Ruby on Rails 'sanitize_css()' Method Cross-Site Scripting Vulnerability (CVE-2013-1855)

SSV: 60695
Published: Mar 20, 2013
Author: Root
Source: www.seebug.org

EPSS: 0.004 (Low), percentile 70.9%

BUGTRAQ ID: 58552
CVE(CAN) ID: CVE-2013-1855

Ruby on Rails, commonly abbreviated RoR or Rails, is an open-source web application framework written in Ruby that strictly follows the MVC architecture.

Ruby on Rails versions prior to 2.3.18, 3.1.12 and 3.2.13 contain an XSS vulnerability in sanitize_css within Action Pack: specially crafted text can bypass the filtering provided by the sanitize_css method, and an attacker could exploit this to execute arbitrary script code in the browser.
Affected systems:

Ruby on Rails 3.x
Ruby on Rails 2.x

Workaround:

If you cannot install the patch or upgrade immediately, the following measures are recommended to reduce the threat:

* Apply the following monkey patch:

module HTML
  class WhiteListSanitizer
    # Sanitizes a block of CSS code. Used by #sanitize when it comes across a style attribute.
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet: anchored with \A and \z so the whole value must match, not just
      # one line of it (in Ruby, ^ and $ match at every line boundary)
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
        if allowed_css_properties.include?(prop.downcase)
          clean << prop + ': ' + val + ';'
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
          # a shorthand property is kept only if every keyword in its value is an
          # allowed keyword, a hex/rgb colour, or a plain number with a unit
          unless val.split().any? do |keyword|
            !allowed_css_keywords.include?(keyword) &&
              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
            clean << prop + ': ' + val + ';'
          end
        end
      end
      clean.join(' ')
    end
  end
end
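The following is an added illustration, not part of this advisory and not Rails' own code: a stripped-down sanitize_css whose gauntlet regexes are passed in as a parameter, so the effect of the anchor change in the vendor patch can be checked directly. The pre-fix gauntlet used ^ and $ (line anchors), which in Ruby are satisfied by the first line of a multi-line value; the patched gauntlet uses \A and \z, which require the whole string to match. ALLOWED_PROPS is a constructed three-entry stand-in for Rails' allowed_css_properties, and the sample inputs are constructed.

```ruby
# Added example (not from the advisory or from Rails). Demonstrates why the
# CVE-2013-1855 fix replaced ^/$ with \A/\z in the sanitize_css gauntlet.

# Constructed subset of allowed properties (assumption; Rails keeps a much
# longer list in allowed_css_properties).
ALLOWED_PROPS = %w[color background-color font-size].freeze

# Gauntlet as it was before the fix (line anchors): each regex can be
# satisfied by the first line alone, because $ matches before a newline.
GAUNTLET_LINE_ANCHORED = [
  /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*$/,
  /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
].freeze

# Gauntlet as in the vendor patch (string anchors): the whole value must match.
GAUNTLET_STRING_ANCHORED = [
  /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*\z/,
  /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
].freeze

# true when the value satisfies every gauntlet regex, false when it is rejected
def passes_gauntlet?(style, gauntlet)
  gauntlet.all? { |re| style =~ re }
end

# Minimal sanitizer: strip url(...), run the gauntlet, then keep only the
# declarations whose property is on the allow list (the shorthand-property
# branch of the real method is omitted here).
def sanitize_css(style, gauntlet)
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
  return '' unless passes_gauntlet?(style, gauntlet)

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    clean << "#{prop}: #{val};" if ALLOWED_PROPS.include?(prop.downcase)
  end
  clean.join(' ')
end

if __FILE__ == $PROGRAM_NAME
  single_line = 'color: red; font-size: 12px'
  # constructed: the second line contains '/', which no gauntlet alternative accepts
  two_lines = "color: red\nsecond / line"
  [GAUNTLET_LINE_ANCHORED, GAUNTLET_STRING_ANCHORED].each do |gauntlet|
    puts sanitize_css(single_line, gauntlet).inspect
    puts sanitize_css(two_lines, gauntlet).inspect
  end
end
```

With the line-anchored gauntlet the two-line value is passed through with its second line intact inside the color declaration; with the string-anchored gauntlet the same value is rejected and the method returns an empty string, while ordinary single-line declarations are unaffected.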

Vendor patch:

Ruby on Rails

The vendor has released upgrade patches that fix this security issue; please download them from the vendor's homepage:

http://www.rubyonrails.com/
http://seclists.org/oss-sec/2013/q1/att-679/2-3-css_sanitize.patch
http://seclists.org/oss-sec/2013/q1/att-679/3-0-css_sanitize.patch
http://seclists.org/oss-sec/2013/q1/att-679/3-1-css_sanitize.patch
http://seclists.org/oss-sec/2013/q1/att-679/3-2-css_sanitize.patch