actionpack 5.2.4.1 → 5.2.5
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +32 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +30 -10
- data/lib/action_controller/metal/strong_parameters.rb +2 -0
- data/lib/action_controller/test_case.rb +2 -2
- data/lib/action_dispatch/request/session.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +1 -0
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +11 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3b9466cc66aef89ae39a6f759279293fa180454f543f7149d1ab8de9ed9ae899
|
4
|
+
data.tar.gz: a72f72e877d142cc9c377615429190f6327fbd6d8e522f7ada200c30ec02bba8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: caf16e1e2886b217f359e358d24d6eb33e692f40165c96a324571b009ceb7d1b97df22320c2e320106aad26e4f7874db26790ba7cc4f61c9a6a21fae13f9e366
|
7
|
+
data.tar.gz: 30094a122031f1a4cff32d7cc0ad6fe4a14e318267e3cfea6ff85f9ca172f8b1f6677299634c776df580c4b3a44200e494fa06f6933821d4d5b8838d9a7a4815
|
data/CHANGELOG.md
CHANGED
@@ -1,9 +1,41 @@
|
|
1
|
+
## Rails 5.2.5 (March 26, 2021) ##
|
2
|
+
|
3
|
+
* No changes.
|
4
|
+
|
5
|
+
|
6
|
+
## Rails 5.2.4.5 (February 10, 2021) ##
|
7
|
+
|
8
|
+
* No changes.
|
9
|
+
|
10
|
+
|
11
|
+
## Rails 5.2.4.4 (September 09, 2020) ##
|
12
|
+
|
13
|
+
* No changes.
|
14
|
+
|
15
|
+
|
16
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
17
|
+
|
18
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
19
|
+
|
20
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
21
|
+
|
22
|
+
|
23
|
+
## Rails 5.2.4.2 (March 19, 2020) ##
|
24
|
+
|
25
|
+
* No changes.
|
26
|
+
|
27
|
+
|
1
28
|
## Rails 5.2.4.1 (December 18, 2019) ##
|
2
29
|
|
3
30
|
* Fix possible information leak / session hijacking vulnerability.
|
4
31
|
|
5
32
|
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
6
33
|
gem dalli to be updated as well.
|
34
|
+
|
35
|
+
_Breaking changes:_
|
36
|
+
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
37
|
+
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
38
|
+
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
7
39
|
|
8
40
|
CVE-2019-16782.
|
9
41
|
|
@@ -318,13 +318,10 @@ module ActionController #:nodoc:
|
|
318
318
|
action_path = normalize_action_path(action)
|
319
319
|
per_form_csrf_token(session, action_path, method)
|
320
320
|
else
|
321
|
-
|
321
|
+
global_csrf_token(session)
|
322
322
|
end
|
323
323
|
|
324
|
-
|
325
|
-
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
326
|
-
masked_token = one_time_pad + encrypted_csrf_token
|
327
|
-
Base64.strict_encode64(masked_token)
|
324
|
+
mask_token(raw_token)
|
328
325
|
end
|
329
326
|
|
330
327
|
# Checks the client's masked token to see if it matches the
|
@@ -336,7 +333,7 @@ module ActionController #:nodoc:
|
|
336
333
|
end
|
337
334
|
|
338
335
|
begin
|
339
|
-
masked_token = Base64.
|
336
|
+
masked_token = Base64.urlsafe_decode64(encoded_masked_token)
|
340
337
|
rescue ArgumentError # encoded_masked_token is invalid Base64
|
341
338
|
return false
|
342
339
|
end
|
@@ -354,7 +351,8 @@ module ActionController #:nodoc:
|
|
354
351
|
elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
|
355
352
|
csrf_token = unmask_token(masked_token)
|
356
353
|
|
357
|
-
|
354
|
+
compare_with_global_token(csrf_token, session) ||
|
355
|
+
compare_with_real_token(csrf_token, session) ||
|
358
356
|
valid_per_form_csrf_token?(csrf_token, session)
|
359
357
|
else
|
360
358
|
false # Token is malformed.
