Fix CVE-2013-0256, an XSS exploit in RDoc

See CVE-2013-0256 for details on the exploit including a patch you can apply to generated RDoc output.
ruby · Feb 6, 2013 · ffa8788 · ffa8788
1 parent 67db3ed
commit ffa8788
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 9 deletions.
diff --git a/CVE-2013-0256.rdoc b/CVE-2013-0256.rdoc
@@ -0,0 +1,49 @@
+= RDoc 2.3.0 through 3.12 XSS Exploit
+
+RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
+to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit.  This exploit may
+lead to cookie disclosure to third parties.
+
+The exploit exists in darkfish.js which is copied from the RDoc install
+location to the generated documentation.
+
+RDoc is a static documentation generation tool.  Patching the library itself
+is insufficient to correct this exploit.  Those hosting rdoc documentation will
+need to apply the following patch.  If applied while ignoring whitespace, this
+patch will correct all affected versions:
+
+  diff --git darkfish.js darkfish.js
+  index 4be722f..f26fd45 100644
+  --- darkfish.js
+  +++ darkfish.js
+  @@ -109,13 +109,15 @@ function hookSearch() {
+   function highlightTarget( anchor ) {
+     console.debug( "Highlighting target '%s'.", anchor );
+
+  -  $("a[name=" + anchor + "]").each( function() {
+  -    if ( !$(this).parent().parent().hasClass('target-section') ) {
+  -      console.debug( "Wrapping the target-section" );
+  -      $('div.method-detail').unwrap( 'div.target-section' );
+  -      $(this).parent().wrap( '<div class="target-section"></div>' );
+  -    } else {
+  -      console.debug( "Already wrapped." );
+  +  $("a[name]").each( function() {
+  +    if ( $(this).attr("name") == anchor ) {
+  +      if ( !$(this).parent().parent().hasClass('target-section') ) {
+  +        console.debug( "Wrapping the target-section" );
+  +        $('div.method-detail').unwrap( 'div.target-section' );
+  +        $(this).parent().wrap( '<div class="target-section"></div>' );
+  +      } else {
+  +        console.debug( "Already wrapped." );
+  +      }
+       }
+     });
+   };
+
+RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this
+exploit.
+
+This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+This vulnerability has been assigned the CVE identifier CVE-2013-0256.
+
diff --git a/History.rdoc b/History.rdoc
@@ -1,4 +1,4 @@
-=== 4.0.0.preview3.1 / ??
+=== 4.0.0.rc.2 / ??
 
 As a preview release, please file bugs for any problems you have with rdoc at
 https://github.com/rdoc/rdoc/issues
@@ -14,6 +14,9 @@ to build HTML documentation when installing gems.)
   * Added current heading and page-top links to HTML headings.
 
 * Bug fixes
+  * Fixed an XSS exploit in darkfish.js.  This could lead to cookie disclosure
+    to third parties.  See CVE-2012-0256.rdoc for full details including a
+    patch you can apply to generated RDoc documentation.
   * Fixed parsing of multibyte files with incomplete characters at byte 1024.
     Ruby bug #6393 by nobu, patch by Nobuyoshi Nakada and Yui NARUSE.
   * Fixed rdoc -E.  Ruby Bug #6392 and (modified) patch by Nobuyoshi Nakada

diff --git a/Manifest.txt b/Manifest.txt
@@ -1,5 +1,6 @@
 .autotest
 .document
+CVE-2013-0256.rdoc
 DEVELOPERS.rdoc
 History.rdoc
 LEGAL.rdoc

diff --git a/Rakefile b/Rakefile
@@ -48,6 +48,7 @@ Depending on your version of ruby, you may need to install ruby rdoc/ri data:
   self.testlib = :minitest
   self.extra_rdoc_files += %w[
     DEVELOPERS.rdoc
+    CVE-2013-0256.rdoc
     History.rdoc
     LICENSE.rdoc
     LEGAL.rdoc

diff --git a/lib/rdoc.rb b/lib/rdoc.rb
@@ -64,7 +64,7 @@ class Error < RuntimeError; end
   ##
   # RDoc version you are using
 
-  VERSION = '4.0.0.preview3.1'
+  VERSION = '4.0.0.rc.2'
 
   ##
   # Method visibilities

diff --git a/lib/rdoc/generator/template/darkfish/js/darkfish.js b/lib/rdoc/generator/template/darkfish/js/darkfish.js
@@ -109,13 +109,15 @@ function hookSearch() {
 function highlightTarget( anchor ) {
   console.debug( "Highlighting target '%s'.", anchor );
 
-  $("a[name=" + anchor + "]").each( function() {
-    if ( !$(this).parent().parent().hasClass('target-section') ) {
-      console.debug( "Wrapping the target-section" );
-      $('div.method-detail').unwrap( 'div.target-section' );
-      $(this).parent().wrap( '<div class="target-section"></div>' );
-    } else {
-      console.debug( "Already wrapped." );
+  $("a[name]").each( function() {
+    if ( $(this).attr("name") == anchor ) {
+      if ( !$(this).parent().parent().hasClass('target-section') ) {
+        console.debug( "Wrapping the target-section" );
+        $('div.method-detail').unwrap( 'div.target-section' );
+        $(this).parent().wrap( '<div class="target-section"></div>' );
+      } else {
+        console.debug( "Already wrapped." );
+      }
     }
   });
 };