upgrade nokogiri to 1.4.7

This fixes a segfault we're hitting, https://github.com/tenderlove/nokogiri/issues/439 (We can't upgrade to nokogiri 1.5.x without bumping sanitize from 1.x to 2.x) explanation of spec changes: * the first xss spec started failing because nokogiri no longer drops xml directives. however, it's not exploitable. * the second xss spec started failing due to nokogiri now properly the selected honoring charset. it's also not exploitable, since canvas doesn't use utf-7. * the final spec change is because nokogiri now strips out the invalid newline, where it left it in before. test plan: specs will exercise the upgraded nokogiri gem for compatibility in our use cases Change-Id: Ie152c8c60f3df5150ee4f14ab41dfee95a342fa8 Reviewed-on: https://gerrit.instructure.com/7958 Reviewed-by: Brian Palmer <brianp@instructure.com> Tested-by: Brian Palmer <brianp@instructure.com>
2012-01-10 09:08:35 -07:00 · 2012-01-10 09:08:35 -07:00 · 8eb455c3ff
parent a88e56895d
commit 8eb455c3ff
4 changed files with 2 additions and 9 deletions
--- a/2
+++ b/2
@ -31,7 +31,7 @@ gem 'mime-types',     '1.16',   :require => 'mime/types'
 # with mini_magick 3.1
 gem 'mini_magick',    '1.3.2'
 gem 'netaddr',        '1.5.0'
-gem 'nokogiri',       '1.4.1'
+gem 'nokogiri',       '1.4.7'
 gem 'oauth',          '0.4.5'
 gem 'rack',           '~> 1.1.2' # rails requires ~> 1.1.0 but 1.1.0 has a param quoting bug
 gem 'rake',           '< 0.10'
--- a/spec/fixtures/xss/72.xss
+++ b/spec/fixtures/xss/72.xss
@ -1,5 +0,0 @@
-:xss|htc|implementation|import
-<HTML xmlns:xss>
-  <?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
-  <xss:xss>XSS</xss:xss>
-</HTML>
--- a/spec/fixtures/xss/81.xss
+++ b/spec/fixtures/xss/81.xss
@ -1,2 +0,0 @@
-head|meta|script|ad4
-<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
--- a/spec/lib/cc/importer/common_cartridge_converter_spec.rb
+++ b/spec/lib/cc/importer/common_cartridge_converter_spec.rb
@ -43,7 +43,7 @@ describe "Standard Common Cartridge importing" do
    dt.attachment_id = file2_id
    
    dt =  @course.discussion_topics.find_by_migration_id("I_00009_R")
-    dt.message.should == %{<p>Monkeys: Go!</p>\n<ul>\n<li>\n<a href="/courses/#{@course.id}/files/#{file2_id}/preview">angry_person.jpg</a>\n</li>\n<li>\n<a href="/courses/#{@course.id}/files/#{file1_id}/preview">smiling_dog.jpg</a>\n</li>\n</ul>} 
+    dt.message.should == %{<p>Monkeys: Go!</p>\n<ul><li>\n<a href="/courses/#{@course.id}/files/#{file2_id}/preview">angry_person.jpg</a>\n</li>\n<li>\n<a href="/courses/#{@course.id}/files/#{file1_id}/preview">smiling_dog.jpg</a>\n</li>\n</ul>} 
  end

  # This also tests the WebLinks, they are just content tags and don't have their own class