actionpack 4.2.5 → 4.2.11.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 78c248276d4ad520e704762a3d993ab9952c7d0d
-  data.tar.gz: 4666bc83ad5465fd9f759888e3dfa5bd324b3d0a
+SHA256:
+  metadata.gz: 6f66b2bf3de01ffbb228cdb182413c6f0db67c97889118cd7d838192e1caed03
+  data.tar.gz: de433afa32a058562cea4ba9bd53d9adeb5d359e0f1594d033c6d5ae1e55ea2e
 SHA512:
-  metadata.gz: 9599c768364cffbb6d5df4548a77e622c2033162579e6181abe0b09474a2ab620caaa196782b18da4d6812dd693cb3c1cddc61458294d4223309bd83dd426f23
-  data.tar.gz: 37057c94d34f84b30726e7b269239fe1e6d1084814ff2e530b4b7826bc35790701c79c8556d1d96d1958ce9f102af60a6112a311510126392837fd978487f29e
+  metadata.gz: d15461d87b2063f0c2267a455457fa1375ffada1b0d8311c9c43cd660934108ad2db34486d2e29124911cfb0a342706319a5be1d6ac65aecf911231d306454e7
+  data.tar.gz: 5e5ee8c7e0efa99a88b1a0f9aceb1e2c9458dce7f4e628ff5fd4f031dabe18b5ea97e3bc1e19f4a302a66f29f559ee650d023677860070aed7f8deee419aebe1

data/CHANGELOG.md

@@ -1,3 +1,81 @@
+## Rails 4.2.11.1 (March 11, 2019) ##
+
+*   No changes.
+
+
+## Rails 4.2.11 (November 27, 2018) ##
+
+*   No changes.
+
+
+## Rails 4.2.10 (September 27, 2017) ##
+
+*   Fix regression in behavior of `normalize_path`.
+
+    In Rails 5 there was a change to ensure the encoding of the original string
+    in a path was maintained. This was incorrectly backported to Rails 4.2 which
+    caused a regression.
+
+    *Eileen M. Uchitelle*
+
+## Rails 4.2.9 (June 26, 2017) ##
+
+*   Use more specific check for :format in route path
+
+    The current check for whether to add an optional format to the path is very lax
+    and will match things like `:format_id` where there are nested resources, e.g:
+
+    ``` ruby
+    resources :formats do
+      resources :items
+    end
+    ```
+
+    Fix this by using a more restrictive regex pattern that looks for the patterns
+    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
+    allow for multiple closing parenthesis since the route may be of this form:
+
+    ``` ruby
+    get "/books(/:action(.:format))", controller: "books"
+    ```
+
+    This probably isn't what's intended since it means that the default index action
+    route doesn't support a format but we have a test for it so we need to allow it.
+
+    Fixes #28517.
+
+    *Andrew White*
+
+
+## Rails 4.2.8 (February 21, 2017) ##
+
+*   No changes.
+
+
+## Rails 4.2.7 (July 12, 2016) ##
+
+*   No changes.
+
+
+## Rails 4.2.6 (March 07, 2016) ##
+
+*   No changes.
+
+
+## Rails 4.2.5.2 (February 26, 2016) ##
+
+*   Do not allow render with unpermitted parameter.
+
+    Fixes CVE-2016-2098.
+
+    *Arthur Neves*
+
+
+## Rails 4.2.5.1 (January 25, 2015) ##
+
+*   No changes.
+
+
 ## Rails 4.2.5 (November 12, 2015) ##
 
 *   `ActionController::TestCase` can teardown gracefully if an error is raised

data/lib/abstract_controller/rendering.rb

@@ -77,7 +77,13 @@ module AbstractController
     # render "foo/bar" to render :file => "foo/bar".
     # :api: plugin
     def _normalize_args(action=nil, options={})
-      if action.is_a? Hash
+      if action.respond_to?(:permitted?)
+        if action.permitted?
+          action
+        else
+          raise ArgumentError, "render parameters are not permitted"
+        end
+      elsif action.is_a?(Hash)
         action
       else
         options

data/lib/action_controller/metal/http_authentication.rb

@@ -1,4 +1,5 @@
 require 'base64'
+require 'active_support/security_utils'
 
 module ActionController
   # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
@@ -68,7 +69,11 @@ module ActionController
           def http_basic_authenticate_with(options = {})
             before_action(options.except(:name, :password, :realm)) do
               authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-                name == options[:name] && password == options[:password]
+                # This comparison uses & so that it doesn't short circuit and
+                # uses `variable_size_secure_compare` so that length information
+                # isn't leaked.
+                ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+                  ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
               end
             end
           end

data/lib/action_controller/metal/renderers.rb

@@ -85,8 +85,6 @@ module ActionController
     #       format.csv { render csv: @csvable, filename: @csvable.name }
     #     end
     #   end
-    # To use renderers and their mime types in more concise ways, see
-    # <tt>ActionController::MimeResponds::ClassMethods.respond_to</tt>
     def self.add(key, &block)
       define_method(_render_with_renderer_method_name(key), &block)
       RENDERERS << key.to_sym

