@JackDanger
Last active December 11, 2015 00:58
Gist: JackDanger/4519927
#!/bin/bash
# Find every Gemfile.lock on this machine whose locked rails release is not one of the
# CVE-2013-0156 fixed releases (2.3.15, 3.0.19, 3.1.10, 3.2.11), skipping gem caches.
# `egrep -l` lists the lockfiles that reference rails; `egrep -L` then keeps only those
# that do NOT already lock a fixed release.
projects=$(locate Gemfile.lock | egrep -v "(\.rvm|bundler|\.passenger)" | xargs egrep -l " rails" | xargs egrep -L 'rails \((2\.3\.15|3\.0\.19|3\.1\.10|3\.2\.11)\)' | xargs -n 1 dirname)
for project in $projects; do
  echo '-----------------'
  echo "-- PATCHING $project --"
  echo '-----------------'
  cd "$project" || continue
  # Park local changes and bring master up to date before touching the Gemfile.
  git stash
  git checkout master
  git pull
  # Pin the rails gem to the fixed release of whichever series the Gemfile is on.
  # -i.bak (no space) keeps a Gemfile.bak and works with both BSD and GNU sed.
  sed -i.bak "s/gem [\"']rails[\"'], [\"']2.*[\"']/gem 'rails', '2.3.15'/g" Gemfile
  sed -i.bak "s/gem [\"']rails[\"'], [\"']3\.0.*[\"']/gem 'rails', '3.0.19'/g" Gemfile
  sed -i.bak "s/gem [\"']rails[\"'], [\"']3\.1.*[\"']/gem 'rails', '3.1.10'/g" Gemfile
  sed -i.bak "s/gem [\"']rails[\"'], [\"']3\.2.*[\"']/gem 'rails', '3.2.11'/g" Gemfile
  # Per VULN-75/CVE-2013-0156, disable YAML and symbol parsing in the Rails XML parser
  # in case it is used elsewhere in request processing or backend communications.
  # Rails 3 and Rails 2.3 expose the parser tables under different constants, so pick
  # the initializer by the release the Gemfile now pins.
  if [[ -z $(egrep "rails[\"'], *[\"']2\.3\.15" Gemfile) ]]; then
    cat > config/initializers/CVE-2013-0156.rb <<'RUBY'
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
ActiveSupport::XmlMini::PARSING.delete('symbol')
ActiveSupport::XmlMini::PARSING.delete('yaml')
RUBY
  else
    cat > config/initializers/CVE-2013-0156.rb <<'RUBY'
ActionController::Base.param_parsers.delete(Mime::XML)
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
RUBY
  fi
  # Re-resolve the bundle so Gemfile.lock picks up the new rails release.
  bundle install
  cd - > /dev/null
  say "patched $project"   # macOS text-to-speech; harmless to drop elsewhere
done
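The gist selects lockfiles by exact match: anything that does not lock one of the four fixed releases is treated as needing the patch, so a project already on a later release (3.2.12, say) would be re-pinned downwards. The following is an added example, not part of the gist, that classifies a Gemfile.lock by comparing its locked rails release numerically against the fixed release of the same series. The function names and the minimal Gemfile.lock it constructs are the example's own.

```sh
#!/bin/sh
# Added example (not part of the gist): classify a Gemfile.lock against the
# CVE-2013-0156 fixed releases the gist pins (2.3.15, 3.0.19, 3.1.10, 3.2.11).
# A lock counts as "patched" when it is at or above the fixed release of its
# series, so 3.2.12 is not flagged. Lockfile contents below are constructed.

# rails_lock_version LOCKFILE -> prints the release locked for the rails gem
# (the 4-space-indented "    rails (x.y.z)" line under specs:), or nothing.
rails_lock_version() {
  sed -n 's/^    rails (\([0-9][0-9.]*\)).*$/\1/p' "$1" | head -n 1
}

# fixed_for_series SERIES -> prints the first fixed release for a 2.3/3.0/3.1/3.2
# series; fails for series the gist does not cover.
fixed_for_series() {
  case "$1" in
    2.3) echo 2.3.15 ;;
    3.0) echo 3.0.19 ;;
    3.1) echo 3.1.10 ;;
    3.2) echo 3.2.11 ;;
    *)   return 1 ;;
  esac
}

# version_ge A B -> succeeds when dotted release A >= B, compared numerically
# component by component (missing components count as 0), so 3.0.19 > 3.0.9.
version_ge() {
  local a="$1." b="$2." x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    a=${a#*.};  b=${b#*.}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# cve_2013_0156_status LOCKFILE -> prints patched, vulnerable, or unknown
cve_2013_0156_status() {
  local v series fixed
  v=$(rails_lock_version "$1")
  [ -n "$v" ] || { echo unknown; return 0; }
  series=$(printf '%s\n' "$v" | cut -d. -f1,2)
  fixed=$(fixed_for_series "$series") || { echo unknown; return 0; }
  if version_ge "$v" "$fixed"; then echo patched; else echo vulnerable; fi
}

# status_for_lock_version VERSION -> writes a constructed minimal Gemfile.lock
# locking that rails release into a temp dir and classifies it.
status_for_lock_version() {
  local dir
  dir=$(mktemp -d)
  printf 'GEM\n  remote: https://rubygems.org/\n  specs:\n    actionpack (%s)\n    rails (%s)\n      actionpack (= %s)\n\nDEPENDENCIES\n  rails (= %s)\n' \
    "$1" "$1" "$1" "$1" > "$dir/Gemfile.lock"
  cve_2013_0156_status "$dir/Gemfile.lock"
  rm -rf "$dir"
}

# Stand-alone demo over a few constructed locks.
for v in 2.3.14 2.3.15 3.0.9 3.2.8 3.2.11 3.2.12 4.0.0; do
  printf 'rails %-7s -> %s\n' "$v" "$(status_for_lock_version "$v")"
done
```

To use it against a real tree, replace the constructed lockfile with the real path: `cve_2013_0156_status path/to/Gemfile.lock`. Releases outside the four series the gist names come back as `unknown` rather than being guessed at.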