!4 fix CVE-2021-28834

From: @wang_yue111
Reviewed-by: @zhanghua1831,@small_leek
Signed-off-by: @small_leek
openeuler-ci-bot 2021-03-30 09:39:46 +08:00 committed by Gitee
commit 3a12e8416d
2 changed files with 80 additions and 2 deletions

CVE-2021-28834.patch (new file, 74 lines)

@ -0,0 +1,74 @@
From 1690419eb9feacdf45afe362d21114c82051d7a4 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 29 Mar 2021 16:58:23 +0800
Subject: [PATCH] Restrict Rouge formatters to Rouge::Formatters namespace
ff0218a added support for specifying custom Rouge formatters with the
constraint that the formatter be in the Rouge::Formatters namespace, but
it did not actually enforce this constraint. For example, this is valid:
```ruby
Rouge::Formatters.const_get('CSV')
=> CSV
```
Adding the `false` parameter to `const_get` prevents this:
```ruby
Rouge::Formatters.const_get('CSV', false)
NameError: uninitialized constant Rouge::Formatters::CSV
```
---
.../converter/syntax_highlighter/rouge.rb | 2 +-
test/test_files.rb | 18 +++++++++++-------
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb
index 8ca55d8..94e8c97 100644
--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb
+++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb
@@ -62,7 +62,7 @@ module Kramdown::Converter::SyntaxHighlighter
when Class
formatter
when /\A[[:upper:]][[:alnum:]_]*\z/
- ::Rouge::Formatters.const_get(formatter)
+ ::Rouge::Formatters.const_get(formatter, false)
else
# Available in Rouge 2.0 or later
::Rouge::Formatters::HTMLLegacy
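Review bot: the `false` inherit argument on `+ ::Rouge::Formatters.const_get(formatter, false)` is the right fix: with the default `inherit = true`, `Module#const_get` called on a module also searches `Object`, so any top-level constant whose name passes `/\A[[:upper:]][[:alnum:]_]*\z/` (the `CSV` of the commit message) was handed back as a formatter class. With `false` the lookup is confined to constants defined directly in `Rouge::Formatters`; a regex-matching name that is not defined there now raises `NameError` from this branch, which is the same outcome a name defined nowhere already produced, so callers see no new exception type.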
diff --git a/test/test_files.rb b/test/test_files.rb
index d788115..3a7bd74 100644
--- a/test/test_files.rb
+++ b/test/test_files.rb
@@ -20,16 +20,20 @@ begin
end
# custom formatter for tests
- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
+ module Rouge
+ module Formatters
+ class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
- tag 'rouge_html_formatters'
+ tag 'rouge_html_formatters'
- def stream(tokens, &b)
- yield %(<div class="custom-class">)
- super
- yield %(</div>)
- end
+ def stream(tokens, &b)
+ yield %(<div class="custom-class">)
+ super
+ yield %(</div>)
+ end
+ end
+ end
end
rescue LoadError, SyntaxError, NameError
end
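Review bot: this hunk only relocates the test's custom formatter into `Rouge::Formatters` so that it still resolves once `const_get(formatter, false)` is in place; the bug being fixed has no negative test. Consider adding an assertion that a formatter name which resolves only at top level (the commit message's `'CSV'`) now raises `NameError` instead of instantiating that constant, so the inherit flag cannot be dropped again without a test failure.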
--
2.23.0
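As an added illustration of the lookup the patch above corrects (this is not kramdown's or Rouge's own code), the following stand-in models the formatter-name branch with a constructed `Rouge::Formatters` module and a constructed top-level class `Exporter` in the role of the commit message's `CSV`, and compares the lookup with and without the `false` inherit flag:

```ruby
# Added example, not kramdown's or Rouge's code: a stand-in for the formatter
# lookup patched in lib/kramdown/converter/syntax_highlighter/rouge.rb.
# Rouge::Formatters and the HTML class below are constructed for the demo;
# the real gem is not loaded.
module Rouge
  module Formatters
    class HTML; end # a legitimate formatter living inside the namespace
  end
end

# Constructed top-level class playing the role of the commit message's CSV:
# it is not a formatter and must not be reachable through a formatter name.
class Exporter; end

# Same name filter as the patched `when` branch in kramdown.
NAME_RE = /\A[[:upper:]][[:alnum:]_]*\z/

# Before the fix: const_get defaults to inherit=true, so after checking
# Rouge::Formatters it also consults Object and finds any top-level constant.
def lookup_vulnerable(name)
  return nil unless name.match?(NAME_RE)
  ::Rouge::Formatters.const_get(name)
end

# After the fix: inherit=false confines the search to constants defined
# directly in Rouge::Formatters; anything else raises NameError.
def lookup_fixed(name)
  return nil unless name.match?(NAME_RE)
  ::Rouge::Formatters.const_get(name, false)
end

# Wrapper that reports :rejected instead of raising, for side-by-side output.
def resolve(name, fixed:)
  fixed ? lookup_fixed(name) : lookup_vulnerable(name)
rescue NameError
  :rejected
end

if $PROGRAM_NAME == __FILE__
  %w[HTML Exporter Object].each do |n|
    puts "#{n}: vulnerable=#{resolve(n, fixed: false)} fixed=#{resolve(n, fixed: true)}"
  end
end
```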


@ -1,11 +1,12 @@
%global gem_name kramdown
Name: rubygem-%{gem_name}
Version: 2.1.0
Release: 1
Release: 2
Summary: A fast pure Ruby yet-another-markdown-parser
License: MIT
URL: http://kramdown.rubyforge.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Patch0000: CVE-2021-28834.patch
BuildRequires: ruby(release) rubygems-devel rubygem(minitest) >= 5 rubygem(rouge)
BuildRequires: rubygem(test-unit) tidy tex tex(acronym.sty) tex(amssymb.sty)
BuildRequires: tex(amsmath.sty) tex(amsthm.sty) tex(amsfonts.sty) tex(utf8x.def) tex-ec
@ -28,7 +29,7 @@ Documentation for %{name}
%prep
gem unpack %{SOURCE0}
%autosetup -D -T -n kramdown-%{version}
%autosetup -D -T -n kramdown-%{version} -p1
gem spec %{SOURCE0} -l --ruby > kramdown.gemspec
%build
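Review bot: the added `-p1` on `%autosetup -D -T -n kramdown-%{version} -p1` is required, not optional: `CVE-2021-28834.patch` names its files with `a/` and `b/` prefixes (`a/lib/kramdown/converter/syntax_highlighter/rouge.rb`), and without a strip level `patch` would look for the bare basename rather than the path under the unpacked tree, so `Patch0000` would fail to apply. Keeping `-D -T` alongside the preceding `gem unpack %{SOURCE0}` is consistent, since the gem is unpacked by hand rather than by `%setup`.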
@ -83,6 +84,9 @@ popd
%doc %{gem_docdir}
%changelog
* Mon Mar 29 2021 wangyue <wangyue92@huawei.com> - 2.1.0-2
- fix CVE-2021-28834
* Tue Dec 15 2020 chengzihan <chengzihan2@huawei.com> - 2.1.0-1
- update to 2.1.0