|
@@ -369,10 +367,21 @@ module ActionController #:nodoc:
|
|
369
367
|
xor_byte_strings(one_time_pad, encrypted_csrf_token)
|
370
368
|
end
|
371
369
|
|
370
|
+
def mask_token(raw_token) # :doc:
|
371
|
+
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
372
|
+
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
373
|
+
masked_token = one_time_pad + encrypted_csrf_token
|
374
|
+
Base64.urlsafe_encode64(masked_token).delete("=")
|
375
|
+
end
|
376
|
+
|
372
377
|
def compare_with_real_token(token, session) # :doc:
|
373
378
|
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
|
374
379
|
end
|
375
380
|
|
381
|
+
def compare_with_global_token(token, session) # :doc:
|
382
|
+
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
|
383
|
+
end
|
384
|
+
|
376
385
|
def valid_per_form_csrf_token?(token, session) # :doc:
|
377
386
|
if per_form_csrf_tokens
|
378
387
|
correct_token = per_form_csrf_token(
|
@@ -388,15 +397,26 @@ module ActionController #:nodoc:
|
|
388
397
|
end
|
389
398
|
|
390
399
|
def real_csrf_token(session) # :doc:
|
391
|
-
session[:_csrf_token] ||= SecureRandom.
|
392
|
-
Base64.
|
400
|
+
session[:_csrf_token] ||= SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
|
401
|
+
Base64.urlsafe_decode64(session[:_csrf_token])
|
393
402
|
end
|
394
403
|
|
395
404
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
405
|
+
csrf_token_hmac(session, [action_path, method.downcase].join("#"))
|
406
|
+
end
|
407
|
+
|
408
|
+
GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
|
409
|
+
private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
|
410
|
+
|
411
|
+
def global_csrf_token(session) # :doc:
|
412
|
+
csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
|
413
|
+
end
|
414
|
+
|
415
|
+
def csrf_token_hmac(session, identifier) # :doc:
|
396
416
|
OpenSSL::HMAC.digest(
|
397
417
|
OpenSSL::Digest::SHA256.new,
|
398
418
|
real_csrf_token(session),
|
399
|
-
|
419
|
+
identifier
|
400
420
|
)
|
401
421
|
end
|
402
422
|
|
@@ -177,12 +177,12 @@ module ActionController
|
|
177
177
|
|
178
178
|
# Methods #destroy and #load! are overridden to avoid calling methods on the
|
179
179
|
# @store object, which does not exist for the TestSession class.
|
180
|
-
class TestSession < Rack::Session::Abstract::
|
180
|
+
class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
|
181
181
|
DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
|
182
182
|
|
183
183
|
def initialize(session = {})
|
184
184
|
super(nil, nil)
|
185
|
-
@id = SecureRandom.hex(16)
|
185
|
+
@id = Rack::Session::SessionId.new(SecureRandom.hex(16))
|
186
186
|
@data = stringify_keys(session)
|
187
187
|
@loaded = true
|
188
188
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-03-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 5.2.
|
19
|
+
version: 5.2.5
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 5.2.
|
26
|
+
version: 5.2.5
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 5.2.
|
101
|
+
version: 5.2.5
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 5.2.
|
108
|
+
version: 5.2.5
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 5.2.
|
115
|
+
version: 5.2.5
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 5.2.
|
122
|
+
version: 5.2.5
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
|
|
299
299
|
licenses:
|
300
300
|
- MIT
|
301
301
|
metadata:
|
302
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.
|
303
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.
|
302
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.5/actionpack
|
303
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.5/actionpack/CHANGELOG.md
|
304
304
|
post_install_message:
|
305
305
|
rdoc_options: []
|
306
306
|
require_paths:
|
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
317
317
|
version: '0'
|
318
318
|
requirements:
|
319
319
|
- none
|
320
|
-
rubygems_version: 3.
|
320
|
+
rubygems_version: 3.1.2
|
321
321
|
signing_key:
|
322
322
|
specification_version: 4
|
323
323
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|