From 1e9418c0c070feda45618039de84111a7c641027 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Tue, 25 Jun 2024 16:00:49 +0800
Subject: [PATCH] Fix CVE-2023-23913
(cherry picked from commit 0d9523c2849be010a72a8b226f02379f252f239c)
---
 CVE-2023-23913.patch | 132 ++++++++++++++++++++++++++++++++++++++++
 rubygem-actionview.spec | 7 ++-
 2 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-23913.patch
diff --git a/CVE-2023-23913.patch b/CVE-2023-23913.patch
new file mode 100644
index 0000000..89c52eb
--- /dev/null
+++ b/CVE-2023-23913.patch
@@ -0,0 +1,132 @@
+Refer:
+https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
+https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1
+
+From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
+From: Zack Deveau
+Date: Mon, 16 Jan 2023 09:43:54 -0500
+Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
+ contenteditable
+
+There is a potential DOM based cross-site scripting issue in rails-ujs
+which leverages the Clipboard API to target HTML elements that are
+assigned the contenteditable attribute. This has the potential to occur
+when pasting malicious HTML content from the clipboard that includes
+a data-method, data-disable-with or data-remote attribute.
+
+[CVE-2023-23913]
+
+---
+ lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 5 deletions(-)
+
+diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
+index 2176247..d428163 100644
+--- a/lib/assets/compiled/rails-ujs.js
++++ b/lib/assets/compiled/rails-ujs.js
+@@ -73,6 +73,22 @@ Released under the MIT license
+ return element[expando][key] = value;
+ };
+
++ Rails.isContentEditable = function(element) {
++ var isEditable;
++ isEditable = false;
++ while (true) {
++ if (element.isContentEditable) {
++ isEditable = true;
++ break;
++ }
++ element = element.parentElement;
++ if (!element) {
++ break;
++ }
++ }
++ return isEditable;
++ };
++
+ Rails.$ = function(selector) {
+ return Array.prototype.slice.call(document.querySelectorAll(selector));
+ };
+@@ -395,9 +411,9 @@ Released under the MIT license
+
+ }).call(this);
+ (function() {
+- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
++ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
+
+- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
++ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
+
+ Rails.handleDisabledElement = function(e) {
+ var element;
+@@ -417,6 +433,9 @@ Released under the MIT license
+ } else {
+ element = e;
+ }
++ if (isContentEditable(element)) {
++ return;
++ }
+ if (matches(element, Rails.linkDisableSelector)) {
+ return enableLinkElement(element);
+ } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
+@@ -429,6 +448,9 @@ Released under the MIT license
+ Rails.disableElement = function(e) {
+ var element;
+ element = e instanceof Event ? e.target : e;
++ if (isContentEditable(element)) {
++ return;
++ }
+ if (matches(element, Rails.linkDisableSelector)) {
+ return disableLinkElement(element);
+ } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
+@@ -513,10 +535,12 @@ Released under the MIT license
+
+ }).call(this);
+ (function() {
+- var stopEverything;
++ var isContentEditable, stopEverything;
+
+ stopEverything = Rails.stopEverything;
+
++ isContentEditable = Rails.isContentEditable;
++
+ Rails.handleMethod = function(e) {
+ var csrfParam, csrfToken, form, formContent, href, link, method;
+ link = this;
+@@ -524,6 +548,9 @@ Released under the MIT license
+ if (!method) {
+ return;
+ }
++ if (isContentEditable(this)) {
++ return;
++ }
+ href = Rails.href(link);
+ csrfToken = Rails.csrfToken();
+ csrfParam = Rails.csrfParam();
+@@ -545,10 +572,10 @@ Released under the MIT license
+
+ }).call(this);
+ (function() {
+- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
++ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+ slice = [].slice;
+
+- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
++ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
+
+ isRemote = function(element) {
+ var value;
+@@ -566,6 +593,10 @@ Released under the MIT license
+ fire(element, 'ajax:stopped');
+ return false;
+ }
++ if (isContentEditable(element)) {
++ fire(element, 'ajax:stopped');
++ return false;
++ }
+ withCredentials = element.getAttribute('data-with-credentials');
+ dataType = element.getAttribute('data-type') || 'script';
+ if (matches(element, Rails.formSubmitSelector)) {
+--
+2.33.0
+
diff --git a/rubygem-actionview.spec b/rubygem-actionview.spec
index fdee18b..a7eb48f 100644
--- a/rubygem-actionview.spec
+++ b/rubygem-actionview.spec
@@ -3,13 +3,14 @@
 Name: rubygem-%{gem_name}
 Version: 6.1.4.1
-Release: 1
+Release: 2
 Summary: Rendering framework putting the V in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: %{gem_name}-%{version}-tests.txz
 Source2: rails-%{version}-tools.txz
+Patch3000: CVE-2023-23913.patch
 BuildRequires: ruby(release)
 BuildRequires: rubygems-devel
@@ -36,6 +37,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version} -b1 -b2
+%patch3000 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -76,6 +78,9 @@ popd
 %doc %{gem_instdir}/CHANGELOG.md
 %changelog
+* Tue Jun 25 2024 wangkai <13474090681@163.com> - 6.1.4.1-2
+- Fix CVE-2023-23913
+
 * Mon May 02 2022 wangkerong - 6.1.4.1-1
 - Upgrade to 6.1.4.1
-- Gitee
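Review bot: `Rails.isContentEditable` reads `element.isContentEditable` before any null check, so a null argument throws a TypeError instead of returning false; `Rails.disableElement` hands it `e.target` unchanged and the other callers pass `this` or `element` straight through, so the helper should tolerate null by changing its loop head to `while (element) {` (the trailing `if (!element) { break; }` then becomes redundant). The existing `matches()` calls on those elements presumably would already have thrown on null, so this is hardening rather than a regression, and the function containing the `@@ -417` hunk (presumably `Rails.enableElement`) begins outside the hunk. Separately, the embedded header `+From 5037a13614di71727af8a175063bcf6ba1a74bdbd` does not match the upstream commit id quoted in the `Refer:` block above (`5037a13614d71727af8a175063bcf6ba1a74bdbd`, with an extra `i`), so the backport cannot be matched against upstream by hash; either fix the id or record that the file was taken from the SUSE copy. Finally, the new `isContentEditable` guards carry no explanation; a comment such as `// CVE-2023-23913: ignore data-* attributes pasted into a contenteditable region` at the first of them would tell future readers why disable-with, data-method and data-remote are skipped there.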