me
/
guix
Archived
1
0
Fork 0
Code

gnu: ruby-sanitize: Update to 5.1.0. 

* gnu/packages/patches/ruby-sanitize-system-libxml.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/ruby.scm (ruby-sanitize): Update to 5.1.0.
[source]: Change to GIT-FETCH.  Add patch.
[native-inputs]: Remove BUNDLER, RUBY-REDCARPET, and RUBY-YARD.
master
Marius Bakke 2020-05-29 14:31:29 +02:00
parent 2e366b0a83
commit f362b53c40
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
3 changed files with 51 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnu/local.mk
View File

@ -1464,7 +1464,8 @@ dist_patch_DATA = \
%D%/packages/patches/rtags-separate-rct.patch \ %D%/packages/patches/rtags-separate-rct.patch \
%D%/packages/patches/racket-store-checksum-override.patch \ %D%/packages/patches/racket-store-checksum-override.patch \
%D%/packages/patches/retroarch-disable-online-updater.patch \ %D%/packages/patches/retroarch-disable-online-updater.patch \
%D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \
%D%/packages/patches/ruby-sanitize-system-libxml.patch \
%D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
%D%/packages/patches/runc-CVE-2019-5736.patch \ %D%/packages/patches/runc-CVE-2019-5736.patch \
%D%/packages/patches/rust-1.19-mrustc.patch \ %D%/packages/patches/rust-1.19-mrustc.patch \

38
gnu/packages/patches/ruby-sanitize-system-libxml.patch 100644
View File

@ -0,0 +1,38 @@
Fix test failures that occur when nokogiri is using system libxml:
https://github.com/rgrove/sanitize/issues/198
Taken from upstream:
https://github.com/rgrove/sanitize/commit/21da9b62baf9ea659811d92e6b574130aee57eba
diff --git a/test/test_malicious_html.rb b/test/test_malicious_html.rb
index 2c23074..0756de0 100644
--- a/test/test_malicious_html.rb
+++ b/test/test_malicious_html.rb
@@ -135,6 +135,8 @@
# The relevant libxml2 code is here:
# <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588>
describe 'unsafe libxml2 server-side includes in attributes' do
+ using_unpatched_libxml2 = Nokogiri::VersionInfo.instance.libxml2_using_system?
+
tag_configs = [
{
tag_name: 'a',
@@ -166,6 +168,8 @@
input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
it 'should escape unsafe characters in attributes' do
+ skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2
+
# This uses Nokogumbo's HTML-compliant serializer rather than
# libxml2's.
@s.fragment(input).
@@ -191,6 +195,8 @@
input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
it 'should not escape characters unnecessarily' do
+ skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2
+
# This uses Nokogumbo's HTML-compliant serializer rather than
# libxml2's.
@s.fragment(input).

23
gnu/packages/ruby.scm
View File

@ -5319,33 +5319,32 @@ access the result as a Nokogiri parsed document.")
(define-public ruby-sanitize (define-public ruby-sanitize
(package (package
(name "ruby-sanitize") (name "ruby-sanitize")
(version "4.6.3") (version "5.1.0")
(home-page "https://github.com/rgrove/sanitize")
(source (origin (source (origin
(method url-fetch) (method git-fetch)
;; The gem does not include the Rakefile, so we download the ;; The gem does not include the Rakefile, so we download the
;; release tarball from Github. ;; source from Github.
(uri (string-append "https://github.com/rgrove/" (uri (git-reference
"sanitize/archive/v" version ".tar.gz")) (url home-page)
(file-name (string-append name "-" version ".tar.gz")) (commit (string-append "v" version))))
(file-name (git-file-name name version))
(patches (search-patches "ruby-sanitize-system-libxml.patch"))
(sha256 (sha256
(base32 (base32
"1fmqppwif3cm8h79006jfzkdnlxxzlry9kzk03psk0d5xpg55ycc")))) "0lj0q9yhjp0q0in5majkshnki07mw8m2vxgndx4m5na6232aszl0"))))
(build-system ruby-build-system) (build-system ruby-build-system)
(propagated-inputs (propagated-inputs
`(("ruby-crass" ,ruby-crass) `(("ruby-crass" ,ruby-crass)
("ruby-nokogiri" ,ruby-nokogiri) ("ruby-nokogiri" ,ruby-nokogiri)
("ruby-nokogumbo" ,ruby-nokogumbo))) ("ruby-nokogumbo" ,ruby-nokogumbo)))
(native-inputs (native-inputs
`(("bundler" ,bundler) `(("ruby-minitest" ,ruby-minitest)))
("ruby-minitest" ,ruby-minitest)
("ruby-redcarpet" ,ruby-redcarpet)
("ruby-yard" ,ruby-yard)))
(synopsis "Whitelist-based HTML and CSS sanitizer") (synopsis "Whitelist-based HTML and CSS sanitizer")
(description (description
"Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of "Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of
acceptable elements, attributes, and CSS properties, Sanitize will remove all acceptable elements, attributes, and CSS properties, Sanitize will remove all
unacceptable HTML and/or CSS from a string.") unacceptable HTML and/or CSS from a string.")
(home-page "https://github.com/rgrove/sanitize/")
(license license:expat))) (license license:expat)))
(define-public ruby-oj (define-public ruby-oj