actionpack 5.2.4.3 → 5.2.6

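--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 96e28e2da73fb0ace4e8c62221ba405c625b91a1a5a66c691862543b557fb193
-data.tar.gz: 0eb0326558ad0f1e88d21cff30e29d24a3dbee244140d1099aca3d9fb2610d3c
+metadata.gz: 63b72a20df1a2ed50dd3c7bc20791c4979eb1a886770734721d7ffca4d9a4cfb
+data.tar.gz: f9c384ee114ec9e287a157fb5150cdcf86c79256cfaec9611edccc2ba18b7ff2
 SHA512:
-metadata.gz: b29c5f753ceebd2fea0b9ef51563c3b728fafb0d45d9cba7dc6ed16507557d986114a323071c6fa4ad81c0e10534483dd9e374039c1d9827ccedc010c7ac528c
-data.tar.gz: eac84dbeb5610ea6327a32268820fcf214ad84fb943fd3f98f4b4b905287afe22e33993e075081bf7cc9fd534eb8d7fef100e938ae5d75dabe977e778852b329
+metadata.gz: f33d0e9bb9cfb6a2ede9b0d11fad30752d92c3f81d07efd249cd7621b39430d0b5464e58f244d9cdbfce41e511d8dcc89f8539ee34218b369c6d0660b9d56340
+data.tar.gz: c964bc901dc5baf4fa6f049005f8a6d164bd705c3c958614c13ec1f3b8cb30a31d12ca10577f72fc3cdf446bfa9b05d95bd186da6b2815426b464ece0dc596ab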
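--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,64 @@
+## Rails 5.2.6 (May 05, 2021) ##
+
+* Accept base64_urlsafe CSRF tokens to make forward compatible.
+
+Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+them difficult to deal with. For example, the common practice of sending
+the CSRF token to a browser in a client-readable cookie does not work properly
+out of the box: the value has to be url-encoded and decoded to survive transport.
+
+In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
+safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
+tokens for backwards compatibility.
+
+How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
+config.
+
+In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
+
+**Atention**: If you already upgraded your application to 5.2.5, set the config
+`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
+during the deploy of this new version.
+
+```ruby
+Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+```
+
+If you are upgrading from 5.2.4.x, you don't need to change this configuration.
+
+*Scott Blum*, *Étienne Barrié*
+
+
+## Rails 5.2.5 (March 26, 2021) ##
+
+* No changes.
+
+
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+* Prevent regex DoS in HTTP token authentication
+CVE-2021-22904
+
+* Prevent string polymorphic route arguments.
+
+`url_for` supports building polymorphic URLs via an array
+of arguments (usually symbols and records). If a developer passes a
+user input array, strings can result in unwanted route helper calls.
+
+CVE-2021-22885
+
+*Gannon McGibbon*
+
+## Rails 5.2.4.5 (February 10, 2021) ##
+
+* No changes.
+
+
+## Rails 5.2.4.4 (September 09, 2020) ##
+
+* No changes.
+
+
 ## Rails 5.2.4.3 (May 18, 2020) ##
 
 * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
@@ -5,6 +66,11 @@
 * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
 
 
+## Rails 5.2.4.2 (March 19, 2020) ##
+
+* No changes.
+
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 * Fix possible information leak / session hijacking vulnerability.
@@ -12,6 +78,11 @@
 The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
 gem dalli to be updated as well.
 
+_Breaking changes:_
+* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
+* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
+ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
+
 CVE-2019-16782.
 
 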
@@ -406,7 +406,7 @@ module ActionController
406
406
  module Token
407
407
  TOKEN_KEY = "token="
408
408
  TOKEN_REGEX = /^(Token|Bearer)\s+/
409
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
409
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
410
410
  extend self
411
411
 
412
412
  module ControllerMethods
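Review bot: The tightened `AUTHN_PAIR_DELIMITERS` assignment carries no comment recording why the `+` quantifier was dropped, so a later cleanup could reintroduce it without noticing that this is the CVE-2021-22904 regex DoS fix named in the CHANGELOG of this release. Suggest a comment directly above the constant, `# Single tab only: a quantified \t made the header split vulnerable to regex DoS (CVE-2021-22904); do not reintroduce "+".` The site where the delimiter regex is applied is outside this hunk, so I have not confirmed how a run of several tabs is handled after the change, and the `Token` module continues beyond the hunk.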
@@ -92,6 +92,10 @@ module ActionController #:nodoc:
92
92
  config_accessor :default_protect_from_forgery
93
93
  self.default_protect_from_forgery = false
94
94
 
95
+ # Controls whether URL-safe CSRF tokens are generated.
96
+ config_accessor :urlsafe_csrf_tokens, instance_writer: false
97
+ self.urlsafe_csrf_tokens = false
98
+
95
99
  helper_method :form_authenticity_token
96
100
  helper_method :protect_against_forgery?
97
101
  end
@@ -321,11 +325,6 @@ module ActionController #:nodoc:
321
325
  global_csrf_token(session)
322
326
  end
323
327
 
324
- one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
325
- encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
326
- masked_token = one_time_pad + encrypted_csrf_token
327
- Base64.urlsafe_encode64(masked_token, padding: false)
328
-
329
328
  mask_token(raw_token)
330
329
  end
331
330
 
@@ -338,7 +337,7 @@ module ActionController #:nodoc:
338
337
  end
339
338
 
340
339
  begin
341
- masked_token = Base64.strict_decode64(encoded_masked_token)
340
+ masked_token = decode_csrf_token(encoded_masked_token)
342
341
  rescue ArgumentError # encoded_masked_token is invalid Base64
343
342
  return false
344
343
  end
@@ -376,7 +375,7 @@ module ActionController #:nodoc:
376
375
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
377
376
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
378
377
  masked_token = one_time_pad + encrypted_csrf_token
379
- Base64.strict_encode64(masked_token)
378
+ encode_csrf_token(masked_token)
380
379
  end
381
380
 
382
381
  def compare_with_real_token(token, session) # :doc:
@@ -402,8 +401,8 @@ module ActionController #:nodoc:
402
401
  end
403
402
 
404
403
  def real_csrf_token(session) # :doc:
405
- session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
406
- Base64.strict_decode64(session[:_csrf_token])
404
+ session[:_csrf_token] ||= generate_csrf_token
405
+ decode_csrf_token(session[:_csrf_token])
407
406
  end
408
407
 
409
408
  def per_form_csrf_token(session, action_path, method) # :doc:
@@ -466,5 +465,57 @@ module ActionController #:nodoc:
466
465
  uri = URI.parse(action_path)
467
466
  uri.path.chomp("/")
468
467
  end
468
+
469
+ def generate_csrf_token # :nodoc:
470
+ if urlsafe_csrf_tokens
471
+ SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
472
+ else
473
+ SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
474
+ end
475
+ end
476
+
477
+ if RUBY_VERSION.start_with?("2.2")
478
+ # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
479
+ using Module.new {
480
+ refine Base64.singleton_class do
481
+ def urlsafe_encode64(bin, padding: true)
482
+ str = strict_encode64(bin).tr("+/", "-_")
483
+ str = str.delete("=") unless padding
484
+ str
485
+ end
486
+
487
+ def urlsafe_decode64(str)
488
+ # NOTE: RFC 4648 does say nothing about unpadded input, but says that
489
+ # "the excess pad characters MAY also be ignored", so it is inferred that
490
+ # unpadded input is also acceptable.
491
+ str = str.tr("-_", "+/")
492
+ if !str.end_with?("=") && str.length % 4 != 0
493
+ str = str.ljust((str.length + 3) & ~3, "=")
494
+ end
495
+ strict_decode64(str)
496
+ end
497
+ end
498
+ }
499
+ end
500
+
501
+ def encode_csrf_token(csrf_token) # :nodoc:
502
+ if urlsafe_csrf_tokens
503
+ Base64.urlsafe_encode64(csrf_token, padding: false)
504
+ else
505
+ Base64.strict_encode64(csrf_token)
506
+ end
507
+ end
508
+
509
+ def decode_csrf_token(encoded_csrf_token) # :nodoc:
510
+ if urlsafe_csrf_tokens
511
+ Base64.urlsafe_decode64(encoded_csrf_token)
512
+ else
513
+ begin
514
+ Base64.strict_decode64(encoded_csrf_token)
515
+ rescue ArgumentError
516
+ Base64.urlsafe_decode64(encoded_csrf_token)
517
+ end
518
+ end
519
+ end
469
520
  end
470
521
  end
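Review bot: `generate_csrf_token` calls `SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)`, but `SecureRandom.urlsafe_base64` takes `padding` as a second positional boolean rather than a keyword, so the `{padding: false}` hash lands in that slot as a truthy value and the session token is generated with its `=` padding kept. That contradicts the unpadded output of `encode_csrf_token` in the same hunk and the CHANGELOG's stated goal of a token that survives transport without URL encoding; `decode_csrf_token` still accepts the padded form, so validation is not broken, only the generated format. The fix is the one-line change `SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)`, since that method omits padding by default. `AUTHENTICITY_TOKEN_LENGTH` is defined outside these hunks, and the `# :nodoc:` helpers would also benefit from a comment on `decode_csrf_token` stating that it deliberately accepts both encodings so sessions created under the other setting stay valid across a deploy.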
@@ -177,12 +177,12 @@ module ActionController
177
177
 
178
178
  # Methods #destroy and #load! are overridden to avoid calling methods on the
179
179
  # @store object, which does not exist for the TestSession class.
180
- class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
180
+ class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
181
181
  DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
182
182
 
183
183
  def initialize(session = {})
184
184
  super(nil, nil)
185
- @id = SecureRandom.hex(16)
185
+ @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
186
186
  @data = stringify_keys(session)
187
187
  @loaded = true
188
188
  end
@@ -93,7 +93,7 @@ module ActionDispatch
93
93
  key = key.to_s
94
94
 
95
95
  if key == "session_id"
96
- id&.public_id
96
+ id && id.public_id
97
97
  else
98
98
  @delegate[key]
99
99
  end
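Review bot: Replacing `id&.public_id` with `id && id.public_id` reads like a regression to pre-2.3 style unless the reason is recorded; presumably it keeps the file loadable on Ruby 2.2, which the `RUBY_VERSION.start_with?("2.2")` branch elsewhere in this release suggests is still supported. Suggest `id && id.public_id # not &.: keeps Ruby 2.2 loading this file` so a future RuboCop pass does not flip it back. The enclosing method starts outside the hunk.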
@@ -288,10 +288,12 @@ module ActionDispatch
288
288
 
289
289
  args = []
290
290
 
291
- route = record_list.map { |parent|
291
+ route = record_list.map do |parent|
292
292
  case parent
293
- when Symbol, String
293
+ when Symbol
294
294
  parent.to_s
295
+ when String
296
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
295
297
  when Class
296
298
  args << parent
297
299
  parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
299
301
  args << parent.to_model
300
302
  parent.to_model.model_name.singular_route_key
301
303
  end
302
- }
304
+ end
303
305
 
304
306
  route <<
305
307
  case record
306
- when Symbol, String
308
+ when Symbol
307
309
  record.to_s
310
+ when String
311
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
308
312
  when Class
309
313
  @key_strategy.call record.model_name
310
314
  else
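Review bot: The `when String` guard and its `ArgumentError` message are duplicated verbatim in the `record_list.map` block and in the `record` case below it, with nothing at either site recording that the rejection is deliberate; the message reads like a lint hint rather than the CVE-2021-22885 fix the CHANGELOG describes. Suggest hoisting the message into a frozen constant and adding at the first site `# Strings are rejected on purpose: a user-supplied string could otherwise result in an unwanted route helper call (CVE-2021-22885).` The `raise(ArgumentError, ...)` parentheses are also unusual for this code; `raise ArgumentError, MESSAGE` matches the surrounding style. Both case statements sit inside a method whose head and tail are outside these hunks, so I have not checked whether other argument types reach the same helper-name construction.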
@@ -401,6 +401,7 @@ module ActionDispatch
401
401
  super
402
402
  end
403
403
  end
404
+ ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
404
405
  end
405
406
  end
406
407
 
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
- TINY = 4
13
- PRE = "3"
12
+ TINY = 6
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
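--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 5.2.4.3
+version: 5.2.6
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-18 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.3
+version: 5.2.6
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.3
+version: 5.2.6
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.3
+version: 5.2.6
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.3
+version: 5.2.6
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.3
+version: 5.2.6
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.3
+version: 5.2.6
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-source_code_uri: https://github.com/rails/rails/tree/v5.2.4.3/actionpack
-changelog_uri: https://github.com/rails/rails/blob/v5.2.4.3/actionpack/CHANGELOG.md
+source_code_uri: https://github.com/rails/rails/tree/v5.2.6/actionpack
+changelog_uri: https://github.com/rails/rails/blob/v5.2.6/actionpack/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).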