+
};
42+
43+
RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this
44+
exploit.
45+
46+
This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
47+
48+
This vulnerability has been assigned the CVE identifier CVE-2013-0256.
49+
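
Review bot: The sentence "If applied while ignoring whitespace, this patch will correct all affected versions" (added lines 12-13) leaves the reader to work out how to do that and how to tell whether a hosted copy is still affected. Name the option to use, for example `patch -l` (`--ignore-whitespace`), and state that a vulnerable darkfish.js is one that still contains `$("a[name=" + anchor + "]")`, so hosts can search their generated documentation for it. The opening sentence also has a subject and verb mismatch ("RDoc documentation ... are vulnerable") that is worth fixing before this file ships as the advisory.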

Diff for: History.rdoc

+4-1
@@ -1,4 +1,4 @@
1-
=== 4.0.0.preview3.1 / ??
1+
=== 4.0.0.rc.2 / ??
22

33
As a preview release, please file bugs for any problems you have with rdoc at
44
https://github.com/rdoc/rdoc/issues
@@ -14,6 +14,9 @@ to build HTML documentation when installing gems.)
1414
* Added current heading and page-top links to HTML headings.
1515

1616
* Bug fixes
17+
* Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure
18+
to third parties. See CVE-2012-0256.rdoc for full details including a
19+
patch you can apply to generated RDoc documentation.
1720
* Fixed parsing of multibyte files with incomplete characters at byte 1024.
1821
Ruby bug #6393 by nobu, patch by Nobuyoshi Nakada and Yui NARUSE.
1922
* Fixed rdoc -E. Ruby Bug #6392 and (modified) patch by Nobuyoshi Nakada
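
Review bot: The new History entry (added line 18) points readers to "CVE-2012-0256.rdoc", but the file this commit adds and lists in Manifest.txt and the Rakefile is CVE-2013-0256.rdoc, and the commit message and advisory both use CVE-2013-0256. Change the year in the reference to 2013 so the changelog names the file and the CVE identifier that actually exist.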

Diff for: Manifest.txt

+1
@@ -1,5 +1,6 @@
11
.autotest
22
.document
3+
CVE-2013-0256.rdoc
34
DEVELOPERS.rdoc
45
History.rdoc
56
LEGAL.rdoc

Diff for: Rakefile

+1
@@ -48,6 +48,7 @@ Depending on your version of ruby, you may need to install ruby rdoc/ri data:
4848
self.testlib = :minitest
4949
self.extra_rdoc_files += %w[
5050
DEVELOPERS.rdoc
51+
CVE-2013-0256.rdoc
5152
History.rdoc
5253
LICENSE.rdoc
5354
LEGAL.rdoc

Diff for: lib/rdoc.rb

+1-1
@@ -64,7 +64,7 @@ class Error < RuntimeError; end
6464
##
6565
# RDoc version you are using
6666

67-
VERSION = '4.0.0.preview3.1'
67+
VERSION = '4.0.0.rc.2'
6868

6969
##
7070
# Method visibilities
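
Review bot: The VERSION change from '4.0.0.preview3.1' to '4.0.0.rc.2' at line 67 rides in the same commit as the darkfish.js security fix. The advisory added here lists 3.9.5 and 3.12.1 as fixed releases, so the fix has to land on more than one release line; putting the version bump and the History heading change in their own commit would let the fix itself be cherry-picked without conflicts on this line.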

Diff for: lib/rdoc/generator/template/darkfish/js/darkfish.js

+9-7
@@ -109,13 +109,15 @@ function hookSearch() {
109109
function highlightTarget( anchor ) {
110110
console.debug( "Highlighting target '%s'.", anchor );
111111

112-
$("a[name=" + anchor + "]").each( function() {
113-
if ( !$(this).parent().parent().hasClass('target-section') ) {
114-
console.debug( "Wrapping the target-section" );
115-
$('div.method-detail').unwrap( 'div.target-section' );
116-
$(this).parent().wrap( '<div class="target-section"></div>' );
117-
} else {
118-
console.debug( "Already wrapped." );
112+
$("a[name]").each( function() {
113+
if ( $(this).attr("name") == anchor ) {
114+
if ( !$(this).parent().parent().hasClass('target-section') ) {
115+
console.debug( "Wrapping the target-section" );
116+
$('div.method-detail').unwrap( 'div.target-section' );
117+
$(this).parent().wrap( '<div class="target-section"></div>' );
118+
} else {
119+
console.debug( "Already wrapped." );
120+
}
119121
}
120122
});
121123
};
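
Review bot: The new loop at lines 112-113 has no comment explaining why `anchor` is compared in JavaScript rather than placed in the selector, so a later cleanup could restore the concatenated `"a[name=" + anchor + "]"` form that this commit removes. Add a one-line comment above `$("a[name]").each(` saying that `anchor` must never be interpolated into a jQuery selector string, and use `===` in `$(this).attr("name") == anchor`, since a plain string comparison is what is intended. None of the six changed files is a test; a regression test for highlightTarget would keep this fixed.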
