---
- branch: MAIN
  date: Sun Aug 12 12:40:00 UTC 2012
  files:
  - new: '1.6'
    old: '1.5'
    path: pkgsrc/www/ruby-actionpack32/distinfo
    pathrev: pkgsrc/www/ruby-actionpack32/distinfo@1.6
    type: modified
  id: 20120812T124000Z.d1960e2950f4bd73da89316a634603e9dc248cc4
  log: |
    Update ruby-actionpack32 to 3.2.8.

    ## Rails 3.2.8 (Aug 9, 2012) ##

    * There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
      helper doesn't correctly handle malformed html.  As a result an attacker can
      execute arbitrary javascript through the use of specially crafted malformed
      html.

      *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*

    * When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
      value is not escaped.
      If untrusted data is not escaped, and is supplied as the prompt value, there
      is a potential for XSS attacks.
      Vulnerable code will look something like this:

        select_tag("name", options, :prompt => UNTRUSTED_INPUT)

      *Santiago Pastorino*
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/ruby-actionpack32'
  unixtime: '1344775200'
  user: taca