rubygem-kramdown/CVE-2021-28834.patch
2021-03-29 17:09:12 +08:00


From 1690419eb9feacdf45afe362d21114c82051d7a4 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 29 Mar 2021 16:58:23 +0800
Subject: [PATCH] Restrict Rouge formatters to Rouge::Formatters namespace
ff0218a added support for specifying custom Rouge formatters with the
constraint that the formatter be in the Rouge::Formatters namespace, but
it did not actually enforce this constraint. For example, this is valid:
```ruby
Rouge::Formatters.const_get('CSV')
=> CSV
```
Adding the `false` parameter to `const_get` prevents this:
```ruby
Rouge::Formatters.const_get('CSV', false)
NameError: uninitialized constant Rouge::Formatters::CSV
```
---
.../converter/syntax_highlighter/rouge.rb | 2 +-
test/test_files.rb | 18 +++++++++++-------
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb
index 8ca55d8..94e8c97 100644
--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb
+++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb
@@ -62,7 +62,7 @@ module Kramdown::Converter::SyntaxHighlighter
when Class
formatter
when /\A[[:upper:]][[:alnum:]_]*\z/
- ::Rouge::Formatters.const_get(formatter)
+ ::Rouge::Formatters.const_get(formatter, false)
else
# Available in Rouge 2.0 or later
::Rouge::Formatters::HTMLLegacy
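Review bot: The `false` argument on the new `const_get` line is the whole security fix, yet nothing in the code says so, and a later cleanup that "simplifies" it back to `const_get(formatter)` would silently reopen the lookup to every top-level constant. Add a why-comment on that line, e.g. `# inherit=false: resolve only constants defined directly in Rouge::Formatters, never Object (CVE-2021-28834)`. Note also that `const_get` returns whatever constant carries that name, so if the namespace ever holds something other than a formatter class the `when Class` contract above is not guaranteed; a follow-up could check the result with `Class === result` before returning it, though I cannot see from this hunk whether a non-class constant can actually occur there. The enclosing `case` and its method start outside the hunk.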
diff --git a/test/test_files.rb b/test/test_files.rb
index d788115..3a7bd74 100644
--- a/test/test_files.rb
+++ b/test/test_files.rb
@@ -20,16 +20,20 @@ begin
end
# custom formatter for tests
- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
+ module Rouge
+ module Formatters
+ class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
- tag 'rouge_html_formatters'
+ tag 'rouge_html_formatters'
- def stream(tokens, &b)
- yield %(<div class="custom-class">)
- super
- yield %(</div>)
- end
+ def stream(tokens, &b)
+ yield %(<div class="custom-class">)
+ super
+ yield %(</div>)
+ end
+ end
+ end
end
rescue LoadError, SyntaxError, NameError
end
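Review bot: Moving the custom formatter into `Rouge::Formatters` keeps the existing positive test passing, but nothing in this change asserts the behavior the fix introduces, so a regression to `const_get(formatter)` would go unnoticed. Add a negative test that a bare top-level constant name is rejected, e.g. `assert_raises(NameError) { Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class(formatter: 'CSV') }`, with `require 'csv'` beforehand so the constant exists at top level and the test proves the namespace restriction rather than a missing library; the exact option key should be confirmed against `formatter_class`. Separately, the surrounding `rescue LoadError, SyntaxError, NameError` swallows a failure to define the test formatter, which would make the custom-formatter test silently disappear rather than fail; consider narrowing that rescue to `LoadError` if it only exists to tolerate Rouge being absent. The `begin` block that this rescue belongs to starts outside the hunk.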
--
2.23.0