Red Hat Bugzilla – Attachment 694933 Details for
Bug 909029
CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
[patch]
rubygem-json-1-5-CVE-2013-0269.patch
rubygem-json-1-5-CVE-2013-0269.patch (text/plain), 14.96 KB, created by
Kurt Seifried
on 2013-02-08 05:20:35 UTC
Description:
rubygem-json-1-5-CVE-2013-0269.patch
Filename:
MIME Type:
Creator:
Kurt Seifried
Created:
2013-02-08 05:20:35 UTC
Size:
14.96 KB
patch
obsolete
>From 48f6ebb4262f378813fb3aa57868d708623f99d5 Mon Sep 17 00:00:00 2001
>From: Florian Frank <flori@ping.de>
>Date: Mon, 4 Feb 2013 23:28:30 +0100
>Subject: [PATCH] Security fix create_additons problem 1.5.4
>
>---
> CHANGES | 7 ++++++
> Gemfile | 4 +++
> ext/json/ext/parser/parser.c | 2 +-
> ext/json/ext/parser/parser.rl | 2 +-
> java/src/json/ext/Parser.java | 2 +-
> java/src/json/ext/Parser.rl | 2 +-
> lib/json/add/core.rb | 9 ++++---
> lib/json/common.rb | 6 ++---
> lib/json/pure/parser.rb | 8 +++---
> tests/test_json.rb | 4 +--
> tests/test_json_addition.rb | 50 ++++++++++++++++++++++----------------
> tests/test_json_string_matching.rb | 11 ++++-----
> 12 files changed, 64 insertions(+), 43 deletions(-)
>
>diff --git a/CHANGES b/CHANGES
>index 8e751be..42328b7 100644
>--- a/CHANGES
>+++ b/CHANGES
>@@ -1,3 +1,10 @@
>+2013-02-04 (1.5.5)
>+ * Security fix for JSON create_additions default value. It should not be
>+ possible to create additions unless
>+ explicitely requested by setting the create_additions argument to true or
>+ using the JSON.load/dump interface.
>+ * Backport change that corrects Time serialisation/deserialisation on some
>+ platforms.
> 2011-08-31 (1.5.4)
> * Fix memory leak when used from multiple JRuby. (Patch by
> jfirebaugh@github).
>diff --git a/Gemfile b/Gemfile
>index eb44418..e405da2 100644
>--- a/Gemfile
>+++ b/Gemfile
>@@ -5,3 +5,7 @@ source :rubygems
> gemspec :name => 'json'
> gemspec :name => 'json_pure'
> gemspec :name => 'json-java'
>+
>+gem 'utils'
>+gem 'test-unit'
>+gem 'debugger', :platform => :mri_19
>diff --git a/ext/json/ext/parser/parser.c b/ext/json/ext/parser/parser.c
>index d1d14c7..d96a951 100644
>--- a/ext/json/ext/parser/parser.c
>+++ b/ext/json/ext/parser/parser.c
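Review bot: The Gemfile hunk adds `gem 'utils'`, `gem 'test-unit'` and `gem 'debugger', :platform => :mri_19`, none of which anything else in this patch uses, so for a backport that downstreams apply as a security update they only widen the dependency set that has to be vetted. I would drop the Gemfile hunk from the backport entirely; if test-unit is genuinely required to run the updated tests on newer Rubies, that belongs in a separate change with its own CHANGES line.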
>@@ -1671,7 +1671,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
> if (option_given_p(opts, tmp)) {
> json->create_additions = RTEST(rb_hash_aref(opts, tmp));
> } else {
>- json->create_additions = 1;
>+ json->create_additions = 0;
> }
> tmp = ID2SYM(i_create_id);
> if (option_given_p(opts, tmp)) {
>diff --git a/ext/json/ext/parser/parser.rl b/ext/json/ext/parser/parser.rl
>index e7d47e1..42d11ba 100644
>--- a/ext/json/ext/parser/parser.rl
>+++ b/ext/json/ext/parser/parser.rl
>@@ -652,7 +652,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
> if (option_given_p(opts, tmp)) {
> json->create_additions = RTEST(rb_hash_aref(opts, tmp));
> } else {
>- json->create_additions = 1;
>+ json->create_additions = 0;
> }
> tmp = ID2SYM(i_create_id);
> if (option_given_p(opts, tmp)) {
>diff --git a/java/src/json/ext/Parser.java b/java/src/json/ext/Parser.java
>index 1240922..ee3d5ec 100644
>--- a/java/src/json/ext/Parser.java
>+++ b/java/src/json/ext/Parser.java
>@@ -160,7 +160,7 @@ public class Parser extends RubyObject {
> this.symbolizeNames = opts.getBool("symbolize_names", false);
> this.quirksMode = opts.getBool("quirks_mode", false);
> this.createId = opts.getString("create_id", getCreateId(context));
>- this.createAdditions = opts.getBool("create_additions", true);
>+ this.createAdditions = opts.getBool("create_additions", false);
> this.objectClass = opts.getClass("object_class", runtime.getHash());
> this.arrayClass = opts.getClass("array_class", runtime.getArray());
> this.match_string = opts.getHash("match_string");
>diff --git a/java/src/json/ext/Parser.rl b/java/src/json/ext/Parser.rl
>index e8cd874..e9b3bbd 100644
>--- a/java/src/json/ext/Parser.rl
>+++ b/java/src/json/ext/Parser.rl
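Review bot: Flipping the default to `json->create_additions = 0;` in cParser_initialize only helps if the object-creation path tests that flag: the C code goes on to read `i_create_id` right after the changed lines, and in the Parser.java hunk on this same line `this.createId` is populated from `create_id` unconditionally, whereas the pure parser (lib/json/pure/parser.rb) sets `@create_id` to nil whenever additions are off. If the C or Java backend decides whether to instantiate a class from a non-nil create_id rather than from create_additions, the new default would not protect it; that code lies outside these hunks, so it is worth confirming both backends gate on the flag and adding the `test_extended_json_default` check for each backend. cParser_initialize's body continues outside the hunk; the parser.rl and Parser.rl hunks are the generator sources for the same lines and are correctly kept in step here.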
>@@ -162,7 +162,7 @@ public class Parser extends RubyObject {
> this.symbolizeNames = opts.getBool("symbolize_names", false);
> this.quirksMode = opts.getBool("quirks_mode", false);
> this.createId = opts.getString("create_id", getCreateId(context));
>- this.createAdditions = opts.getBool("create_additions", true);
>+ this.createAdditions = opts.getBool("create_additions", false);
> this.objectClass = opts.getClass("object_class", runtime.getHash());
> this.arrayClass = opts.getClass("array_class", runtime.getArray());
> this.match_string = opts.getHash("match_string");
>diff --git a/lib/json/add/core.rb b/lib/json/add/core.rb
>index 1ae00d0..01b8e04 100644
>--- a/lib/json/add/core.rb
>+++ b/lib/json/add/core.rb
>@@ -36,8 +36,8 @@ class Time
> if usec = object.delete('u') # used to be tv_usec -> tv_nsec
> object['n'] = usec * 1000
> end
>- if respond_to?(:tv_nsec)
>- at(*object.values_at('s', 'n'))
>+ if instance_methods.include?(:tv_nsec)
>+ at(object['s'], Rational(object['n'], 1000))
> else
> at(object['s'], object['n'] / 1000)
> end
>@@ -46,10 +46,13 @@ class Time
> # Returns a hash, that will be turned into a JSON object and represent this
> # object.
> def as_json(*)
>+ nanoseconds = [ tv_usec * 1000 ]
>+ respond_to?(:tv_nsec) and nanoseconds << tv_nsec
>+ nanoseconds = nanoseconds.max
> {
> JSON.create_id => self.class.name,
> 's' => tv_sec,
>- 'n' => respond_to?(:tv_nsec) ? tv_nsec : tv_usec * 1000
>+ 'n' => nanoseconds,
> }
> end
>
>diff --git a/lib/json/common.rb b/lib/json/common.rb
>index 43e249c..22760b6 100644
>--- a/lib/json/common.rb
>+++ b/lib/json/common.rb
>@@ -141,7 +141,7 @@ module JSON
> # the default.
> # * *create_additions*: If set to false, the Parser doesn't create
> # additions even if a matching class and create_id was found. This option
>- # defaults to true.
>+ # defaults to false.
> # * *object_class*: Defaults to Hash
> # * *array_class*: Defaults to Array
> def parse(source, opts = {})
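Review bot: `if instance_methods.include?(:tv_nsec)` in the Time.json_create hunk of lib/json/add/core.rb compares a Symbol against `instance_methods`, which returns Strings on Ruby 1.8 and Symbols on 1.9, so on 1.8 the test is always false and the code reaches the correct `at(object['s'], object['n'] / 1000)` branch only by that accident. `if method_defined?(:tv_nsec)` accepts a Symbol on both and says what is meant. The new branch also calls `Rational(...)`, which is core on 1.9 but needs `require 'rational'` on 1.8 — harmless as long as the branch is never taken there, but a one-line comment would stop someone "fixing" the condition without noticing. In the as_json hunk, `nanoseconds << tv_nsec if respond_to?(:tv_nsec)` reads more clearly than the `and` form. The json_create definition starts outside the hunk.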
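Review bot: The rewritten option text in the `parse` doc hunk of lib/json/common.rb only changes the stated default; it still does not tell callers what they opt into with `:create_additions => true`, which is the risk this fix is closing off. I would add after `# defaults to false.` a line such as `# Enable it only for input you trust: with additions on, the create_id key inside the document chooses which class's json_create is called.` The same sentence belongs in the `parse!` doc hunk of lib/json/common.rb and in the lib/json/pure/parser.rb doc hunk, which currently describe the option three different ways.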
>@@ -162,7 +162,7 @@ module JSON
> # to true.
> # * *create_additions*: If set to false, the Parser doesn't create
> # additions even if a matching class and create_id was found. This option
>- # defaults to true.
>+ # defaults to false.
> def parse!(source, opts = {})
> opts = {
> :max_nesting => false,
>@@ -299,7 +299,7 @@ module JSON
> else
> source = source.read
> end
>- result = parse(source, :max_nesting => false, :allow_nan => true)
>+ result = parse(source, :max_nesting => false, :allow_nan => true, :create_additions => false)
> recurse_proc(result, &proc) if proc
> result
> end
>diff --git a/lib/json/pure/parser.rb b/lib/json/pure/parser.rb
>index e24aac1..d02ec34 100644
>--- a/lib/json/pure/parser.rb
>+++ b/lib/json/pure/parser.rb
>@@ -63,9 +63,9 @@ module JSON
> # * *symbolize_names*: If set to true, returns symbols for the names
> # (keys) in a JSON object. Otherwise strings are returned, which is also
> # the default.
>- # * *create_additions*: If set to false, the Parser doesn't create
>- # additions even if a matchin class and create_id was found. This option
>- # defaults to true.
>+ # * *create_additions*: If set to true, the Parser creates
>+ # additions when if a matching class and create_id was found. This
>+ # option defaults to false.
> # * *object_class*: Defaults to Hash
> # * *array_class*: Defaults to Array
> # * *quirks_mode*: Enables quirks_mode for parser, that is for example
>@@ -88,7 +88,7 @@ module JSON
> if opts.key?(:create_additions)
> @create_additions = !!opts[:create_additions]
> else
>- @create_additions = true
>+ @create_additions = false
> end
> @create_id = @create_additions ? JSON.create_id : nil
> @object_class = opts[:object_class] || Hash
>diff --git a/tests/test_json.rb b/tests/test_json.rb
>index eafd758..be8cace 100755
>--- a/tests/test_json.rb
>+++ b/tests/test_json.rb
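Review bot: The `load` hunk now passes `:create_additions => false`, but the CHANGES entry in this same patch says additions are still created when "using the JSON.load/dump interface"; the two disagree and one has to change. Turning additions off in `load` is the safer reading, since load is normally fed from files and IO rather than literals, so I would fix the changelog rather than the code, and add a test alongside `test_extended_json_default` asserting that `JSON.load(json)` of an `A` yields a Hash, because nothing in tests/test_json_addition.rb exercises load at all. The `load` definition starts outside the hunk.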
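Review bot: The new comment in the lib/json/pure/parser.rb doc hunk reads `# additions when if a matching class and create_id was found. This`, which has a stray word; it should be `# additions if a matching class and create_id was found. This`. Keeping this text identical to the `parse` description in lib/json/common.rb would make the next documentation change a one-place edit.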
>@@ -263,12 +263,12 @@ class TC_JSON < Test::Unit::TestCase
> def test_generation_of_core_subclasses_with_new_to_json
> obj = SubHash2["foo" => SubHash2["bar" => true]]
> obj_json = JSON(obj)
>- obj_again = JSON(obj_json)
>+ obj_again = JSON.parse(obj_json, :create_additions => true)
> assert_kind_of SubHash2, obj_again
> assert_kind_of SubHash2, obj_again['foo']
> assert obj_again['foo']['bar']
> assert_equal obj, obj_again
>- assert_equal ["foo"], JSON(JSON(SubArray2["foo"]))
>+ assert_equal ["foo"], JSON(JSON(SubArray2["foo"]), :create_additions => true)
> end
>
> def test_generation_of_core_subclasses_with_default_to_json
>diff --git a/tests/test_json_addition.rb b/tests/test_json_addition.rb
>index 9f578a4..865880c 100755
>--- a/tests/test_json_addition.rb
>+++ b/tests/test_json_addition.rb
>@@ -71,11 +71,19 @@ class TC_JSONAddition < Test::Unit::TestCase
> a = A.new(666)
> assert A.json_creatable?
> json = generate(a)
>- a_again = JSON.parse(json)
>+ a_again = JSON.parse(json, :create_additions => true)
> assert_kind_of a.class, a_again
> assert_equal a, a_again
> end
>
>+ def test_extended_json_default
>+ a = A.new(666)
>+ assert A.json_creatable?
>+ json = generate(a)
>+ a_hash = JSON.parse(json)
>+ assert_kind_of Hash, a_hash
>+ end
>+
> def test_extended_json_disabled
> a = A.new(666)
> assert A.json_creatable?
>@@ -102,7 +110,7 @@ class TC_JSONAddition < Test::Unit::TestCase
> c = C.new
> assert !C.json_creatable?
> json = generate(c)
>- assert_raises(ArgumentError, NameError) { JSON.parse(json) }
>+ assert_raises(ArgumentError, NameError) { JSON.parse(json, :create_additions => true) }
> end
>
> def test_raw_strings
>@@ -120,7 +128,7 @@ class TC_JSONAddition < Test::Unit::TestCase
> assert_match(/\A\{.*\}\Z/, json)
> assert_match(/"json_class":"String"/, json)
> assert_match(/"raw":\[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255\]/, json)
>- raw_again = JSON.parse(json)
>+ raw_again = JSON.parse(json, :create_additions => true)
> assert_equal raw, raw_again
> end
>
>@@ -128,17 +136,17 @@ class TC_JSONAddition < Test::Unit::TestCase
>
> def test_core
> t = Time.now
>- assert_equal t.inspect, JSON(JSON(t)).inspect
>+ assert_equal t, JSON(JSON(t), :create_additions => true)
> d = Date.today
>- assert_equal d, JSON(JSON(d))
>+ assert_equal d, JSON(JSON(d), :create_additions => true)
> d = DateTime.civil(2007, 6, 14, 14, 57, 10, Rational(1, 12), 2299161)
>- assert_equal d, JSON(JSON(d))
>- assert_equal 1..10, JSON(JSON(1..10))
>- assert_equal 1...10, JSON(JSON(1...10))
>- assert_equal "a".."c", JSON(JSON("a".."c"))
>- assert_equal "a"..."c", JSON(JSON("a"..."c"))
>+ assert_equal d, JSON(JSON(d), :create_additions => true)
>+ assert_equal 1..10, JSON(JSON(1..10), :create_additions => true)
>+ assert_equal 1...10, JSON(JSON(1...10), :create_additions => true)
>+ assert_equal "a".."c", JSON(JSON("a".."c"), :create_additions => true)
>+ assert_equal "a"..."c", JSON(JSON("a"..."c"), :create_additions => true)
> s = MyJsonStruct.new 4711, 'foot'
>- assert_equal s, JSON(JSON(s))
>+ assert_equal s, JSON(JSON(s), :create_additions => true)
> struct = Struct.new :foo, :bar
> s = struct.new 4711, 'foot'
> assert_raises(JSONError) { JSON(s) }
>@@ -146,29 +154,29 @@ class TC_JSONAddition < Test::Unit::TestCase
> raise TypeError, "test me"
> rescue TypeError => e
> e_json = JSON.generate e
>- e_again = JSON e_json
>+ e_again = JSON e_json, :create_additions => true
> assert_kind_of TypeError, e_again
> assert_equal e.message, e_again.message
> assert_equal e.backtrace, e_again.backtrace
> end
>- assert_equal(/foo/, JSON(JSON(/foo/)))
>- assert_equal(/foo/i, JSON(JSON(/foo/i)))
>+ assert_equal(/foo/, JSON(JSON(/foo/), :create_additions => true))
>+ assert_equal(/foo/i, JSON(JSON(/foo/i), :create_additions => true))
> end
>
> def test_utc_datetime
> now = Time.now
>- d = DateTime.parse(now.to_s) # usual case
>- assert_equal d, JSON.parse(d.to_json)
>+ d = DateTime.parse(now.to_s, :create_additions => true) # usual case
>+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
> d = DateTime.parse(now.utc.to_s) # of = 0
>- assert_equal d, JSON.parse(d.to_json)
>+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
> d = DateTime.civil(2008, 6, 17, 11, 48, 32, Rational(1,24))
>- assert_equal d, JSON.parse(d.to_json)
>+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
> d = DateTime.civil(2008, 6, 17, 11, 48, 32, Rational(12,24))
>- assert_equal d, JSON.parse(d.to_json)
>+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
> end
>
> def test_rational_complex
>- assert_equal Rational(2, 9), JSON(JSON(Rational(2, 9)))
>- assert_equal Complex(2, 9), JSON(JSON(Complex(2, 9)))
>+ assert_equal Rational(2, 9), JSON.parse(JSON(Rational(2, 9)), :create_additions => true)
>+ assert_equal Complex(2, 9), JSON.parse(JSON(Complex(2, 9)), :create_additions => true)
> end
> end
>diff --git a/tests/test_json_string_matching.rb b/tests/test_json_string_matching.rb
>index df26a68..7335c0e 100644
>--- a/tests/test_json_string_matching.rb
>+++ b/tests/test_json_string_matching.rb
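Review bot: `d = DateTime.parse(now.to_s, :create_additions => true) # usual case` in the test_utc_datetime hunk hands a JSON option hash to `DateTime.parse`, whose second positional parameter is the `comp` flag rather than an options hash; the line only keeps working because a Hash is truthy. The search-and-replace should not have touched it — restore `d = DateTime.parse(now.to_s) # usual case` and keep the `JSON.parse(d.to_json, :create_additions => true)` assertions as they are. The surrounding `test_core` method starts outside the hunk.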
>@@ -27,14 +27,13 @@ class TestJsonStringMatching < Test::Unit::TestCase
> t = TestTime.new
> t_json = [ t ].to_json
> assert_equal [ t ],
>- JSON.parse(t_json,
>- :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
>+ JSON.parse(t_json, :create_additions => true,
>+ :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\z/ => TestTime })
> assert_equal [ t.strftime('%FT%T%z') ],
>- JSON.parse(t_json,
>- :match_string => { /\A\d{3}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
>+ JSON.parse(t_json, :create_additions => true,
>+ :match_string => { /\A\d{3}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\z/ => TestTime })
> assert_equal [ t.strftime('%FT%T%z') ],
> JSON.parse(t_json,
>- :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime },
>- :create_additions => false)
>+ :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\z/ => TestTime })
> end
> end
>--
>1.8.1.2
>