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -61,7 +61,7 @@ module ActionDispatch
                               false
                             end
 
-          if params_readable
+          v = if params_readable
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
@@ -70,6 +70,10 @@ module ActionDispatch
           else
             [Mime::HTML]
           end
+
+          v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
         end
       end
 

data/lib/action_dispatch/http/mime_type.rb

@@ -23,7 +23,7 @@ module Mime
 
   SET              = Mimes.new
   EXTENSION_LOOKUP = {}
-  LOOKUP           = Hash.new { |h, k| h[k] = Type.new(k) unless k.blank? }
+  LOOKUP           = {}
 
   class << self
     def [](type)
@@ -146,7 +146,7 @@ module Mime
       end
 
       def lookup(string)
-        LOOKUP[string]
+        LOOKUP[string] || Type.new(string)
       end
 
       def lookup_by_extension(extension)
@@ -225,9 +225,12 @@ module Mime
       end
     end
 
+    attr_reader :hash
+
     def initialize(string, symbol = nil, synonyms = [])
       @symbol, @synonyms = symbol, synonyms
       @string = string
+      @hash = [@string, @synonyms, @symbol].hash
     end
 
     def to_s
@@ -261,6 +264,13 @@ module Mime
       end
     end
 
+    def eql?(other)
+      super || (self.class == other.class &&
+                @string    == other.string &&
+                @synonyms  == other.synonyms &&
+                @symbol    == other.symbol)
+    end
+
     def =~(mime_type)
       return false if mime_type.blank?
       regexp = Regexp.new(Regexp.quote(mime_type.to_s))
@@ -274,6 +284,10 @@ module Mime
     end
 
 
+    protected
+
+    attr_reader :string, :synonyms
+
     private
 
     def to_ary; end

data/lib/action_dispatch/journey/router/utils.rb

@@ -13,7 +13,7 @@ module ActionDispatch
         #   normalize_path("")      # => "/"
         #   normalize_path("/%ab")  # => "/%AB"
         def self.normalize_path(path)
-          path = "/#{path}"
+          path = "/#{path}".force_encoding(Encoding::UTF_8)
           path.squeeze!('/')
           path.sub!(%r{/+\Z}, '')
           path.gsub!(/(%[a-f0-9]{2})/) { $1.upcase }

data/lib/action_dispatch/middleware/cookies.rb

@@ -311,7 +311,7 @@ module ActionDispatch
 
         handle_options(options)
 
-        if @cookies[name.to_s] != value or options[:expires]
+        if @cookies[name.to_s] != value || options[:expires]
           @cookies[name.to_s] = value
           @set_cookies[name.to_s] = options
           @delete_cookies.delete(name.to_s)
@@ -506,7 +506,7 @@ module ActionDispatch
 
         @parent_jar = parent_jar
         @options = options
-        secret = key_generator.generate_key(@options[:encrypted_cookie_salt])
+        secret = key_generator.generate_key(@options[:encrypted_cookie_salt])[0, ActiveSupport::MessageEncryptor.key_len]
         sign_secret = key_generator.generate_key(@options[:encrypted_signed_cookie_salt])
         @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
       end

data/lib/action_dispatch/middleware/static.rb

@@ -22,7 +22,7 @@ module ActionDispatch
 
     def match?(path)
       path = URI.parser.unescape(path)
-      return false unless path.valid_encoding?
+      return false unless valid_path?(path)
 
       paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"].map { |v|
         Rack::Utils.clean_path_info v
@@ -86,6 +86,10 @@ module ActionDispatch
           false
         end
       end
+
+      def valid_path?(path)
+        path.valid_encoding? && !path.include?("\0")
+      end
   end
 
