[SECURITY] CSS Parser Has http.verify_mode = OpenSSL::SSL::VERIFY_NONE

[JLLeitschuh]

css_parser/lib/css_parser/parser.rb

Line 646 in 3f91e8d

http.verify_mode = OpenSSL::SSL::VERIFY_NONE

The CSS parser will not validate HTTPS connections to determine if the HTTPS connection is secure. Thus allowing a MITM to inject/modify additional CSS.

[JLLeitschuh]

Once addressed, this issue should have a CVE number assigned to it using GitHub's Security Advisories feature.

https://github.com/premailer/css_parser/security

Also, I've got a follow-up security vulnerability to report. Please enable GitHub Security Advisories and I'll reach out there to report the more severe issue privately.

[grosser]

nice find

:D

[grosser]

#186

[grosser]

enabled private reporting

[grosser]

2.1.0

[mogest]

Hi @grosser, would you consider putting out a 1.x release with the fix? I use your package in prawn-svg, and asciidoctor-pdf uses prawn-svg, and they have a strong requirement to maintain support for Ruby 2.7 due to the number of people who use JRuby with their product. Thanks for the consideration.

[JLLeitschuh]

For documentation purposes: This issue is tied to GHSA-ff6c-w6qf-7xqc

[grosser]

1.22.0

[grosser]

don't think that version help you much since cve detectors will still alert on it :(

[grosser]

updated github fields in case that helps

[JLLeitschuh]

I'll ping GItHub to ask them to update the CVE so they add the additional patched version