ruby/backport-CVE-2025-27220.patch

From da7aadf928d85ffdf594d7e77aed4a441f7c3ebb Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Fri, 21 Feb 2025 15:53:31 +0900
Subject: [PATCH 2/2] Escape/unescape unclosed tags as well

Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
---
 lib/cgi/util.rb           |  4 ++--
 test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
index 5a5c77a..ce77a0c 100644
--- a/lib/cgi/util.rb
+++ b/lib/cgi/util.rb
@@ -178,7 +178,7 @@ module CGI::Util
   def escapeElement(string, *elements)
     elements = elements[0] if elements[0].kind_of?(Array)
     unless elements.empty?
-      string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
+      string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
         CGI.escapeHTML($&)
       end
     else
@@ -198,7 +198,7 @@ module CGI::Util
   def unescapeElement(string, *elements)
     elements = elements[0] if elements[0].kind_of?(Array)
     unless elements.empty?
-      string.gsub(/&lt;\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?&gt;/i) do
+      string.gsub(/&lt;\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:&gt;)?/im) do
         unescapeHTML($&)
       end
     else
diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
index a3be193..d058ccc 100644
--- a/test/cgi/test_cgi_util.rb
+++ b/test/cgi/test_cgi_util.rb
@@ -244,6 +244,14 @@ class CGIUtilTest < Test::Unit::TestCase
     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', "A", "IMG"))
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', ["A", "IMG"]))
   end
 
 
@@ -252,6 +260,16 @@ class CGIUtilTest < Test::Unit::TestCase
     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
   end
 end
 
-- 
2.33.0
fix CVE-2025-27219 CVE-2025-27220 CVE-2025-27221 2025-02-28 16:14:19 +08:00			`From da7aadf928d85ffdf594d7e77aed4a441f7c3ebb Mon Sep 17 00:00:00 2001`
			`From: Hiroshi SHIBATA <hsbt@ruby-lang.org>`
			`Date: Fri, 21 Feb 2025 15:53:31 +0900`
			`Subject: [PATCH 2/2] Escape/unescape unclosed tags as well`

			`Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>`
			`---`
			`lib/cgi/util.rb \| 4 ++--`
			`test/cgi/test_cgi_util.rb \| 18 ++++++++++++++++++`
			`2 files changed, 20 insertions(+), 2 deletions(-)`

			`diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb`
			`index 5a5c77a..ce77a0c 100644`
			`--- a/lib/cgi/util.rb`
			`+++ b/lib/cgi/util.rb`
			`@@ -178,7 +178,7 @@ module CGI::Util`
			`def escapeElement(string, *elements)`
			`elements = elements[0] if elements[0].kind_of?(Array)`
			`unless elements.empty?`
			`- string.gsub(/<\/?(?:#{elements.join("\|")})(?!\w)(?:.\|\n)*?>/i) do`
			`+ string.gsub(/<\/?(?:#{elements.join("\|")})\b[^<>]*+>?/im) do`
			`CGI.escapeHTML($&)`
			`end`
			`else`
			`@@ -198,7 +198,7 @@ module CGI::Util`
			`def unescapeElement(string, *elements)`
			`elements = elements[0] if elements[0].kind_of?(Array)`
			`unless elements.empty?`
			`- string.gsub(/<\/?(?:#{elements.join("\|")})(?!\w)(?:.\|\n)*?>/i) do`
			`+ string.gsub(/<\/?(?:#{elements.join("\|")})\b(?>[^&]+\|&(?![gl]t;)\w+;)*(?:>)?/im) do`
			`unescapeHTML($&)`
			`end`
			`else`
			`diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb`
			`index a3be193..d058ccc 100644`
			`--- a/test/cgi/test_cgi_util.rb`
			`+++ b/test/cgi/test_cgi_util.rb`
			`@@ -244,6 +244,14 @@ class CGIUtilTest < Test::Unit::TestCase`
			`assert_equal("<BR><A HREF="url"></A>", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))`
			`assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))`
			`assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))`
			`+`
			`+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))`
			`+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))`
			`+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', "A", "IMG"))`
			`+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))`
			`+`
			`+ assert_equal("<A <A ", escapeElement('<A <A ', "A", "IMG"))`
			`+ assert_equal("<A <A ", escapeElement('<A <A ', ["A", "IMG"]))`
			`end`


			`@@ -252,6 +260,16 @@ class CGIUtilTest < Test::Unit::TestCase`
			`assert_equal('<BR><A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))`
			`assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))`
			`assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))`
			`+`
			`+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))`
			`+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))`
			`+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))`
			`+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))`
			`+`
			`+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))`
			`+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))`
			`+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))`
			`+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))`
			`end`
			`end`

			`--`
			`2.33.0`