   # This middleware will attempt to return the contents of a file's body from

data/lib/action_dispatch/routing/mapper.rb

@@ -60,6 +60,7 @@ module ActionDispatch
 
       class Mapping #:nodoc:
         ANCHOR_CHARACTERS_REGEX = %r{\A(\\A|\^)|(\\Z|\\z|\$)\Z}
+        OPTIONAL_FORMAT_REGEX = %r{(?:\(\.:format\)+|\.:format|/)\Z}
 
         attr_reader :requirements, :conditions, :defaults
         attr_reader :to, :default_controller, :default_action, :as, :anchor
@@ -110,7 +111,7 @@ module ActionDispatch
           if options_constraints.is_a?(Hash)
             split_constraints path_params, options_constraints
             options_constraints.each do |key, default|
-              if URL_OPTIONS.include?(key) && (String === default || Fixnum === default)
+              if URL_OPTIONS.include?(key) && (String === default || Integer === default)
                 @defaults[key] ||= default
               end
             end
@@ -144,7 +145,7 @@ module ActionDispatch
           end
 
           def optional_format?(path, format)
-            format != false && !path.include?(':format') && !path.end_with?('/')
+            format != false && path !~ OPTIONAL_FORMAT_REGEX
           end
 
           def normalize_options!(options, formatted, path_params, path_ast, modyoule)
@@ -790,8 +791,8 @@ module ActionDispatch
           end
 
           if options[:constraints].is_a?(Hash)
-            defaults = options[:constraints].select do
-              |k, v| URL_OPTIONS.include?(k) && (v.is_a?(String) || v.is_a?(Fixnum))
+            defaults = options[:constraints].select do |k, v|
+              URL_OPTIONS.include?(k) && (v.is_a?(String) || v.is_a?(Integer))
             end
 
             (options[:defaults] ||= {}).reverse_merge!(defaults)

data/lib/action_dispatch/routing/route_set.rb

@@ -1,6 +1,5 @@
 require 'action_dispatch/journey'
 require 'forwardable'
-require 'thread_safe'
 require 'active_support/concern'
 require 'active_support/core_ext/object/to_query'
 require 'active_support/core_ext/hash/slice'
@@ -26,7 +25,6 @@ module ActionDispatch
       class Dispatcher < Routing::Endpoint
         def initialize(defaults)
           @defaults = defaults
-          @controller_class_names = ThreadSafe::Cache.new
         end
 
         def dispatcher?; true; end
@@ -68,7 +66,7 @@ module ActionDispatch
       private
 
         def controller_reference(controller_param)
-          const_name = @controller_class_names[controller_param] ||= "#{controller_param.camelize}Controller"
+          const_name = "#{controller_param.camelize}Controller"
           ActiveSupport::Dependencies.constantize(const_name)
         end
 
@@ -471,9 +469,11 @@ module ActionDispatch
         return if MountedHelpers.method_defined?(name)
 
         routes = self
+        helpers = routes.url_helpers
+
         MountedHelpers.class_eval do
           define_method "_#{name}" do
-            RoutesProxy.new(routes, _routes_context)
+            RoutesProxy.new(routes, _routes_context, helpers)
           end
         end
 

data/lib/action_dispatch/routing/routes_proxy.rb

@@ -8,8 +8,9 @@ module ActionDispatch
       attr_accessor :scope, :routes
       alias :_routes :routes
 
-      def initialize(routes, scope)
+      def initialize(routes, scope, helpers)
         @routes, @scope = routes, scope
+        @helpers = helpers
       end
 
       def url_options
@@ -19,16 +20,16 @@ module ActionDispatch
       end
 
       def respond_to?(method, include_private = false)
-        super || routes.url_helpers.respond_to?(method)
+        super || @helpers.respond_to?(method)
       end
 
       def method_missing(method, *args)
-        if routes.url_helpers.respond_to?(method)
+        if @helpers.respond_to?(method)
           self.class.class_eval <<-RUBY, __FILE__, __LINE__ + 1
             def #{method}(*args)
               options = args.extract_options!
               args << url_options.merge((options || {}).symbolize_keys)
-              routes.url_helpers.#{method}(*args)
+              @helpers.#{method}(*args)
             end
           RUBY
           send(method, *args)

data/lib/action_dispatch/testing/integration.rb

@@ -361,6 +361,7 @@ module ActionDispatch
       # simultaneously.
       def open_session
         dup.tap do |session|
+          session.reset!
           yield session if block_given?
         end
       end

data/lib/action_pack/gem_version.rb

@@ -7,8 +7,8 @@ module ActionPack
   module VERSION
     MAJOR = 4
     MINOR = 2
-    TINY  = 5
-    PRE   = nil
+    TINY  = 11
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.2.5
+  version: 4.2.11.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-12 00:00:00.000000000 Z
+date: 2019-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.5
+        version: 4.2.11.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.5
+        version: 4.2.11.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.5
+        version: 4.2.11.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.5
+        version: 4.2.11.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.5
+        version: 4.2.11.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.5
+        version: 4.2.11.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -299,8 +299,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).