Apply security fixes for:

CVE-2011-0446: Potential XSS Problem with mail_to :encode => :javascript
CVE-2011-0447: CSRF Protection Bypass

OK ajacoutot@

devel/ruby-actionpack/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.28 2011/01/06 04:24:22 jeremy Exp $
+# $OpenBSD: Makefile,v 1.29 2011/02/10 01:42:21 jeremy Exp $
 
 COMMENT =	eases web-request routing, handling, and response
 
 VERSION =	3.0.3
 DISTNAME =	actionpack-${VERSION}
-REVISION =	0
+REVISION =	1
 CATEGORIES =	devel
 
 # MIT License

devel/ruby-actionpack/patches/patch-lib_action_controller_metal_request_forgery_protection_rb

@@ -0,0 +1,41 @@
+$OpenBSD: patch-lib_action_controller_metal_request_forgery_protection_rb,v 1.1 2011/02/10 01:42:22 jeremy Exp $
+
+Fix for CVE-2011-0447.
+
+--- lib/action_controller/metal/request_forgery_protection.rb.orig	Wed Dec 31 16:00:00 1969
++++ lib/action_controller/metal/request_forgery_protection.rb	Wed Feb  9 08:48:24 2011
+@@ -85,25 +85,24 @@ module ActionController #:nodoc:
+     end
+ 
+     protected
+-
+-      def protect_from_forgery(options = {})
+-        self.request_forgery_protection_token ||= :authenticity_token
+-        before_filter :verify_authenticity_token, options
+-      end
+-
+       # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
+       def verify_authenticity_token
+-        verified_request? || raise(ActionController::InvalidAuthenticityToken)
++        verified_request? || handle_unverified_request
+       end
+ 
++      def handle_unverified_request
++        reset_session
++      end
++
+       # Returns true or false if a request is verified.  Checks:
+       #
+-      # * is the format restricted?  By default, only HTML requests are checked.
+       # * is it a GET request?  Gets should be safe and idempotent
+       # * Does the form_authenticity_token match the given token value from the params?
++      # * Does the X-CSRF-Token header match the form_authenticity_token
+       def verified_request?
+-        !protect_against_forgery? || request.forgery_whitelisted? ||
+-          form_authenticity_token == params[request_forgery_protection_token]
++        !protect_against_forgery? || request.get? ||
++          form_authenticity_token == params[request_forgery_protection_token] ||
++          form_authenticity_token == request.headers['X-CSRF-Token']
+       end
+ 
+       # Sets the token value for the current session.

devel/ruby-actionpack/patches/patch-lib_action_dispatch_http_request_rb

@@ -0,0 +1,17 @@
+$OpenBSD: patch-lib_action_dispatch_http_request_rb,v 1.1 2011/02/10 01:42:22 jeremy Exp $
+
+Fix for CVE-2011-0447.
+
+--- lib/action_dispatch/http/request.rb.orig	Wed Dec 31 16:00:00 1969
++++ lib/action_dispatch/http/request.rb	Wed Feb  9 08:48:24 2011
+@@ -141,8 +141,9 @@ module ActionDispatch
+     end
+ 
+     def forgery_whitelisted?
+-      get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
++      get?
+     end
++    deprecate :forgery_whitelisted? => "it is just an alias for 'get?' now, update your code"
+ 
+     def media_type
+       content_mime_type.to_s

devel/ruby-actionpack/patches/patch-lib_action_view_helpers_url_helper_rb

@@ -0,0 +1,17 @@
+$OpenBSD: patch-lib_action_view_helpers_url_helper_rb,v 1.1 2011/02/10 01:42:22 jeremy Exp $
+
+Fix for CVE-2011-0446.
+
+--- lib/action_view/helpers/url_helper.rb.orig	Wed Dec 31 16:00:00 1969
++++ lib/action_view/helpers/url_helper.rb	Wed Feb  9 08:48:17 2011
+@@ -490,7 +490,9 @@ module ActionView
+         string = ''
+ 
+         if encode == "javascript"
+-          "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))}');".each_byte do |c|
++          html   = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
++          html   = escape_javascript(html)
++          "document.write('#{html}');".each_byte do |c|
+             string << sprintf("%%%x", c)
+           end
+           "<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>".html_safe