From 0bc4066bad9d08a4742ec537dc2df262990308ff Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA
Date: Sun, 30 Apr 2023 19:59:16 +0900
Subject: [PATCH] Bacckport upstream patch for CVE-2020-26298 (bug 1915370)
---
redcarpet-3.3.2-CVE-2020-26298.patch | 56 ++++++++++++++++++++++++++++
rubygem-redcarpet.spec | 14 ++++++-
2 files changed, 69 insertions(+), 1 deletion(-)
create mode 100644 redcarpet-3.3.2-CVE-2020-26298.patch
diff --git a/redcarpet-3.3.2-CVE-2020-26298.patch b/redcarpet-3.3.2-CVE-2020-26298.patch
new file mode 100644
index 0000000..a497676
--- /dev/null
+++ b/redcarpet-3.3.2-CVE-2020-26298.patch
@@ -0,0 +1,56 @@
+From a699c82292b17c8e6a62e1914d5eccc252272793 Mon Sep 17 00:00:00 2001
+From: Robin Dupret
+Date: Tue, 15 Dec 2020 20:57:32 +0100
+Subject: [PATCH] Fix a security issue using `:quote` with `:escape_html`
+
+Reported by @johan-smits.
+---
+ CHANGELOG.md | 7 +++++++
+ ext/redcarpet/html.c | 9 ++++++++-
+ lib/redcarpet.rb | 2 +-
+ redcarpet.gemspec | 4 ++--
+ test/markdown_test.rb | 10 ++++++++++
+ 5 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c
+index 805ddd8e..785f780f 100644
+--- a/ext/redcarpet/html.c
++++ b/ext/redcarpet/html.c
+@@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque)
+ if (!text || !text->size)
+ return 0;
+
++ struct html_renderopt *options = opaque;
++
+ BUFPUTSL(ob, "");
+- bufput(ob, text->data, text->size);
++
++ if (options->flags & HTML_ESCAPE)
++ escape_html(ob, text->data, text->size);
++ else
++ bufput(ob, text->data, text->size);
++
+ BUFPUTSL(ob, "");
+
+ return 1;
+diff --git a/test/markdown_test.rb b/test/markdown_test.rb
+index 4347be9b..68de1255 100644
+--- a/test/markdown_test.rb
++++ b/test/markdown_test.rb
+@@ -220,6 +220,16 @@ def test_quote_flag_works
+ assert output.include? 'quote'
+ end
+
++ def test_quote_flag_honors_escape_html
++ text = 'We are not ""'
++
++ output_enabled = render(text, with: [:quote, :escape_html])
++ output_disabled = render(text, with: [:quote])
++
++ assert_equal "

We are not <svg/onload=pwned>

\n", output_enabled ++ assert_equal "

We are not

\n", output_disabled ++ end ++ + def test_that_fenced_flag_works + text = < - 3.3.2-26 +- Bacckport upstream patch for CVE-2020-26298 (bug 1915370) + * Fri Jan 20 2023 Fedora Release Engineering - 3.3.2-25 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
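Review bot: In the carried `rndr_quote` hunk of ext/redcarpet/html.c the span text is escaped only when `options->flags & HTML_ESCAPE` is set, so a renderer configured with `filter_html` (`HTML_SKIP_HTML`) but without `escape_html` still takes the `bufput` branch and, as far as these lines show, emits markup inside a quote span unfiltered. If that is intended, it deserves a comment above the branch, for example `/* text arrives unrendered; only HTML_ESCAPE sanitises it here, HTML_SKIP_HTML is not consulted */`; otherwise widen the condition to `if (options->flags & (HTML_ESCAPE | HTML_SKIP_HTML))`, which is the conservative choice for a security backport. Since the patch is applied to 3.3.2 rather than the upstream tree it was written for, it is also worth confirming that `escape_html` and the `@@ -255,8` context match that version's html.c and that the added `test_quote_flag_honors_escape_html` case runs during the package build. The body of `rndr_quote` begins outside the hunk, so the early-return lines are the only part of its prologue visible here.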