Sophie

ruby-i18n-0.7.0-1.1.mga6.src.rpm

From: Chris Lamb <lamby@debian.org>
Date: Tue, 20 Nov 2018 10:25:08 +0100
Subject: CVE-2014-10077: Prevent a remote denial-of-service vulnerability via
 an application crash by engineering a situation where `:some_key` is present
 in `keep_keys` but not present in the hash.

Backported from https://github.com/svenfuchs/i18n/commit/24e71a9a4901ed18c9cab5c53109fd9bf2416bcb
---
 lib/i18n/core_ext/hash.rb  | 2 +-
 test/core_ext/hash_test.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/i18n/core_ext/hash.rb b/lib/i18n/core_ext/hash.rb
index f2a2422..895f41a 100644
--- a/lib/i18n/core_ext/hash.rb
+++ b/lib/i18n/core_ext/hash.rb
@@ -1,7 +1,7 @@
 class Hash
   def slice(*keep_keys)
     h = {}
-    keep_keys.each { |key| h[key] = fetch(key) }
+    keep_keys.each { |key| h[key] = fetch(key) if has_key?(key) }
     h
   end unless Hash.method_defined?(:slice)
 
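Review bot: On the changed `keep_keys.each` line, `fetch(key)` is redundant once `has_key?(key)` has passed, and it performs a second lookup. `h[key] = self[key] if has_key?(key)` says the same thing more directly. A short comment would also help: it should state that absent keys are skipped on purpose. This matches the built-in `Hash#slice` that this shim stands in for when `Hash.method_defined?(:slice)` is false, and it stops a later reader from restoring the raising behaviour.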
diff --git a/test/core_ext/hash_test.rb b/test/core_ext/hash_test.rb
index 8309336..f7ebd6f 100644
--- a/test/core_ext/hash_test.rb
+++ b/test/core_ext/hash_test.rb
@@ -14,6 +14,12 @@ class I18nCoreExtHashInterpolationTest < I18n::TestCase
     assert_equal expected, hash.slice(:foo)
   end
 
+  test "#slice non-existent key" do
+    hash = { :foo => 'bar',  :baz => 'bar' }
+    expected = { :foo => 'bar' }
+    assert_equal expected, hash.slice(:foo, :not_here)
+  end
+
   test "#except" do
     hash = { :foo => 'bar',  :baz => 'bar' }
     expected = { :foo => 'bar' }