From fac5d1330d77c57e0ff535da175e898220af2f8b Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Tue, 25 Jun 2024 15:26:34 +0800
Subject: [PATCH] Fix CVE-2023-23913
---
 CVE-2023-23913.patch | 132 ++++++++++++++++++++++++++++++++++++++++
 rubygem-actionview.spec | 7 ++-
 2 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-23913.patch
diff --git a/CVE-2023-23913.patch b/CVE-2023-23913.patch
new file mode 100644
index 0000000..b4bf93f
--- /dev/null
+++ b/CVE-2023-23913.patch
@@ -0,0 +1,132 @@
+Refer:
+https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
+https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
+
+From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
+From: Zack Deveau
+Date: Mon, 16 Jan 2023 09:43:54 -0500
+Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
+ contenteditable
+
+There is a potential DOM based cross-site scripting issue in rails-ujs
+which leverages the Clipboard API to target HTML elements that are
+assigned the contenteditable attribute. This has the potential to occur
+when pasting malicious HTML content from the clipboard that includes
+a data-method, data-disable-with or data-remote attribute.
+
+[CVE-2023-23913]
+
+---
+ lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 5 deletions(-)
+
+diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
+index 34e78aa..89450be 100644
+--- a/lib/assets/compiled/rails-ujs.js
++++ b/lib/assets/compiled/rails-ujs.js
+@@ -73,6 +73,22 @@ Released under the MIT license
+ return element[expando][key] = value;
+ };
+
++ Rails.isContentEditable = function(element) {
++ var isEditable;
++ isEditable = false;
++ while (true) {
++ if (element.isContentEditable) {
++ isEditable = true;
++ break;
++ }
++ element = element.parentElement;
++ if (!element) {
++ break;
++ }
++ }
++ return isEditable;
++ };
++
+ Rails.$ = function(selector) {
+ return Array.prototype.slice.call(document.querySelectorAll(selector));
+ };
+@@ -388,9 +404,9 @@ Released under the MIT license
+
+ }).call(this);
+ (function() {
+- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, matches, setData, stopEverything;
++ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, matches, setData, stopEverything;
+
+- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
++ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
+
+ Rails.handleDisabledElement = function(e) {
+ var element;
+@@ -403,6 +419,9 @@ Released under the MIT license
+ Rails.enableElement = function(e) {
+ var element;
+ element = e instanceof Event ? e.target : e;
++ if (isContentEditable(element)) {
++ return;
++ }
+ if (matches(element, Rails.linkDisableSelector)) {
+ return enableLinkElement(element);
+ } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
+@@ -415,6 +434,9 @@ Released under the MIT license
+ Rails.disableElement = function(e) {
+ var element;
+ element = e instanceof Event ? e.target : e;
++ if (isContentEditable(element)) {
++ return;
++ }
+ if (matches(element, Rails.linkDisableSelector)) {
+ return disableLinkElement(element);
+ } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
+@@ -487,10 +509,12 @@ Released under the MIT license
+
+ }).call(this);
+ (function() {
+- var stopEverything;
++ var isContentEditable, stopEverything;
+
+ stopEverything = Rails.stopEverything;
+
++ isContentEditable = Rails.isContentEditable;
++
+ Rails.handleMethod = function(e) {
+ var csrfParam, csrfToken, form, formContent, href, link, method;
+ link = this;
+@@ -498,6 +522,9 @@ Released under the MIT license
+ if (!method) {
+ return;
+ }
++ if (isContentEditable(this)) {
++ return;
++ }
+ href = Rails.href(link);
+ csrfToken = Rails.csrfToken();
+ csrfParam = Rails.csrfParam();
+@@ -519,10 +546,10 @@ Released under the MIT license
+
+ }).call(this);
+ (function() {
+- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
++ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+ slice = [].slice;
+
+- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
++ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
+
+ isRemote = function(element) {
+ var value;
+@@ -540,6 +567,10 @@ Released under the MIT license
+ fire(element, 'ajax:stopped');
+ return false;
+ }
++ if (isContentEditable(element)) {
++ fire(element, 'ajax:stopped');
++ return false;
++ }
+ withCredentials = element.getAttribute('data-with-credentials');
+ dataType = element.getAttribute('data-type') || 'script';
+ if (matches(element, Rails.formSubmitSelector)) {
+--
+2.33.0
+
diff --git a/rubygem-actionview.spec b/rubygem-actionview.spec
index fcab388..fd1d174 100644
--- a/rubygem-actionview.spec
+++ b/rubygem-actionview.spec
@@ -3,13 +3,14 @@
 %global bootstrap 1
 Name: rubygem-%{gem_name}
 Version: 5.2.4.4
-Release: 1
+Release: 2
 Summary: Rendering framework putting the V in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0: rubygem-actionview-5.1.2-Prevent-negative-IDs-in-output-of-inspect.patch
+Patch3000: CVE-2023-23913.patch
 BuildRequires: ruby(release) rubygems-devel
 %if ! 0%{?bootstrap}
 BuildRequires: rubygem(activesupport) = %{version} rubygem(activerecord) = %{version}
@@ -32,6 +33,7 @@ Documentation for %{name}.
 %gem_install -n %{SOURCE0}
 pushd .%{gem_instdir}
 %patch0 -p2
+%patch3000 -p1
 popd
 %build
@@ -66,6 +68,9 @@ popd
 %doc %{gem_instdir}/CHANGELOG.md
 %changelog
+* Tue Jun 25 2024 wangkai <13474090681@163.com> - 5.2.4.4-2
+- Fix CVE-2023-23913
+
 * Mon Feb 8 2021sunguoshuai- 5.2.4.4-1
 - Upgrade to 5.2.4.4
-- Gitee
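Review bot: The `From 5037a13614di71727af8a175063bcf6ba1a74bdbd` header inside the new CVE-2023-23913.patch does not match the upstream commit id on its own Refer line, `5037a13614d71727af8a175063bcf6ba1a74bdbd`; the stray `i` looks like a transcription slip, and since that header is the provenance record for the backport it should read `From 5037a13614d71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001`. The backport changes only `lib/assets/compiled/rails-ujs.js`; if the 5.2.4.4 gem tree also ships the uncompiled rails-ujs sources that bundle is generated from, those would remain unpatched, which is worth confirming before treating the CVE as closed. The `%patch3000 -p1` applied from `.%{gem_instdir}` in rubygem-actionview.spec agrees with the `a/lib/…` paths in the embedded hunk, so the strip level looks correct as written.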