actionpack 5.2.4.5 → 5.2.6.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +70 -0
- data/lib/action_controller/metal/http_authentication.rb +1 -1
- data/lib/action_controller/metal/request_forgery_protection.rb +60 -9
- data/lib/action_controller/test_case.rb +2 -2
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/request/session.rb +1 -1
- data/lib/action_dispatch/routing/polymorphic_routes.rb +8 -4
- data/lib/action_dispatch/testing/integration.rb +1 -0
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +14 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 207e46fe00d2cea08b2802e3241a809c1fd7541a9adf1aa0f83247d602c92166
|
4
|
+
data.tar.gz: 2b6f9099eedfe6261be1a46fc379d6047095dab0b085718abb12de7812eeda41
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ec7d7aea81c92eae580cf01aaae6c01c8baf6ea32be0296cb369a207d06630d0ffbb776a87a1463b7c42c8ffc85c08a705729ce4317192d4deac37ee9d898471
|
7
|
+
data.tar.gz: ac2bd8b6a8e10d25a2bdc92088e518c8f37bd1f2dde97d90b2f6ce8382b70859486d4da7c27d14d62e61780e53187611e91a13ecb759647bbe652958cbbed818
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,63 @@
|
|
1
|
+
## Rails 5.2.6.1 (February 11, 2022) ##
|
2
|
+
|
3
|
+
* Under certain circumstances, the middleware isn't informed that the
|
4
|
+
response body has been fully closed which result in request state not
|
5
|
+
being fully reset before the next request
|
6
|
+
|
7
|
+
[CVE-2022-23633]
|
8
|
+
|
9
|
+
|
10
|
+
## Rails 5.2.6 (May 05, 2021) ##
|
11
|
+
|
12
|
+
* Accept base64_urlsafe CSRF tokens to make forward compatible.
|
13
|
+
|
14
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
15
|
+
them difficult to deal with. For example, the common practice of sending
|
16
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
17
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
18
|
+
|
19
|
+
In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
|
20
|
+
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
21
|
+
tokens for backwards compatibility.
|
22
|
+
|
23
|
+
How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
|
24
|
+
config.
|
25
|
+
|
26
|
+
In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
|
27
|
+
|
28
|
+
**Atention**: If you already upgraded your application to 5.2.5, set the config
|
29
|
+
`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
|
30
|
+
during the deploy of this new version.
|
31
|
+
|
32
|
+
```ruby
|
33
|
+
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
34
|
+
```
|
35
|
+
|
36
|
+
If you are upgrading from 5.2.4.x, you don't need to change this configuration.
|
37
|
+
|
38
|
+
*Scott Blum*, *Étienne Barrié*
|
39
|
+
|
40
|
+
|
41
|
+
## Rails 5.2.5 (March 26, 2021) ##
|
42
|
+
|
43
|
+
* No changes.
|
44
|
+
|
45
|
+
|
46
|
+
## Rails 5.2.4.6 (May 05, 2021) ##
|
47
|
+
|
48
|
+
* Prevent regex DoS in HTTP token authentication
|
49
|
+
CVE-2021-22904
|
50
|
+
|
51
|
+
* Prevent string polymorphic route arguments.
|
52
|
+
|
53
|
+
`url_for` supports building polymorphic URLs via an array
|
54
|
+
of arguments (usually symbols and records). If a developer passes a
|
55
|
+
user input array, strings can result in unwanted route helper calls.
|
56
|
+
|
57
|
+
CVE-2021-22885
|
58
|
+
|
59
|
+
*Gannon McGibbon*
|
60
|
+
|
1
61
|
## Rails 5.2.4.5 (February 10, 2021) ##
|
2
62
|
|
3
63
|
* No changes.
|
@@ -15,6 +75,11 @@
|
|
15
75
|
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
16
76
|
|
17
77
|
|
78
|
+
## Rails 5.2.4.2 (March 19, 2020) ##
|
79
|
+
|
80
|
+
* No changes.
|
81
|
+
|
82
|
+
|
18
83
|
## Rails 5.2.4.1 (December 18, 2019) ##
|
19
84
|
|
20
85
|
* Fix possible information leak / session hijacking vulnerability.
|
@@ -22,6 +87,11 @@
|
|
22
87
|
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
23
88
|
gem dalli to be updated as well.
