actionpack 5.2.4.2 → 5.2.4.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 96e28e2da73fb0ace4e8c62221ba405c625b91a1a5a66c691862543b557fb193
|
|
4
|
+
data.tar.gz: 0eb0326558ad0f1e88d21cff30e29d24a3dbee244140d1099aca3d9fb2610d3c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b29c5f753ceebd2fea0b9ef51563c3b728fafb0d45d9cba7dc6ed16507557d986114a323071c6fa4ad81c0e10534483dd9e374039c1d9827ccedc010c7ac528c
|
|
7
|
+
data.tar.gz: eac84dbeb5610ea6327a32268820fcf214ad84fb943fd3f98f4b4b905287afe22e33993e075081bf7cc9fd534eb8d7fef100e938ae5d75dabe977e778852b329
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,10 @@
|
|
|
1
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
|
2
|
+
|
|
3
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
|
4
|
+
|
|
5
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
|
6
|
+
|
|
7
|
+
|
|
1
8
|
## Rails 5.2.4.1 (December 18, 2019) ##
|
|
2
9
|
|
|
3
10
|
* Fix possible information leak / session hijacking vulnerability.
|
|
@@ -318,13 +318,15 @@ module ActionController #:nodoc:
|
|
|
318
318
|
action_path = normalize_action_path(action)
|
|
319
319
|
per_form_csrf_token(session, action_path, method)
|
|
320
320
|
else
|
|
321
|
-
|
|
321
|
+
global_csrf_token(session)
|
|
322
322
|
end
|
|
323
323
|
|
|
324
324
|
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
|
325
325
|
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
|
326
326
|
masked_token = one_time_pad + encrypted_csrf_token
|
|
327
|
-
Base64.
|
|
327
|
+
Base64.urlsafe_encode64(masked_token, padding: false)
|
|
328
|
+
|
|
329
|
+
mask_token(raw_token)
|
|
328
330
|
end
|
|
329
331
|
|
|
330
332
|
# Checks the client's masked token to see if it matches the
|
|
@@ -354,7 +356,8 @@ module ActionController #:nodoc:
|
|
|
354
356
|
elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
|
|
355
357
|
csrf_token = unmask_token(masked_token)
|
|
356
358
|
|
|
357
|
-
|
|
359
|
+
compare_with_global_token(csrf_token, session) ||
|
|
360
|
+
compare_with_real_token(csrf_token, session) ||
|
|
358
361
|
valid_per_form_csrf_token?(csrf_token, session)
|
|
359
362
|
else
|
|
360
363
|
false # Token is malformed.
|
|
@@ -369,10 +372,21 @@ module ActionController #:nodoc:
|
|
|
369
372
|
xor_byte_strings(one_time_pad, encrypted_csrf_token)
|
|
370
373
|
end
|
|
371
374
|
|
|
375
|
+
def mask_token(raw_token) # :doc:
|
|
376
|
+
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
|
377
|
+
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
|
378
|
+
masked_token = one_time_pad + encrypted_csrf_token
|
|
379
|
+
Base64.strict_encode64(masked_token)
|
|
380
|
+
end
|
|
381
|
+
|
|
372
382
|
def compare_with_real_token(token, session) # :doc:
|
|
373
383
|
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
|
|
374
384
|
end
|
|
375
385
|
|
|
386
|
+
def compare_with_global_token(token, session) # :doc:
|
|
387
|
+
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
|
|
388
|
+
end
|
|
389
|
+
|
|
376
390
|
def valid_per_form_csrf_token?(token, session) # :doc:
|
|
377
391
|
if per_form_csrf_tokens
|
|
378
392
|
correct_token = per_form_csrf_token(
|
|
@@ -393,10 +407,21 @@ module ActionController #:nodoc:
|
|
|
393
407
|
end
|
|
394
408
|
|
|
395
409
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
|
410
|
+
csrf_token_hmac(session, [action_path, method.downcase].join("#"))
|
|
411
|
+
end
|
|
412
|
+
|
|
413
|
+
GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
|
|
414
|
+
private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
|
|
415
|
+
|
|
416
|
+
def global_csrf_token(session) # :doc:
|
|
417
|
+
csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
|
|
418
|
+
end
|
|
419
|
+
|
|
420
|
+
def csrf_token_hmac(session, identifier) # :doc:
|
|
396
421
|
OpenSSL::HMAC.digest(
|
|
397
422
|
OpenSSL::Digest::SHA256.new,
|
|
398
423
|
real_csrf_token(session),
|
|
399
|
-
|
|
424
|
+
identifier
|
|
400
425
|
)
|
|
401
426
|
end
|
|
402
427
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.2.4.
|
|
4
|
+
version: 5.2.4.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-05-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 5.2.4.
|
|
19
|
+
version: 5.2.4.3
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 5.2.4.
|
|
26
|
+
version: 5.2.4.3
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rack
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -98,28 +98,28 @@ dependencies:
|
|
|
98
98
|
requirements:
|
|
99
99
|
- - '='
|
|
100
100
|
- !ruby/object:Gem::Version
|
|
101
|
-
version: 5.2.4.
|
|
101
|
+
version: 5.2.4.3
|
|
102
102
|
type: :runtime
|
|
103
103
|
prerelease: false
|
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
|
105
105
|
requirements:
|
|
106
106
|
- - '='
|
|
107
107
|
- !ruby/object:Gem::Version
|
|
108
|
-
version: 5.2.4.
|
|
108
|
+
version: 5.2.4.3
|
|
109
109
|
- !ruby/object:Gem::Dependency
|
|
110
110
|
name: activemodel
|
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
|
112
112
|
requirements:
|
|
113
113
|
- - '='
|
|
114
114
|
- !ruby/object:Gem::Version
|
|
115
|
-
version: 5.2.4.
|
|
115
|
+
version: 5.2.4.3
|
|
116
116
|
type: :development
|
|
117
117
|
prerelease: false
|
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
|
119
119
|
requirements:
|
|
120
120
|
- - '='
|
|
121
121
|
- !ruby/object:Gem::Version
|
|
122
|
-
version: 5.2.4.
|
|
122
|
+
version: 5.2.4.3
|
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
|
125
125
|
email: david@loudthinking.com
|
|
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
|
|
|
299
299
|
licenses:
|
|
300
300
|
- MIT
|
|
301
301
|
metadata:
|
|
302
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.4.
|
|
303
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.4.
|
|
302
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.4.3/actionpack
|
|
303
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.4.3/actionpack/CHANGELOG.md
|
|
304
304
|
post_install_message:
|
|
305
305
|
rdoc_options: []
|
|
306
306
|
require_paths:
|
|
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
317
317
|
version: '0'
|
|
318
318
|
requirements:
|
|
319
319
|
- none
|
|
320
|
-
rubygems_version: 3.
|
|
320
|
+
rubygems_version: 3.1.2
|
|
321
321
|
signing_key:
|
|
322
322
|
specification_version: 4
|
|
323
323
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|