actionpack 5.2.5 → 5.2.6

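--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 3b9466cc66aef89ae39a6f759279293fa180454f543f7149d1ab8de9ed9ae899
-data.tar.gz: a72f72e877d142cc9c377615429190f6327fbd6d8e522f7ada200c30ec02bba8
+metadata.gz: 63b72a20df1a2ed50dd3c7bc20791c4979eb1a886770734721d7ffca4d9a4cfb
+data.tar.gz: f9c384ee114ec9e287a157fb5150cdcf86c79256cfaec9611edccc2ba18b7ff2
 SHA512:
-metadata.gz: caf16e1e2886b217f359e358d24d6eb33e692f40165c96a324571b009ceb7d1b97df22320c2e320106aad26e4f7874db26790ba7cc4f61c9a6a21fae13f9e366
-data.tar.gz: 30094a122031f1a4cff32d7cc0ad6fe4a14e318267e3cfea6ff85f9ca172f8b1f6677299634c776df580c4b3a44200e494fa06f6933821d4d5b8838d9a7a4815
+metadata.gz: f33d0e9bb9cfb6a2ede9b0d11fad30752d92c3f81d07efd249cd7621b39430d0b5464e58f244d9cdbfce41e511d8dcc89f8539ee34218b369c6d0660b9d56340
+data.tar.gz: c964bc901dc5baf4fa6f049005f8a6d164bd705c3c958614c13ec1f3b8cb30a31d12ca10577f72fc3cdf446bfa9b05d95bd186da6b2815426b464ece0dc596ab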
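--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,8 +1,54 @@
+## Rails 5.2.6 (May 05, 2021) ##
+
+* Accept base64_urlsafe CSRF tokens to make forward compatible.
+
+Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+them difficult to deal with. For example, the common practice of sending
+the CSRF token to a browser in a client-readable cookie does not work properly
+out of the box: the value has to be url-encoded and decoded to survive transport.
+
+In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
+safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
+tokens for backwards compatibility.
+
+How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
+config.
+
+In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
+
+**Atention**: If you already upgraded your application to 5.2.5, set the config
+`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
+during the deploy of this new version.
+
+```ruby
+Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+```
+
+If you are upgrading from 5.2.4.x, you don't need to change this configuration.
+
+*Scott Blum*, *Étienne Barrié*
+
+
 ## Rails 5.2.5 (March 26, 2021) ##
 
 * No changes.
 
 
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+* Prevent regex DoS in HTTP token authentication
+CVE-2021-22904
+
+* Prevent string polymorphic route arguments.
+
+`url_for` supports building polymorphic URLs via an array
+of arguments (usually symbols and records). If a developer passes a
+user input array, strings can result in unwanted route helper calls.
+
+CVE-2021-22885
+
+*Gannon McGibbon*
+
 ## Rails 5.2.4.5 (February 10, 2021) ##
 
 * No changes.
@@ -31,7 +77,7 @@
 
 The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
 gem dalli to be updated as well.
-
+
 _Breaking changes:_
 * `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
 * Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with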
@@ -406,7 +406,7 @@ module ActionController
406
406
  module Token
407
407
  TOKEN_KEY = "token="
408
408
  TOKEN_REGEX = /^(Token|Bearer)\s+/
409
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
409
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
410
410
  extend self
411
411
 
412
412
  module ControllerMethods
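Review bot: The narrowed `AUTHN_PAIR_DELIMITERS` on the `+` line carries no explanation, so nothing stops a later cleanup from "restoring" the `\t+`; I would pin the reason right above it: `# A single \t, not \t+: long runs of tabs made the delimiter regex backtrack catastrophically (CVE-2021-22904, see CHANGELOG).` The splitter that actually consumes this constant (`raw_params`) is outside the hunk, so whether consecutive tabs now yield empty pairs there cannot be checked from this page. A regression test that feeds an `Authorization` header consisting of a few thousand tabs and asserts it parses in bounded time would keep the fix honest.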
@@ -92,6 +92,10 @@ module ActionController #:nodoc:
92
92
  config_accessor :default_protect_from_forgery
93
93
  self.default_protect_from_forgery = false
94
94
 
95
+ # Controls whether URL-safe CSRF tokens are generated.
96
+ config_accessor :urlsafe_csrf_tokens, instance_writer: false
97
+ self.urlsafe_csrf_tokens = false
98
+
95
99
  helper_method :form_authenticity_token
96
100
  helper_method :protect_against_forgery?
97
101
  end
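Review bot: The comment on the new `config_accessor :urlsafe_csrf_tokens` says only that it controls generation, but the default of `false` is the part that bites: an app that already shipped 5.2.5 (which, per the CHANGELOG on this page, generated URL-safe tokens) silently goes back to strict Base64 tokens unless it opts in. I would extend the comment to `# Controls whether URL-safe CSRF tokens are generated. Defaults to false (strict Base64); apps already running 5.2.5 must set this to true before deploying (see CHANGELOG). Validation accepts both encodings either way.` The last claim is backed by `decode_csrf_token` further down this page, which falls back between the two decoders. The enclosing block that holds these accessors begins outside the hunk.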
@@ -333,7 +337,7 @@ module ActionController #:nodoc:
333
337
  end
334
338
 
335
339
  begin
336
- masked_token = Base64.urlsafe_decode64(encoded_masked_token)
340
+ masked_token = decode_csrf_token(encoded_masked_token)
337
341
  rescue ArgumentError # encoded_masked_token is invalid Base64
338
342
  return false
339
343
  end
@@ -371,7 +375,7 @@ module ActionController #:nodoc:
371
375
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
372
376
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
373
377
  masked_token = one_time_pad + encrypted_csrf_token
374
- Base64.urlsafe_encode64(masked_token).delete("=")
378
+ encode_csrf_token(masked_token)
375
379
  end
376
380
 
377
381
  def compare_with_real_token(token, session) # :doc:
@@ -397,8 +401,8 @@ module ActionController #:nodoc:
397
401
  end
398
402
 
399
403
  def real_csrf_token(session) # :doc:
400
- session[:_csrf_token] ||= SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
401
- Base64.urlsafe_decode64(session[:_csrf_token])
404
+ session[:_csrf_token] ||= generate_csrf_token
405
+ decode_csrf_token(session[:_csrf_token])
402
406
  end
403
407
 
404
408
  def per_form_csrf_token(session, action_path, method) # :doc:
@@ -461,5 +465,57 @@ module ActionController #:nodoc:
461
465
  uri = URI.parse(action_path)
462
466
  uri.path.chomp("/")
463
467
  end
468
+
469
+ def generate_csrf_token # :nodoc:
470
+ if urlsafe_csrf_tokens
471
+ SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
472
+ else
473
+ SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
474
+ end
475
+ end
476
+
477
+ if RUBY_VERSION.start_with?("2.2")
478
+ # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
479
+ using Module.new {
480
+ refine Base64.singleton_class do
481
+ def urlsafe_encode64(bin, padding: true)
482
+ str = strict_encode64(bin).tr("+/", "-_")
483
+ str = str.delete("=") unless padding
484
+ str
485
+ end
486
+
487
+ def urlsafe_decode64(str)
488
+ # NOTE: RFC 4648 does say nothing about unpadded input, but says that
489
+ # "the excess pad characters MAY also be ignored", so it is inferred that
490
+ # unpadded input is also acceptable.
491
+ str = str.tr("-_", "+/")
492
+ if !str.end_with?("=") && str.length % 4 != 0
493
+ str = str.ljust((str.length + 3) & ~3, "=")
494
+ end
495
+ strict_decode64(str)
496
+ end
497
+ end
498
+ }
499
+ end
500
+
501
+ def encode_csrf_token(csrf_token) # :nodoc:
502
+ if urlsafe_csrf_tokens
503
+ Base64.urlsafe_encode64(csrf_token, padding: false)
504
+ else
505
+ Base64.strict_encode64(csrf_token)
506
+ end
507
+ end
508
+
509
+ def decode_csrf_token(encoded_csrf_token) # :nodoc:
510
+ if urlsafe_csrf_tokens
511
+ Base64.urlsafe_decode64(encoded_csrf_token)
512
+ else
513
+ begin
514
+ Base64.strict_decode64(encoded_csrf_token)
515
+ rescue ArgumentError
516
+ Base64.urlsafe_decode64(encoded_csrf_token)
517
+ end
518
+ end
519
+ end
464
520
  end
465
521
  end
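Review bot: `generate_csrf_token` passes `padding: false` to `SecureRandom.urlsafe_base64`, but that method takes padding as a positional parameter (`def urlsafe_base64(n=nil, padding=false)` in every MRI release I am aware of), so the Hash lands in `padding`, is truthy, and the trailing `=` is kept — the opposite of the intent, and inconsistent with `encode_csrf_token`, which strips padding via `Base64.urlsafe_encode64(csrf_token, padding: false)`. Nothing breaks, because both `decode_csrf_token` branches accept padded input, but the session token is then not the unpadded form the CHANGELOG describes. Change it to `SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)` (the default already omits padding), or route it through `encode_csrf_token(SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH))` so session and masked tokens share one encoder. The `using` refinement for 2.2 is declared after `generate_csrf_token`, which is harmless only because that method does not touch `Base64`; a one-line comment stating that the refinement must precede `encode_csrf_token`/`decode_csrf_token` would save the next reorder.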
@@ -288,10 +288,12 @@ module ActionDispatch
288
288
 
289
289
  args = []
290
290
 
291
- route = record_list.map { |parent|
291
+ route = record_list.map do |parent|
292
292
  case parent
293
- when Symbol, String
293
+ when Symbol
294
294
  parent.to_s
295
+ when String
296
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
295
297
  when Class
296
298
  args << parent
297
299
  parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
299
301
  args << parent.to_model
300
302
  parent.to_model.model_name.singular_route_key
301
303
  end
302
- }
304
+ end
303
305
 
304
306
  route <<
305
307
  case record
306
- when Symbol, String
308
+ when Symbol
307
309
  record.to_s
310
+ when String
311
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
308
312
  when Class
309
313
  @key_strategy.call record.model_name
310
314
  else
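Review bot: The two new `when String` guards (one in the `record_list` loop, one on `record`) raise with a message aimed at developers, but the CHANGELOG on this page ties them to user-supplied arrays (CVE-2021-22885), so the intent should be pinned in code before someone folds `String` back into the `Symbol` branch: `# Strings are rejected on purpose: a user-controlled string here would choose which route helper gets called (CVE-2021-22885).` The identical message is duplicated in both branches; a single frozen constant would keep them in sync and the `raise(...)` parentheses are unidiomatic for Rails' style (`raise ArgumentError, "..."`). Callers that forward `params` arrays will now get an ArgumentError (a 500) instead of a silent helper call, which is the safer failure but worth spelling out in the message. The enclosing method starts and ends outside these hunks.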
@@ -9,7 +9,7 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
- TINY = 5
12
+ TINY = 6
13
13
  PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
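--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 5.2.5
+version: 5.2.6
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-26 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.5
+version: 5.2.6
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.5
+version: 5.2.6
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.5
+version: 5.2.6
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.5
+version: 5.2.6
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.5
+version: 5.2.6
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.5
+version: 5.2.6
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-source_code_uri: https://github.com/rails/rails/tree/v5.2.5/actionpack
-changelog_uri: https://github.com/rails/rails/blob/v5.2.5/actionpack/CHANGELOG.md
+source_code_uri: https://github.com/rails/rails/tree/v5.2.6/actionpack
+changelog_uri: https://github.com/rails/rails/blob/v5.2.6/actionpack/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).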