actionpack 6.0.2 → 6.0.2.1



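--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8f7246f24a9df271c75ef6414d3508051e6081939be38345b3eecaf2b0de687e
-  data.tar.gz: 37136a7416097b294ce52c275ee5a752fe37f42e0caedb04328d1484ba05b852
+  metadata.gz: fb4d2886c2ddd45b39d89f4adb1d70764435a236d046d4db4d703ad93318e464
+  data.tar.gz: 776bd2d00abd923d4a80437fb99fd77741d90ca0269b16ca2e03b3de99e966aa
 SHA512:
-  metadata.gz: 66a86fdd9a72d5e8c6e243a47092a25f92a3d702fe6463cc144919a75433a7309105d9f76fc54b29d697d41e02e6e57972bbb3800e7c190bcf30b5252f25c8c3
-  data.tar.gz: 751c2c6c7b5c5d87b7f2959d22853b2427170b19d8ae8395d3ee17070761812ef37705e9b23c59dc6acd057c9caa2b3b24a2544e61a8a3eb9bc357bfd03ab0d8
+  metadata.gz: 9858771c2bcabdc985dcd72927c56ec47fc4e54d3c1a1e0e116111fcf70046f8add6a4cde9448611552fae7131b6e87e68eec389212ff989174ebd7e997bb675
+  data.tar.gz: 3761566fbc2835aa652aee777633857b29e3dfab4556c3fc0a1f16ffa53f28cb3f7166fb42f04917bdf3df79e75320e0eea865f12ad4762deb6c5e0d47a969c8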
@@ -1,3 +1,13 @@
1
+ ## Rails 6.0.2.1 (December 18, 2019) ##
2
+
3
+ * Fix possible information leak / session hijacking vulnerability.
4
+
5
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
6
+ gem dalli to be updated as well.
7
+
8
+ CVE-2019-16782.
9
+
10
+
1
11
  ## Rails 6.0.2 (December 13, 2019) ##
2
12
 
3
13
  * Allow using mountable engine route helpers in System Tests.
@@ -85,10 +85,11 @@ module ActionDispatch
85
85
  end
86
86
 
87
87
  module Session
88
- autoload :AbstractStore, "action_dispatch/middleware/session/abstract_store"
89
- autoload :CookieStore, "action_dispatch/middleware/session/cookie_store"
90
- autoload :MemCacheStore, "action_dispatch/middleware/session/mem_cache_store"
91
- autoload :CacheStore, "action_dispatch/middleware/session/cache_store"
88
+ autoload :AbstractStore, "action_dispatch/middleware/session/abstract_store"
89
+ autoload :AbstractSecureStore, "action_dispatch/middleware/session/abstract_store"
90
+ autoload :CookieStore, "action_dispatch/middleware/session/cookie_store"
91
+ autoload :MemCacheStore, "action_dispatch/middleware/session/mem_cache_store"
92
+ autoload :CacheStore, "action_dispatch/middleware/session/cache_store"
92
93
  end
93
94
 
94
95
  mattr_accessor :test_app
@@ -83,7 +83,21 @@ module ActionDispatch
83
83
  include SessionObject
84
84
 
85
85
  private
86
+ def set_cookie(request, session_id, cookie)
87
+ request.cookie_jar[key] = cookie
88
+ end
89
+ end
90
+
91
+ class AbstractSecureStore < Rack::Session::Abstract::PersistedSecure
92
+ include Compatibility
93
+ include StaleSessionCheck
94
+ include SessionObject
95
+
96
+ def generate_sid
97
+ Rack::Session::SessionId.new(super)
98
+ end
86
99
 
100
+ private
87
101
  def set_cookie(request, session_id, cookie)
88
102
  request.cookie_jar[key] = cookie
89
103
  end
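Review bot: The new `AbstractSecureStore` class and its `generate_sid` override carry no documentation, although every store shipped in this release now inherits from it. A class comment along the lines of `# Base class for stores that persist session data under Rack::Session::SessionId#private_id; the client only ever sees the public id (see Rack::Session::Abstract::PersistedSecure).` would tell the next maintainer why `super` is wrapped in `Rack::Session::SessionId.new` — presumably because the included `Compatibility#generate_sid` returns a plain String, but its definition is outside this hunk, so confirm. `Rack::Session::Abstract::PersistedSecure` and `Rack::Session::SessionId` only exist from rack 2.0.8, which matches the `>= 2.0.8` bound this release adds in the gem metadata; naming that floor in the comment keeps it from being loosened later. The first `end` in the hunk closes the enclosing class from before the hunk, and `AbstractSecureStore` itself continues past the last line shown.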
@@ -12,7 +12,7 @@ module ActionDispatch
12
12
  # * <tt>cache</tt> - The cache to use. If it is not specified, <tt>Rails.cache</tt> will be used.
13
13
  # * <tt>expire_after</tt> - The length of time a session will be stored before automatically expiring.
14
14
  # By default, the <tt>:expires_in</tt> option of the cache is used.
15
- class CacheStore < AbstractStore
15
+ class CacheStore < AbstractSecureStore
16
16
  def initialize(app, options = {})
17
17
  @cache = options[:cache] || Rails.cache
18
18
  options[:expire_after] ||= @cache.options[:expires_in]
@@ -21,7 +21,7 @@ module ActionDispatch
21
21
 
22
22
  # Get a session from the cache.
23
23
  def find_session(env, sid)
24
- unless sid && (session = @cache.read(cache_key(sid)))
24
+ unless sid && (session = get_session_with_fallback(sid))
25
25
  sid, session = generate_sid, {}
26
26
  end
27
27
  [sid, session]
@@ -29,7 +29,7 @@ module ActionDispatch
29
29
 
30
30
  # Set a session in the cache.
31
31
  def write_session(env, sid, session, options)
32
- key = cache_key(sid)
32
+ key = cache_key(sid.private_id)
33
33
  if session
34
34
  @cache.write(key, session, expires_in: options[:expire_after])
35
35
  else
@@ -40,14 +40,19 @@ module ActionDispatch
40
40
 
41
41
  # Remove a session from the cache.
42
42
  def delete_session(env, sid, options)
43
- @cache.delete(cache_key(sid))
43
+ @cache.delete(cache_key(sid.private_id))
44
+ @cache.delete(cache_key(sid.public_id))
44
45
  generate_sid
45
46
  end
46
47
 
47
48
  private
48
49
  # Turn the session id into a cache key.
49
- def cache_key(sid)
50
- "_session_id:#{sid}"
50
+ def cache_key(id)
51
+ "_session_id:#{id}"
52
+ end
53
+
54
+ def get_session_with_fallback(sid)
55
+ @cache.read(cache_key(sid.private_id)) || @cache.read(cache_key(sid.public_id))
51
56
  end
52
57
  end
53
58
  end
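Review bot: `write_session` now stores the session only under `cache_key(sid.private_id)`, but a session that `get_session_with_fallback` located under the legacy `public_id` key is never removed on write, so the old entry — keyed by the value the client holds — stays readable until its `expires_in` elapses; only `delete_session` clears both keys. If the fallback is meant as a one-time migration, `write_session` could drop the legacy entry after the write, `@cache.delete(cache_key(sid.public_id))`, at the cost of one extra cache call per write. `get_session_with_fallback` also deserves a comment naming the fallback as compatibility for sessions written by earlier releases, e.g. `# Prefer the private_id key; fall back to the public_id key so sessions written before this release stay valid.` The `sid` → `id` rename in `cache_key` is the right call now that it is fed either id.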
@@ -46,7 +46,16 @@ module ActionDispatch
46
46
  # would set the session cookie to expire automatically 14 days after creation.
47
47
  # Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
48
48
  # <tt>:httponly</tt>.
49
- class CookieStore < AbstractStore
49
+ class CookieStore < AbstractSecureStore
50
+ class SessionId < DelegateClass(Rack::Session::SessionId)
51
+ attr_reader :cookie_value
52
+
53
+ def initialize(session_id, cookie_value = {})
54
+ super(session_id)
55
+ @cookie_value = cookie_value
56
+ end
57
+ end
58
+
50
59
  def initialize(app, options = {})
51
60
  super(app, options.merge!(cookie_only: true))
52
61
  end
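Review bot: The nested `CookieStore::SessionId` class has no comment explaining why a cookie store needs its own id wrapper. From the later hunks, `write_session` returns `SessionId.new(sid, session_data)`, and `CookieStore` overrides `set_cookie` (its signature is the last context line of this section, the body is outside), so the wrapper presumably carries the session payload alongside the `Rack::Session::SessionId` for that override — a comment such as `# Pairs the Rack session id with the cookie payload so set_cookie can write the data, not just the id.` would make that explicit. `DelegateClass` needs `require "delegate"`; the file's require block is not in these hunks, so confirm it is loaded here rather than relying on another file having required it. The `cookie_value = {}` default is a fresh hash per call, so there is no shared-default concern.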
@@ -54,7 +63,7 @@ module ActionDispatch
54
63
  def delete_session(req, session_id, options)
55
64
  new_sid = generate_sid unless options[:drop]
56
65
  # Reset hash and Assign the new session id
57
- req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid } : {})
66
+ req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {})
58
67
  new_sid
59
68
  end
60
69
 
@@ -62,7 +71,7 @@ module ActionDispatch
62
71
  stale_session_check! do
63
72
  data = unpacked_cookie_data(req)
64
73
  data = persistent_session_id!(data)
65
- [data["session_id"], data]
74
+ [Rack::Session::SessionId.new(data["session_id"]), data]
66
75
  end
67
76
  end
68
77
 
@@ -70,7 +79,8 @@ module ActionDispatch
70
79
 
71
80
  def extract_session_id(req)
72
81
  stale_session_check! do
73
- unpacked_cookie_data(req)["session_id"]
82
+ sid = unpacked_cookie_data(req)["session_id"]
83
+ sid && Rack::Session::SessionId.new(sid)
74
84
  end
75
85
  end
76
86
 
@@ -88,13 +98,13 @@ module ActionDispatch
88
98
 
89
99
  def persistent_session_id!(data, sid = nil)
90
100
  data ||= {}
91
- data["session_id"] ||= sid || generate_sid
101
+ data["session_id"] ||= sid || generate_sid.public_id
92
102
  data
93
103
  end
94
104
 
95
105
  def write_session(req, sid, session_data, options)
96
- session_data["session_id"] = sid
97
- session_data
106
+ session_data["session_id"] = sid.public_id
107
+ SessionId.new(sid, session_data)
98
108
  end
99
109
 
100
110
  def set_cookie(request, session_id, cookie)
@@ -90,7 +90,13 @@ module ActionDispatch
90
90
  # +nil+ if the given key is not found in the session.
91
91
  def [](key)
92
92
  load_for_read!
93
- @delegate[key.to_s]
93
+ key = key.to_s
94
+
95
+ if key == "session_id"
96
+ id&.public_id
97
+ else
98
+ @delegate[key]
99
+ end
94
100
  end
95
101
 
96
102
  # Returns the nested value specified by the sequence of keys, returning
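Review bot: The special case for `"session_id"` in `[]` has no comment, and it silently changes what callers get back: they now receive `id&.public_id` instead of whatever `@delegate` holds under that key, and `nil` when there is no id. A one-line comment keeps the intent from being "simplified" away later, e.g. `# Never hand out the stored id; only the public id may leave the session.` — the rationale is inferred, since `id` is defined outside this hunk. Style-wise the `if`/`else` reads more naturally as a guard: `return id&.public_id if key == "session_id"` followed by `@delegate[key]`.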
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
12
  TINY = 2
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
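--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.0.2
+  version: 6.0.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-13 00:00:00.000000000 Z
+date: 2019-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.2.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -31,6 +31,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -38,6 +41,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.8
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.2.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.2.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.2.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -304,10 +310,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.0.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.2/
+  changelog_uri: https://github.com/rails/rails/blob/v6.0.2.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.2.1/
   mailing_list_uri: https://groups.google.com/forum/#!forum/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.2.1/actionpack
 post_install_message:
 rdoc_options: []
 require_paths: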