|
24
89
|
|
90
|
+
_Breaking changes:_
|
91
|
+
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
92
|
+
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
93
|
+
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
94
|
+
|
25
95
|
CVE-2019-16782.
|
26
96
|
|
27
97
|
|
@@ -92,6 +92,10 @@ module ActionController #:nodoc:
|
|
92
92
|
config_accessor :default_protect_from_forgery
|
93
93
|
self.default_protect_from_forgery = false
|
94
94
|
|
95
|
+
# Controls whether URL-safe CSRF tokens are generated.
|
96
|
+
config_accessor :urlsafe_csrf_tokens, instance_writer: false
|
97
|
+
self.urlsafe_csrf_tokens = false
|
98
|
+
|
95
99
|
helper_method :form_authenticity_token
|
96
100
|
helper_method :protect_against_forgery?
|
97
101
|
end
|
@@ -321,11 +325,6 @@ module ActionController #:nodoc:
|
|
321
325
|
global_csrf_token(session)
|
322
326
|
end
|
323
327
|
|
324
|
-
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
325
|
-
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
326
|
-
masked_token = one_time_pad + encrypted_csrf_token
|
327
|
-
Base64.urlsafe_encode64(masked_token, padding: false)
|
328
|
-
|
329
328
|
mask_token(raw_token)
|
330
329
|
end
|
331
330
|
|
@@ -338,7 +337,7 @@ module ActionController #:nodoc:
|
|
338
337
|
end
|
339
338
|
|
340
339
|
begin
|
341
|
-
masked_token =
|
340
|
+
masked_token = decode_csrf_token(encoded_masked_token)
|
342
341
|
rescue ArgumentError # encoded_masked_token is invalid Base64
|
343
342
|
return false
|
344
343
|
end
|
@@ -376,7 +375,7 @@ module ActionController #:nodoc:
|
|
376
375
|
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
377
376
|
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
378
377
|
masked_token = one_time_pad + encrypted_csrf_token
|
379
|
-
|
378
|
+
encode_csrf_token(masked_token)
|
380
379
|
end
|
381
380
|
|
382
381
|
def compare_with_real_token(token, session) # :doc:
|
@@ -402,8 +401,8 @@ module ActionController #:nodoc:
|
|
402
401
|
end
|
403
402
|
|
404
403
|
def real_csrf_token(session) # :doc:
|
405
|
-
session[:_csrf_token] ||=
|
406
|
-
|
404
|
+
session[:_csrf_token] ||= generate_csrf_token
|
405
|
+
decode_csrf_token(session[:_csrf_token])
|
407
406
|
end
|
408
407
|
|
409
408
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
@@ -466,5 +465,57 @@ module ActionController #:nodoc:
|
|
466
465
|
uri = URI.parse(action_path)
|
467
466
|
uri.path.chomp("/")
|
468
467
|
end
|
468
|
+
|
469
|
+
def generate_csrf_token # :nodoc:
|
470
|
+
if urlsafe_csrf_tokens
|
471
|
+
SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
|
472
|
+
else
|
473
|
+
SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
|
474
|
+
end
|
475
|
+
end
|
476
|
+
|
477
|
+
if RUBY_VERSION.start_with?("2.2")
|
478
|
+
# Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
|
479
|
+
using Module.new {
|
480
|
+
refine Base64.singleton_class do
|
481
|
+
def urlsafe_encode64(bin, padding: true)
|
482
|
+
str = strict_encode64(bin).tr("+/", "-_")
|
483
|
+
str = str.delete("=") unless padding
|
484
|
+
str
|
485
|
+
end
|
486
|
+
|
487
|
+
def urlsafe_decode64(str)
