actionpack 5.2.4.5 → 5.2.4.6

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8458248b602da029b1e9113db9f0305888fdf99bf83ea4fe679ad0ed49b22175
4
- data.tar.gz: '085825f1ed9d286aa92cf5fa06fb039534331030d5b70da304c237a492f7ded9'
3
+ metadata.gz: 21ea10678c4ef44aa9d770173426c4288f82f6cfd18e203b50d8e8319d59619d
4
+ data.tar.gz: 8a5dae1aba4a1a314a87fdc507507d626f5c1ac4d3707c8394efca683d0035bb
5
5
  SHA512:
6
- metadata.gz: 7a6b62b3afeeb992a981128fbfab64944e897f20a0e75cbef6fd3d972108321ff440f7344935c8d196c1d1e6d3e08d64f040c6c5aa9ad63f06e9b78875da0c54
7
- data.tar.gz: 27a049710288451664d3672a6fb18fe505003d9bb91826408ab507d9de06fa9f1a877a2dfc6b9a9b91e32c0f122cdfd33b1bcd3802e64966e4388c17dcad08e6
6
+ metadata.gz: b8bff063c8bcf5367ad0f2c30e59676d1dea50f1106c95dcb1b1eaf8560df58fc5a5d59fa8fd65cf908455b8699a2488082649e5a7bde25c596ff1e9d5b4a439
7
+ data.tar.gz: e516a770a086884251847855aad0ffebe1d6d7014d23ccc72c04bfe7773ac618401e75eaef71f69c53fb9c803dd983c4b9557680fe1ba63ca9de7ccc723d0d14
data/CHANGELOG.md CHANGED
@@ -1,3 +1,18 @@
1
+ ## Rails 5.2.4.6 (May 05, 2021) ##
2
+
3
+ * Prevent regex DoS in HTTP token authentication
4
+ CVE-2021-22904
5
+
6
+ * Prevent string polymorphic route arguments.
7
+
8
+ `url_for` supports building polymorphic URLs via an array
9
+ of arguments (usually symbols and records). If a developer passes a
10
+ user input array, strings can result in unwanted route helper calls.
11
+
12
+ CVE-2021-22885
13
+
14
+ *Gannon McGibbon*
15
+
1
16
  ## Rails 5.2.4.5 (February 10, 2021) ##
2
17
 
3
18
  * No changes.
@@ -406,7 +406,7 @@ module ActionController
406
406
  module Token
407
407
  TOKEN_KEY = "token="
408
408
  TOKEN_REGEX = /^(Token|Bearer)\s+/
409
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
409
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
410
410
  extend self
411
411
 
412
412
  module ControllerMethods
@@ -288,10 +288,12 @@ module ActionDispatch
288
288
 
289
289
  args = []
290
290
 
291
- route = record_list.map { |parent|
291
+ route = record_list.map do |parent|
292
292
  case parent
293
- when Symbol, String
293
+ when Symbol
294
294
  parent.to_s
295
+ when String
296
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
295
297
  when Class
296
298
  args << parent
297
299
  parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
299
301
  args << parent.to_model
300
302
  parent.to_model.model_name.singular_route_key
301
303
  end
302
- }
304
+ end
303
305
 
304
306
  route <<
305
307
  case record
306
- when Symbol, String
308
+ when Symbol
307
309
  record.to_s
310
+ when String
311
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
308
312
  when Class
309
313
  @key_strategy.call record.model_name
310
314
  else
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
12
  TINY = 4
13
- PRE = "5"
13
+ PRE = "6"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.4.5
4
+ version: 5.2.4.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-02-10 00:00:00.000000000 Z
11
+ date: 2021-05-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 5.2.4.5
19
+ version: 5.2.4.6
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 5.2.4.5
26
+ version: 5.2.4.6
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 5.2.4.5
101
+ version: 5.2.4.6
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 5.2.4.5
108
+ version: 5.2.4.6
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 5.2.4.5
115
+ version: 5.2.4.6
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 5.2.4.5
122
+ version: 5.2.4.6
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -299,9 +299,9 @@ homepage: http://rubyonrails.org
299
299
  licenses:
300
300
  - MIT
301
301
  metadata:
302
- source_code_uri: https://github.com/rails/rails/tree/v5.2.4.5/actionpack
303
- changelog_uri: https://github.com/rails/rails/blob/v5.2.4.5/actionpack/CHANGELOG.md
304
- post_install_message:
302
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.4.6/actionpack
303
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.4.6/actionpack/CHANGELOG.md
304
+ post_install_message:
305
305
  rdoc_options: []
306
306
  require_paths:
307
307
  - lib
@@ -317,8 +317,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
317
317
  version: '0'
318
318
  requirements:
319
319
  - none
320
- rubygems_version: 3.0.3
321
- signing_key:
320
+ rubygems_version: 3.1.2
321
+ signing_key:
322
322
  specification_version: 4
323
323
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
324
324
  test_files: []