!5 [sync] PR-4: update to 2.10.0

From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek
2022-03-31 01:28:23 +00:00 · 2022-03-31 01:28:23 +00:00 · b2e6733f4a
commit b2e6733f4a
parent ce23804a52 95a55b99d0
5 changed files with 13 additions and 98 deletions
--- a/loofah-2.10.0-test.tar.gz
+++ b/loofah-2.10.0-test.tar.gz
--- a/loofah-2.10.0.gem
+++ b/loofah-2.10.0.gem
--- a/loofah-2.2.3.gem
+++ b/loofah-2.2.3.gem
--- a/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+++ b/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
@ -1,83 +0,0 @@
-From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001
-From: Mike Dalessio <mike.dalessio@gmail.com>
-Date: Wed, 9 Oct 2019 15:36:32 -0400
-Subject: [PATCH] mitigate XSS vulnerability in SVG animate attributes
-
-this addresses CVE-2019-15587
-
-see #171 for more information
-
-https://github.com/flavorjones/loofah/issues/171
---
- lib/loofah/html5/safelist.rb    |  3 ---
- test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
- 2 files changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
-index 8abd922..4b2b6dd 100644
--- a/lib/loofah/html5/whitelist.rb
-+++ b/lib/loofah/html5/whitelist.rb
-@@ -88,7 +88,7 @@
- 
-       SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
-        arabic-form ascent attributeName attributeType baseProfile bbox begin
-       by calcMode cap-height class clip-path clip-rule color
-+       calcMode cap-height class clip-path clip-rule color
-        color-interpolation-filters color-rendering content cx cy d dx
-        dy descent display dur end fill fill-opacity fill-rule
-        filterRes filterUnits font-family
-@@ -105,9 +105,9 @@
-        stemv stop-color stop-opacity strikethrough-position
-        strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
-        stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
-       stroke-width systemLanguage target text-anchor to transform type u1
-+       stroke-width systemLanguage target text-anchor transform type u1
-        u2 underline-position underline-thickness unicode unicode-range
-       units-per-em values version viewBox visibility width widths x
-+       units-per-em version viewBox visibility width widths x
-        x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
-        xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
-        xmlns:xlink y y1 y2 zoomAndPan]
-diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
-index 16fccbb..cc6fc65 100644
--- a/test/integration/test_ad_hoc.rb
-+++ b/test/integration/test_ad_hoc.rb
-@@ -190,14 +190,32 @@ def test_dont_remove_whitespace_between_tags
-       end
-     end
- 
-    # see:
-    # - https://github.com/flavorjones/loofah/issues/154
-    # - https://hackerone.com/reports/429267
-    context "xss protection from svg xmlns:xlink animate attribute" do
-      it "sanitizes appropriate attributes" do
-        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
-+    context "xss protection from svg animate attributes" do
-+      # see recommendation from https://html5sec.org/#137
-+      # to sanitize "to", "from", "values", and "by" attributes
-+
-+      it "sanitizes 'from', 'to', and 'by' attributes" do
-+        # for CVE-2018-16468
-+        # see:
-+        # - https://github.com/flavorjones/loofah/issues/154
-+        # - https://hackerone.com/reports/429267
-+        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
-+
-         sanitized = Loofah.scrub_fragment(html, :escape)
-         assert_nil sanitized.at_css("animate")["from"]
-+        assert_nil sanitized.at_css("animate")["to"]
-+        assert_nil sanitized.at_css("animate")["by"]
-+      end
-+
-+      it "sanitizes 'values' attribute" do
-+        # for CVE-2019-15587
-+        # see:
-+        # - https://github.com/flavorjones/loofah/issues/171
-+        # - https://hackerone.com/reports/709009
-+        html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
-+
-+        sanitized = Loofah.scrub_fragment(html, :escape)
-+        assert_nil sanitized.at_css("animate")["values"]
-       end
-     end
-   end
--- a/rubygem-loofah.spec
+++ b/rubygem-loofah.spec
@ -1,15 +1,17 @@
-%bcond_with bootstrap
 %global gem_name loofah
+
 Name:                rubygem-%{gem_name}
-Version:             2.2.3
-Release:             2
+Version:             2.10.0
+Release:             1
 Summary:             Manipulate and transform HTML/XML documents and fragments
 License:             MIT
 URL:                 https://github.com/flavorjones/loofah
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Patch0:              rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+# git clone https://github.com/flavorjones/loofah.git && cd loofah
+# git archive -v -o loofah-2.10.0-test.tar.gz v2.10.0 test/
+Source1:             %{gem_name}-%{version}-test.tar.gz
 BuildRequires:       ruby(release) rubygems-devel rubygem(nokogiri) >= 1.6.6.2 rubygem(minitest)
-BuildRequires:       rubygem(crass)
+BuildRequires:       rubygem(crass) rubygem(rr) ruby
 BuildArch:           noarch
 %description
 Loofah is a general library for manipulating and transforming HTML/XML
@ -27,8 +29,7 @@ BuildArch:           noarch
 Documentation for %{name}.

 %prep
-%setup -q -n %{gem_name}-%{version}
-%patch0 -p1
+%setup -q -n %{gem_name}-%{version} -b1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -38,16 +39,15 @@ gem build ../%{gem_name}-%{version}.gemspec
 mkdir -p %{buildroot}%{gem_dir}
 cp -a .%{gem_dir}/* \
        %{buildroot}%{gem_dir}/
-%if %{with bootstrap}
+
 %check
 pushd .%{gem_instdir}
+cp -a %{_builddir}/test .
 ruby -Itest -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
 popd
-%endif

 %files
 %dir %{gem_instdir}
-%exclude %{gem_instdir}/.*
 %license %{gem_instdir}/MIT-LICENSE.txt
 %{gem_libdir}
 %exclude %{gem_cache}
@ -56,15 +56,13 @@ popd
 %files doc
 %doc %{gem_docdir}
 %doc %{gem_instdir}/CHANGELOG.md
-%{gem_instdir}/Gemfile
-%doc %{gem_instdir}/Manifest.txt
 %doc %{gem_instdir}/README.md
-%{gem_instdir}/Rakefile
 %doc %{gem_instdir}/SECURITY.md
-%{gem_instdir}/benchmark
-%{gem_instdir}/test

 %changelog
+* Thu Mar 03 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.10.0-1
+- update to 2.10.0
+
 * Sat Sep 5 2020 yanan li <liyanan032@huawei.com> - 2.2.3-2
 - Fix build fail