|
488
|
+
# NOTE: RFC 4648 does say nothing about unpadded input, but says that
|
489
|
+
# "the excess pad characters MAY also be ignored", so it is inferred that
|
490
|
+
# unpadded input is also acceptable.
|
491
|
+
str = str.tr("-_", "+/")
|
492
|
+
if !str.end_with?("=") && str.length % 4 != 0
|
493
|
+
str = str.ljust((str.length + 3) & ~3, "=")
|
494
|
+
end
|
495
|
+
strict_decode64(str)
|
496
|
+
end
|
497
|
+
end
|
498
|
+
}
|
499
|
+
end
|
500
|
+
|
501
|
+
def encode_csrf_token(csrf_token) # :nodoc:
|
502
|
+
if urlsafe_csrf_tokens
|
503
|
+
Base64.urlsafe_encode64(csrf_token, padding: false)
|
504
|
+
else
|
505
|
+
Base64.strict_encode64(csrf_token)
|
506
|
+
end
|
507
|
+
end
|
508
|
+
|
509
|
+
def decode_csrf_token(encoded_csrf_token) # :nodoc:
|
510
|
+
if urlsafe_csrf_tokens
|
511
|
+
Base64.urlsafe_decode64(encoded_csrf_token)
|
512
|
+
else
|
513
|
+
begin
|
514
|
+
Base64.strict_decode64(encoded_csrf_token)
|
515
|
+
rescue ArgumentError
|
516
|
+
Base64.urlsafe_decode64(encoded_csrf_token)
|
517
|
+
end
|
518
|
+
end
|
519
|
+
end
|
469
520
|
end
|
470
521
|
end
|
@@ -177,12 +177,12 @@ module ActionController
|
|
177
177
|
|
178
178
|
# Methods #destroy and #load! are overridden to avoid calling methods on the
|
179
179
|
# @store object, which does not exist for the TestSession class.
|
180
|
-
class TestSession < Rack::Session::Abstract::
|
180
|
+
class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
|
181
181
|
DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
|
182
182
|
|
183
183
|
def initialize(session = {})
|
184
184
|
super(nil, nil)
|
185
|
-
@id = SecureRandom.hex(16)
|
185
|
+
@id = Rack::Session::SessionId.new(SecureRandom.hex(16))
|
186
186
|
@data = stringify_keys(session)
|
187
187
|
@loaded = true
|
188
188
|
end
|
@@ -288,10 +288,12 @@ module ActionDispatch
|
|
288
288
|
|
289
289
|
args = []
|
290
290
|
|
291
|
-
route = record_list.map
|
291
|
+
route = record_list.map do |parent|
|
292
292
|
case parent
|
293
|
-
when Symbol
|
293
|
+
when Symbol
|
294
294
|
parent.to_s
|
295
|
+
when String
|
296
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
295
297
|
when Class
|
296
298
|
args << parent
|
297
299
|
parent.model_name.singular_route_key
|
@@ -299,12 +301,14 @@ module ActionDispatch
|
|
299
301
|
args << parent.to_model
|
300
302
|
parent.to_model.model_name.singular_route_key
|
301
303
|
end
|
302
|
-
|
304
|
+
end
|
303
305
|
|
304
306
|
route <<
|
305
307
|
case record
|
306
|
-
when Symbol
|
308
|
+
when Symbol
|
307
309
|
record.to_s
|
310
|
+
when String
|
311
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
308
312
|
when Class
|
309
313
|
@key_strategy.call record.model_name
|
310
314
|
else
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.6.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-02-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 5.2.
|
19
|
+
version: 5.2.6.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 5.2.
|
26
|
+
version: 5.2.6.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 5.2.
|
101
|
+
version: 5.2.6.1
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 5.2.
|
108
|
+
version: 5.2.6.1
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 5.2.
|
115
|
+
version: 5.2.6.1
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 5.2.
|
122
|
+
version: 5.2.6.1
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -299,9 +299,9 @@ homepage: http://rubyonrails.org
|
|
299
299
|
licenses:
|
300
300
|
- MIT
|
301
301
|
metadata:
|
302
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.
|
303
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.
|
304
|
-
post_install_message:
|
302
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.6.1/actionpack
|
303
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.6.1/actionpack/CHANGELOG.md
|
304
|
+
post_install_message:
|
305
305
|
rdoc_options: []
|
306
306
|
require_paths:
|
307
307
|
- lib
|
@@ -317,8 +317,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
317
317
|
version: '0'
|
318
318
|
requirements:
|
319
319
|
- none
|
320
|
-
rubygems_version: 3.
|
321
|
-
signing_key:
|
320
|
+
rubygems_version: 3.1.6
|
321
|
+
signing_key:
|
322
322
|
specification_version: 4
|
323
323
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
324
324
|
test_files: []
|