993302 – (CVE-2016-6316) VUL-0: CVE-2016-6316: rubygem-actionview-*: Possible XSS Vulnerability in Action View

Bug 993302 (CVE-2016-6316) - VUL-0: CVE-2016-6316: rubygem-actionview-*: Possible XSS Vulnerability in Action View

Summary: VUL-0: CVE-2016-6316: rubygem-actionview-*: Possible XSS Vulnerability in Ac...

Status:	RESOLVED FIXED

Alias:	CVE-2016-6316

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/171842/
Whiteboard:	CVSSv2:RedHat:CVE-2016-6316:4.3:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-08-11 12:28 UTC by Victor Pereira
Modified:	2023-04-25 11:16 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
upstream patch for 3.2 (3.14 KB, patch) 2016-08-11 12:28 UTC, Victor Pereira	Details \| Diff
patch for 4.2 (2.19 KB, patch) 2016-08-11 12:29 UTC, Victor Pereira	Details \| Diff
path for 5.0 (2.53 KB, patch) 2016-08-11 12:32 UTC, Victor Pereira	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2016-08-11 12:28:12 UTC

Created attachment 687773 [details]
upstream patch for 3.2

# Possible XSS Vulnerability in Action View

There is a possible XSS vulnerability in Action View.  Text declared as "HTML
safe" will not have quotes escaped when used as attribute values in tag
helpers.  This vulnerability has been assigned the CVE identifier
CVE-2016-6316.

Versions Affected:  >= 3.0.0.
Not affected:       < 3.0.0
Fixed Versions:     5.0.0.1, 4.2.7.1, 3.2.22.3

Impact
------
Text declared as "HTML safe" when passed as an attribute value to a tag helper
will not have quotes escaped which can lead to an XSS attack.  Impacted code
looks something like this:

```
content_tag(:div, "hi", title: user_input.html_safe)
```

Some helpers like the `sanitize` helper will automatically mark strings as
"HTML safe", so impacted code could also look something like this:

```
content_tag(:div, "hi", title: sanitize(user_input))
```

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
You can work around this issue by either *not* marking arbitrary user input as
safe, or by manually escaping quotes like this:

```
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 3-2-rails-xss.patch - Patch for 3.2 series
* 4-2-rails-xss.patch - Patch for 4.2 series
* 5-0-rails-xss.patch - Patch for 5.0 series

Please note that only the 5.0.x and 4.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------

Thanks to Andrew Carpenter of Critical Juncture for reporting this issue and
sending a patch to fix it!

Comment 1 Victor Pereira 2016-08-11 12:29:54 UTC

Created attachment 687776 [details]
patch for 4.2

Comment 2 Victor Pereira 2016-08-11 12:32:58 UTC

Created attachment 687778 [details]
path for 5.0

Comment 3 Swamp Workflow Management 2016-08-11 22:00:25 UTC

bugbot adjusting priority

Comment 7 Swamp Workflow Management 2017-10-12 16:12:03 UTC

SUSE-SU-2017:2716-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1055962,968849,993302,993313
CVE References: CVE-2016-2098,CVE-2016-6316,CVE-2016-6317
Sources used:
SUSE OpenStack Cloud 7 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1
SUSE OpenStack Cloud 6 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1
SUSE Enterprise Storage 4 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1
SUSE Enterprise Storage 3 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1

Comment 8 Johannes Segitz 2018-04-16 11:59:16 UTC

fixed

Comment 9 Marcus Meissner 2018-06-11 15:17:15 UTC