actionpack 5.2.4.1 → 5.2.5

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 17edac04681c0d3a1f49b81fc2f1d6a19ca548cd1907dd84b93bd9bb4eaf7c13
4
- data.tar.gz: c7903d709cebde205a7d7aec99b8f6d5d3ce39d7f1f54e9a829f4180b236c9bc
3
+ metadata.gz: 3b9466cc66aef89ae39a6f759279293fa180454f543f7149d1ab8de9ed9ae899
4
+ data.tar.gz: a72f72e877d142cc9c377615429190f6327fbd6d8e522f7ada200c30ec02bba8
5
5
  SHA512:
6
- metadata.gz: c0eb2ce0a52c4bde406f914e23ee6ce0785d836c171769bb9da1a5342f2a0b0a2132dee11a9f15f348fb66f5be2b9aaab49e00d951c4ea9fa838a6da36595770
7
- data.tar.gz: 2ab7695a61113cf2c52f0ea1fb33136a3d1e10fbc00c7c5fa06875006a2d8c62544cd20e9bff019f512c61d2bc64d7463359c57dc6a46e39c6267768b1c23d7e
6
+ metadata.gz: caf16e1e2886b217f359e358d24d6eb33e692f40165c96a324571b009ceb7d1b97df22320c2e320106aad26e4f7874db26790ba7cc4f61c9a6a21fae13f9e366
7
+ data.tar.gz: 30094a122031f1a4cff32d7cc0ad6fe4a14e318267e3cfea6ff85f9ca172f8b1f6677299634c776df580c4b3a44200e494fa06f6933821d4d5b8838d9a7a4815
data/CHANGELOG.md CHANGED
@@ -1,9 +1,41 @@
1
+ ## Rails 5.2.5 (March 26, 2021) ##
2
+
3
+ * No changes.
4
+
5
+
6
+ ## Rails 5.2.4.5 (February 10, 2021) ##
7
+
8
+ * No changes.
9
+
10
+
11
+ ## Rails 5.2.4.4 (September 09, 2020) ##
12
+
13
+ * No changes.
14
+
15
+
16
+ ## Rails 5.2.4.3 (May 18, 2020) ##
17
+
18
+ * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
19
+
20
+ * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
21
+
22
+
23
+ ## Rails 5.2.4.2 (March 19, 2020) ##
24
+
25
+ * No changes.
26
+
27
+
1
28
  ## Rails 5.2.4.1 (December 18, 2019) ##
2
29
 
3
30
  * Fix possible information leak / session hijacking vulnerability.
4
31
 
5
32
  The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
6
33
  gem dalli to be updated as well.
34
+
35
+ _Breaking changes:_
36
+ * `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
37
+ * Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
38
+ ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
7
39
 
8
40
  CVE-2019-16782.
9
41
 
@@ -318,13 +318,10 @@ module ActionController #:nodoc:
318
318
  action_path = normalize_action_path(action)
319
319
  per_form_csrf_token(session, action_path, method)
320
320
  else
321
- real_csrf_token(session)
321
+ global_csrf_token(session)
322
322
  end
323
323
 
324
- one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
325
- encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
326
- masked_token = one_time_pad + encrypted_csrf_token
327
- Base64.strict_encode64(masked_token)
324
+ mask_token(raw_token)
328
325
  end
329
326
 
330
327
  # Checks the client's masked token to see if it matches the
@@ -336,7 +333,7 @@ module ActionController #:nodoc:
336
333
  end
337
334
 
338
335
  begin
339
- masked_token = Base64.strict_decode64(encoded_masked_token)
336
+ masked_token = Base64.urlsafe_decode64(encoded_masked_token)
340
337
  rescue ArgumentError # encoded_masked_token is invalid Base64
341
338
  return false
342
339
  end
@@ -354,7 +351,8 @@ module ActionController #:nodoc:
354
351
  elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
355
352
  csrf_token = unmask_token(masked_token)
356
353
 
357
- compare_with_real_token(csrf_token, session) ||
354
+ compare_with_global_token(csrf_token, session) ||
355
+ compare_with_real_token(csrf_token, session) ||
358
356
  valid_per_form_csrf_token?(csrf_token, session)
359
357
  else
360
358
  false # Token is malformed.
@@ -369,10 +367,21 @@ module ActionController #:nodoc:
369
367
  xor_byte_strings(one_time_pad, encrypted_csrf_token)
370
368
  end
371
369
 
