Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66]) by www.NetBSD.org (Postfix) with ESMTP id 0B64563B882 for ; Sun, 12 Aug 2012 09:46:50 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id DE43A14A29B; Sun, 12 Aug 2012 09:46:49 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 0670B14A24A for ; Sun, 12 Aug 2012 09:46:46 +0000 (UTC) X-Virus-Scanned: amavisd-new at NetBSD.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id xpGw_itDkD7R for ; Sun, 12 Aug 2012 09:46:45 +0000 (UTC) Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 3886A14A29B for ; Sun, 12 Aug 2012 09:46:45 +0000 (UTC) Received: by cvs.netbsd.org (Postfix, from userid 500) id 3302A175DD; Sun, 12 Aug 2012 09:46:45 +0000 (UTC) MIME-Version: 1.0 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Date: Sun, 12 Aug 2012 09:46:45 +0000 From: "Takahiro Kambe" Subject: CVS commit: pkgsrc/www/ruby-actionpack3 To: pkgsrc-changes@NetBSD.org Reply-To: taca@netbsd.org X-Mailer: log_accum Message-Id: <20120812094645.3302A175DD@cvs.netbsd.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: taca Date: Sun Aug 12 09:46:45 UTC 2012 Modified Files: pkgsrc/www/ruby-actionpack3: distinfo Log Message: Update ruby-actionpack3 to 3.0.17 ## Rails 3.0.17 (Aug 9, 2012) * There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the helper doesn't correctly handle malformed html. As a result an attacker can execute arbitrary javascript through the use of specially crafted malformed html. *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino* * When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. Vulnerable code will look something like this: select_tag("name", options, :prompt => UNTRUSTED_INPUT) *Santiago Pastorino* To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/ruby-actionpack3/distinfo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.