actionpack 5.2.4.6 → 5.2.6.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +60 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +60 -9
- data/lib/action_controller/test_case.rb +2 -2
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/request/session.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +1 -0
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +11 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9f9af66072f929c34de682b51f5cfb47cec4d02f0f175207b86cf2f2aa591a39
|
4
|
+
data.tar.gz: 55bb9db3377da585dec4073005de050bee5adbd234035bc27a47f0a8ff6aaf0b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 42d752746dc20a7f2e0d83ed1e8c47f591de78eb8bc4e936fb6946da278fa29ab8c1ce64d5201d56eabe611ac8b63251ca6297518bce29f02b090d66776766c9
|
7
|
+
data.tar.gz: 3bcf56a282fdc5f35bd4f9076bcd9cb20d61c0f650306bd0ad0b732c8fb729dcdf2ae028c9bda285c61a5fbcfdc625c19aaf2ba8ec7b90d2a32c7138734086d8
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,53 @@
|
|
1
|
+
## Rails 5.2.6.2 (February 11, 2022) ##
|
2
|
+
|
3
|
+
* No changes.
|
4
|
+
|
5
|
+
|
6
|
+
## Rails 5.2.6.1 (February 11, 2022) ##
|
7
|
+
|
8
|
+
* Under certain circumstances, the middleware isn't informed that the
|
9
|
+
response body has been fully closed which result in request state not
|
10
|
+
being fully reset before the next request
|
11
|
+
|
12
|
+
[CVE-2022-23633]
|
13
|
+
|
14
|
+
|
15
|
+
## Rails 5.2.6 (May 05, 2021) ##
|
16
|
+
|
17
|
+
* Accept base64_urlsafe CSRF tokens to make forward compatible.
|
18
|
+
|
19
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
20
|
+
them difficult to deal with. For example, the common practice of sending
|
21
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
22
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
23
|
+
|
24
|
+
In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
|
25
|
+
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
26
|
+
tokens for backwards compatibility.
|
27
|
+
|
28
|
+
How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
|
29
|
+
config.
|
30
|
+
|
31
|
+
In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
|
32
|
+
|
33
|
+
**Atention**: If you already upgraded your application to 5.2.5, set the config
|
34
|
+
`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
|
35
|
+
during the deploy of this new version.
|
36
|
+
|
37
|
+
```ruby
|
38
|
+
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
39
|
+
```
|
40
|
+
|
41
|
+
If you are upgrading from 5.2.4.x, you don't need to change this configuration.
|
42
|
+
|
43
|
+
*Scott Blum*, *Étienne Barrié*
|
44
|
+
|
45
|
+
|
46
|
+
## Rails 5.2.5 (March 26, 2021) ##
|
47
|
+
|
48
|
+
* No changes.
|
49
|
+
|
50
|
+
|
1
51
|
## Rails 5.2.4.6 (May 05, 2021) ##
|
2
52
|
|
3
53
|
* Prevent regex DoS in HTTP token authentication
|
@@ -30,6 +80,11 @@
|
|
30
80
|
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
31
81
|
|
32
82
|
|
83
|
+
## Rails 5.2.4.2 (March 19, 2020) ##
|
84
|
+
|
85
|
+
* No changes.
|
86
|
+
|
87
|
+
|
33
88
|
## Rails 5.2.4.1 (December 18, 2019) ##
|
34
89
|
|
35
90
|
* Fix possible information leak / session hijacking vulnerability.
|
@@ -37,6 +92,11 @@
|
|
37
92
|
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
38
93
|
gem dalli to be updated as well.
|
39
94
|
|
95
|
+
_Breaking changes:_
|
96
|
+
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
97
|
+
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
98
|
+
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
99
|
+
|
40
100
|
CVE-2019-16782.
|
41
101
|
|
42
102
|
|
@@ -92,6 +92,10 @@ module ActionController #:nodoc:
|
|
92
92
|
config_accessor :default_protect_from_forgery
|
93
93
|
self.default_protect_from_forgery = false
|
94
94
|
|
95
|
+
# Controls whether URL-safe CSRF tokens are generated.
|
96
|
+
config_accessor :urlsafe_csrf_tokens, instance_writer: false
|
97
|
+
self.urlsafe_csrf_tokens = false
|
98
|
+
|
95
99
|
helper_method :form_authenticity_token
|
96
100
|
helper_method :protect_against_forgery?