370
+ def mask_token(raw_token) # :doc:
371
+ one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
372
+ encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
373
+ masked_token = one_time_pad + encrypted_csrf_token
374
+ Base64.urlsafe_encode64(masked_token).delete("=")
375
+ end
376
+
372
377
  def compare_with_real_token(token, session) # :doc:
373
378
  ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
374
379
  end
375
380
 
381
+ def compare_with_global_token(token, session) # :doc:
382
+ ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
383
+ end
384
+
376
385
  def valid_per_form_csrf_token?(token, session) # :doc:
377
386
  if per_form_csrf_tokens
378
387
  correct_token = per_form_csrf_token(
@@ -388,15 +397,26 @@ module ActionController #:nodoc:
388
397
  end
389
398
 
390
399
  def real_csrf_token(session) # :doc:
391
- session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
392
- Base64.strict_decode64(session[:_csrf_token])
400
+ session[:_csrf_token] ||= SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
401
+ Base64.urlsafe_decode64(session[:_csrf_token])
393
402
  end
394
403
 
395
404
  def per_form_csrf_token(session, action_path, method) # :doc:
405
+ csrf_token_hmac(session, [action_path, method.downcase].join("#"))
406
+ end
407
+
408
+ GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
409
+ private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
410
+
411
+ def global_csrf_token(session) # :doc:
412
+ csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
413
+ end
414
+
415
+ def csrf_token_hmac(session, identifier) # :doc:
396
416
  OpenSSL::HMAC.digest(
397
417
  OpenSSL::Digest::SHA256.new,
398
418
  real_csrf_token(session),
399
- [action_path, method.downcase].join("#")
419
+ identifier
400
420
  )
401
421
  end
402
422
 
@@ -337,6 +337,8 @@ module ActionController
337
337
  @parameters.each_pair do |key, value|
338
338
  yield [key, convert_hashes_to_parameters(key, value)]
339
339
  end
340
+
341
+ self
340
342
  end
341
343
  alias_method :each, :each_pair
342
344
 
@@ -177,12 +177,12 @@ module ActionController
177
177
 
178
178
  # Methods #destroy and #load! are overridden to avoid calling methods on the
179
179
  # @store object, which does not exist for the TestSession class.
180
- class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
180
+ class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
181
181
  DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
182
182
 
183
183
  def initialize(session = {})
184
184
  super(nil, nil)
185
- @id = SecureRandom.hex(16)
185
+ @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
186
186
  @data = stringify_keys(session)
187
187
  @loaded = true
188
188
  end
@@ -93,7 +93,7 @@ module ActionDispatch
93
93
  key = key.to_s
94
94
 
95
95
  if key == "session_id"
96
- id&.public_id
96
+ id && id.public_id
97
97
  else
98
98
  @delegate[key]
99
99
  end
@@ -401,6 +401,7 @@ module ActionDispatch
401
401
  super
402
402
  end
403
403
  end
404
+ ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
404
405
  end
405
406
  end
406
407
 
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
- TINY = 4
13
- PRE = "1"
12
+ TINY = 5
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.4.1
4
+ version: 5.2.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-12-18 00:00:00.000000000 Z
11
+ date: 2021-03-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 5.2.4.1
19
+ version: 5.2.5
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 5.2.4.1
26
+ version: 5.2.5
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 5.2.4.1
101
+ version: 5.2.5
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 5.2.4.1
108
+ version: 5.2.5
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 5.2.4.1
115
+ version: 5.2.5
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 5.2.4.1
122
+ version: 5.2.5
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
299
299
  licenses:
300
300
  - MIT
301
301
  metadata:
302
- source_code_uri: https://github.com/rails/rails/tree/v5.2.4.1/actionpack
303
- changelog_uri: https://github.com/rails/rails/blob/v5.2.4.1/actionpack/CHANGELOG.md
302
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.5/actionpack
303
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.5/actionpack/CHANGELOG.md
304
304
  post_install_message:
305
305
  rdoc_options: []
306
306
  require_paths:
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
317
317
  version: '0'
318
318
  requirements:
319
319
  - none
320
- rubygems_version: 3.0.3
320
+ rubygems_version: 3.1.2
321
321
  signing_key:
322
322
  specification_version: 4
323
323
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).