06 Feb '13, 1pm

XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)

RDoc documentation generated by the rdoc bundled with Ruby is vulnerable to an XSS exploit. All Ruby users are recommended to update Ruby to a newer version that includes the security-fixed RDoc. If you are publishing RDoc documentation generated by rdoc, you are recommended to apply a patch to the documentation or re-generate it with the security-fixed RDoc.

Impact

RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1 is vulnerable to an XSS exploit. This exploit may lead to cookie disclosure to third parties.

Details

The exploit exists in darkfish.js, which is copied from the RDoc install location to the generated documentation. RDoc is a static documentation generation tool, so patching the library itself is insufficient to correct this exploit. Those hosting rdoc documentation will need to apply the following patch.

Solution

Please a...

Full article: http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-...

Tweets

[ruby-list:49181] [ANN] Ruby 1.9.3 patchlevel 3...

ruby-lang.org 06 Feb '13, 1pm

diff --git darkfish.js darkfish.js index 4be722f..f26fd45 100644 --- darkfish.js +++ darkfish.js @@ -109,13 +109,15 @@ fun...

jQuery, why, it's jQuery, isn't it

ruby-lang.org 06 Feb '13, 2pm

diff --git darkfish.js darkfish.js index 4be722f..f26fd45 100644 --- darkfish.js +++ darkfish.js @@ -109,13 +109,15 @@ fun...