Fix CVE-2013-0256

Fixed an XSS exploit in darkfish.js.  This could lead to cookie
disclosure to third parties.  See CVE-2012-0256.rdoc for full details
including a patch you can apply to generated RDoc documentation.

Author: drbrain

CVE-2013-0256.rdoc

@@ -0,0 +1,49 @@
+= RDoc 2.3.0 through 3.12 XSS Exploit
+
+RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up
+to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit.  This exploit may
+lead to cookie disclosure to third parties.
+
+The exploit exists in darkfish.js which is copied from the RDoc install
+location to the generated documentation.
+
+RDoc is a static documentation generation tool.  Patching the library itself
+is insufficient to correct this exploit.  Those hosting rdoc documentation will
+need to apply the following patch.  If applied while ignoring whitespace, this
+patch will correct all affected versions:
+
+  diff --git darkfish.js darkfish.js
+  index 4be722f..f26fd45 100644
+  --- darkfish.js
+  +++ darkfish.js
+  @@ -109,13 +109,15 @@ function hookSearch() {
+   function highlightTarget( anchor ) {
+     console.debug( "Highlighting target '%s'.", anchor );
+   
+  -  $("a[name=" + anchor + "]").each( function() {
+  -    if ( !$(this).parent().parent().hasClass('target-section') ) {
+  -      console.debug( "Wrapping the target-section" );
+  -      $('div.method-detail').unwrap( 'div.target-section' );
+  -      $(this).parent().wrap( '<div class="target-section"></div>' );
+  -    } else {
+  -      console.debug( "Already wrapped." );
+  +  $("a[name]").each( function() {
+  +    if ( $(this).attr("name") == anchor ) {
+  +      if ( !$(this).parent().parent().hasClass('target-section') ) {
+  +        console.debug( "Wrapping the target-section" );
+  +        $('div.method-detail').unwrap( 'div.target-section' );
+  +        $(this).parent().wrap( '<div class="target-section"></div>' );
+  +      } else {
+  +        console.debug( "Already wrapped." );
+  +      }
+       }
+     });
+   };
+
+RDoc 3.9.5, 3.12.1 and RDoc 4.0.0.rc.2 and newer are not vulnerable to this
+exploit.
+
+This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
+
+This vulnerability has been assigned the CVE identifier CVE-2013-0256.
+

History.txt

@@ -1,3 +1,10 @@
+=== 3.9.5 / 2013-02-05
+
+* Bug fixes
+  * Fixed an XSS exploit in darkfish.js.  This could lead to cookie disclosure
+    to third parties.  See CVE-2012-0256.rdoc for full details including a
+    patch you can apply to generated RDoc documentation.
+
 === 3.9.4 / 2011-08-26
 
 * Bug fixes

Manifest.txt

@@ -1,5 +1,6 @@
 .autotest
 .document
+CVE-2013-0256.rdoc
 History.txt
 LICENSE.txt
 Manifest.txt

Rakefile

@@ -41,7 +41,7 @@ Depending on your version of ruby, you may need to install ruby rdoc/ri data:
   extra_dev_deps << ['isolate',  '~> 3']
   extra_dev_deps << ['ZenTest',  '~> 4'] # for autotest/isolate
 
-  extra_rdoc_files << 'Rakefile'
+  extra_rdoc_files << 'Rakefile' << 'CVE-2013-0256.rdoc'
   spec_extras['required_rubygems_version'] = '>= 1.3'
   spec_extras['homepage'] = 'http://docs.seattlerb.org/rdoc'
 end

lib/rdoc.rb

@@ -104,7 +104,7 @@ def self.const_missing const_name # :nodoc:
   ##
   # RDoc version you are using
 
-  VERSION = '3.9.4'
+  VERSION = '3.9.5'
 
   ##
   # Method visibilities

lib/rdoc/generator/template/darkfish/js/darkfish.js

@@ -73,13 +73,15 @@ function hookQuickSearch() {
 function highlightTarget( anchor ) {
 	console.debug( "Highlighting target '%s'.", anchor );
 
-	$("a[name=" + anchor + "]").each( function() {
-		if ( !$(this).parent().parent().hasClass('target-section') ) {
-			console.debug( "Wrapping the target-section" );
-			$('div.method-detail').unwrap( 'div.target-section' );
-			$(this).parent().wrap( '<div class="target-section"></div>' );
-		} else {
-			console.debug( "Already wrapped." );
+	$("a[name]").each( function() {
+		if ( $(this).attr("name") == anchor ) {
+			if ( !$(this).parent().parent().hasClass('target-section') ) {
+				console.debug( "Wrapping the target-section" );
+				$('div.method-detail').unwrap( 'div.target-section' );
+				$(this).parent().wrap( '<div class="target-section"></div>' );
+			} else {
+				console.debug( "Already wrapped." );
+			}
 		}
 	});
 };