|
97
101
|
end
|
@@ -321,11 +325,6 @@ module ActionController #:nodoc:
|
|
321
325
|
global_csrf_token(session)
|
322
326
|
end
|
323
327
|
|
324
|
-
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
325
|
-
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
326
|
-
masked_token = one_time_pad + encrypted_csrf_token
|
327
|
-
Base64.urlsafe_encode64(masked_token, padding: false)
|
328
|
-
|
329
328
|
mask_token(raw_token)
|
330
329
|
end
|
331
330
|
|
@@ -338,7 +337,7 @@ module ActionController #:nodoc:
|
|
338
337
|
end
|
339
338
|
|
340
339
|
begin
|
341
|
-
masked_token =
|
340
|
+
masked_token = decode_csrf_token(encoded_masked_token)
|
342
341
|
rescue ArgumentError # encoded_masked_token is invalid Base64
|
343
342
|
return false
|
344
343
|
end
|
@@ -376,7 +375,7 @@ module ActionController #:nodoc:
|
|
376
375
|
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
377
376
|
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
378
377
|
masked_token = one_time_pad + encrypted_csrf_token
|
379
|
-
|
378
|
+
encode_csrf_token(masked_token)
|
380
379
|
end
|
381
380
|
|
382
381
|
def compare_with_real_token(token, session) # :doc:
|
@@ -402,8 +401,8 @@ module ActionController #:nodoc:
|
|
402
401
|
end
|
403
402
|
|
404
403
|
def real_csrf_token(session) # :doc:
|
405
|
-
session[:_csrf_token] ||=
|
406
|
-
|
404
|
+
session[:_csrf_token] ||= generate_csrf_token
|
405
|
+
decode_csrf_token(session[:_csrf_token])
|
407
406
|
end
|
408
407
|
|
409
408
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
@@ -466,5 +465,57 @@ module ActionController #:nodoc:
|
|
466
465
|
uri = URI.parse(action_path)
|
467
466
|
uri.path.chomp("/")
|
468
467
|
end
|
468
|
+
|
469
|
+
def generate_csrf_token # :nodoc:
|
470
|
+
if urlsafe_csrf_tokens
|
471
|
+
SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
|
472
|
+
else
|
473
|
+
SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
|
474
|
+
end
|
475
|
+
end
|
476
|
+
|
477
|
+
if RUBY_VERSION.start_with?("2.2")
|
478
|
+
# Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
|
479
|
+
using Module.new {
|
480
|
+
refine Base64.singleton_class do
|
481
|
+
def urlsafe_encode64(bin, padding: true)
|
482
|
+
str = strict_encode64(bin).tr("+/", "-_")
|
483
|
+
str = str.delete("=") unless padding
|
484
|
+
str
|
485
|
+
end
|
486
|
+
|
487
|
+
def urlsafe_decode64(str)
|
488
|
+
# NOTE: RFC 4648 does say nothing about unpadded input, but says that
|
489
|
+
# "the excess pad characters MAY also be ignored", so it is inferred that
|
490
|
+
# unpadded input is also acceptable.
|
491
|
+
str = str.tr("-_", "+/")
|
492
|
+
if !str.end_with?("=") && str.length % 4 != 0
|
493
|
+
str = str.ljust((str.length + 3) & ~3, "=")
|
494
|
+
end
|
495
|
+
strict_decode64(str)
|
496
|
+
end
|
497
|
+
end
|
498
|
+
}
|
499
|
+
end
|
500
|
+
|
501
|
+
def encode_csrf_token(csrf_token) # :nodoc:
|
502
|
+
if urlsafe_csrf_tokens
|
503
|
+
Base64.urlsafe_encode64(csrf_token, padding: false)
|
504
|
+
else
|
505
|
+
Base64.strict_encode64(csrf_token)
|
506
|
+
end
|
507
|
+
end
|
508
|
+
|
509
|
+
def decode_csrf_token(encoded_csrf_token) # :nodoc:
|
510
|
+
if urlsafe_csrf_tokens
|
511
|
+
Base64.urlsafe_decode64(encoded_csrf_token)
|
512
|
+
else
|
513
|
+
begin
|
514
|
+
Base64.strict_decode64(encoded_csrf_token)
|
515
|
+
rescue ArgumentError
|
516
|
+
Base64.urlsafe_decode64(encoded_csrf_token)
|
517
|
+
end
|
518
|
+
end
|
519
|
+
end
|
469
520
|
end
|
470
521
|
end
|
@@ -177,12 +177,12 @@ module ActionController
|
|
177
177
|
|
178
178
|
# Methods #destroy and #load! are overridden to avoid calling methods on the
|
179
179
|
# @store object, which does not exist for the TestSession class.
|
180
|
-
class TestSession < Rack::Session::Abstract::
|
180
|
+
class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
|
181
181
|
DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
|
182
182
|
|
183
183
|
def initialize(session = {})
|
184
184
|
super(nil, nil)
|
185
|
-
@id = SecureRandom.hex(16)
|
185
|
+
@id = Rack::Session::SessionId.new(SecureRandom.hex(16))
|
186
186
|
@data = stringify_keys(session)
|
187
187
|
@loaded = true
|
188
188
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.6.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-02-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 5.2.
|
19
|
+
version: 5.2.6.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 5.2.
|
26
|
+
version: 5.2.6.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 5.2.
|
101
|
+
version: 5.2.6.2
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 5.2.
|
108
|
+
version: 5.2.6.2
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 5.2.
|
115
|
+
version: 5.2.6.2
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 5.2.
|
122
|
+
version: 5.2.6.2
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
|
|
299
299
|
licenses:
|
300
300
|
- MIT
|
301
301
|
metadata:
|
302
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.
|
303
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.
|
302
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.6.2/actionpack
|
303
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.6.2/actionpack/CHANGELOG.md
|
304
304
|
post_install_message:
|
305
305
|
rdoc_options: []
|
306
306
|
require_paths:
|
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
317
317
|
version: '0'
|
318
318
|
requirements:
|
319
319
|
- none
|
320
|
-
rubygems_version: 3.1.
|
320
|
+
rubygems_version: 3.1.6
|
321
321
|
signing_key:
|
322
322
|
specification_version: 4
|
323
323
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|