packages/rubygem-yard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-27285

Browse Source
This commit is contained in:
starlet-dx 2024-02-29 10:37:42 +08:00
parent 39d219c004
commit 3ba85b2ab0
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CVE-2024-27285.patch Normal file
View File

@ -0,0 +1,27 @@
From d78fc393d603c4fc35975969296ed381146a29d4 Mon Sep 17 00:00:00 2001
From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
Date: Wed, 28 Feb 2024 12:57:39 -0500
Subject: [PATCH] Update frames.erb
---
templates/default/fulldoc/html/frames.erb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/templates/default/fulldoc/html/frames.erb b/templates/default/fulldoc/html/frames.erb
index e803bcd6c..994aee97e 100644
--- a/templates/default/fulldoc/html/frames.erb
+++ b/templates/default/fulldoc/html/frames.erb
@@ -5,10 +5,10 @@
<title><%= options.title %></title>
</head>
<script type="text/javascript">
- var match = unescape(window.location.hash).match(/^#!(.+)/);
+ var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
- name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
- window.top.location = name;
+ name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
+ window.top.location.replace(name)
</script>
<noscript>
<h1>Oops!</h1>

8
rubygem-yard.spec
View File

@ -1,7 +1,7 @@
%global gem_name yard %global gem_name yard
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 0.9.34 Version: 0.9.34
Release: 1 Release: 2
Summary: Documentation tool for consistent and usable documentation in Ruby Summary: Documentation tool for consistent and usable documentation in Ruby
License: MIT and (BSD or Ruby) License: MIT and (BSD or Ruby)
URL: http://yardoc.org URL: http://yardoc.org
@ -9,6 +9,8 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
# git clone http://github.com/lsegal/yard # git clone http://github.com/lsegal/yard
# cd yard && git archive -v -o yard-0.9.34-spec.txz v0.9.34 spec/ # cd yard && git archive -v -o yard-0.9.34-spec.txz v0.9.34 spec/
Source1: %{gem_name}-%{version}-spec.txz Source1: %{gem_name}-%{version}-spec.txz
# https://github.com/lsegal/yard/commit/d78fc393d603c4fc35975969296ed381146a29d4
Patch0: CVE-2024-27285.patch
BuildRequires: ruby(release) rubygems-devel ruby rubygem(RedCloth) rubygem(asciidoctor) rubygem(bundler) BuildRequires: ruby(release) rubygems-devel ruby rubygem(RedCloth) rubygem(asciidoctor) rubygem(bundler)
BuildRequires: rubygem(rspec) rubygem(redcarpet) rubygem(rack) rubygem(webrick) BuildRequires: rubygem(rspec) rubygem(redcarpet) rubygem(rack) rubygem(webrick)
@ -28,6 +30,7 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} -b1 %setup -q -n %{gem_name}-%{version} -b1
%patch0 -p1
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -74,6 +77,9 @@ popd
%doc %{gem_instdir}/docs %doc %{gem_instdir}/docs
%changelog %changelog
* Thu Feb 29 2024 yaoxin <yao_xin001@hoperun.com> - 0.9.34-2
- Fix CVE-2024-27285
* Tue Aug 1 2023 liyanan <thistleslyn@163.com> - 0.9.34-1 * Tue Aug 1 2023 liyanan <thistleslyn@163.com> - 0.9.34-1
- Update to 0.9.34 - Update to 0.9.34