actionpack 6.0.2 → 6.0.2.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/lib/action_dispatch.rb +5 -4
- data/lib/action_dispatch/middleware/session/abstract_store.rb +14 -0
- data/lib/action_dispatch/middleware/session/cache_store.rb +11 -6
- data/lib/action_dispatch/middleware/session/cookie_store.rb +17 -7
- data/lib/action_dispatch/request/session.rb +7 -1
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +17 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fb4d2886c2ddd45b39d89f4adb1d70764435a236d046d4db4d703ad93318e464
|
4
|
+
data.tar.gz: 776bd2d00abd923d4a80437fb99fd77741d90ca0269b16ca2e03b3de99e966aa
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9858771c2bcabdc985dcd72927c56ec47fc4e54d3c1a1e0e116111fcf70046f8add6a4cde9448611552fae7131b6e87e68eec389212ff989174ebd7e997bb675
|
7
|
+
data.tar.gz: 3761566fbc2835aa652aee777633857b29e3dfab4556c3fc0a1f16ffa53f28cb3f7166fb42f04917bdf3df79e75320e0eea865f12ad4762deb6c5e0d47a969c8
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,13 @@
|
|
1
|
+
## Rails 6.0.2.1 (December 18, 2019) ##
|
2
|
+
|
3
|
+
* Fix possible information leak / session hijacking vulnerability.
|
4
|
+
|
5
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
6
|
+
gem dalli to be updated as well.
|
7
|
+
|
8
|
+
CVE-2019-16782.
|
9
|
+
|
10
|
+
|
1
11
|
## Rails 6.0.2 (December 13, 2019) ##
|
2
12
|
|
3
13
|
* Allow using mountable engine route helpers in System Tests.
|
data/lib/action_dispatch.rb
CHANGED
@@ -85,10 +85,11 @@ module ActionDispatch
|
|
85
85
|
end
|
86
86
|
|
87
87
|
module Session
|
88
|
-
autoload :AbstractStore,
|
89
|
-
autoload :
|
90
|
-
autoload :
|
91
|
-
autoload :
|
88
|
+
autoload :AbstractStore, "action_dispatch/middleware/session/abstract_store"
|
89
|
+
autoload :AbstractSecureStore, "action_dispatch/middleware/session/abstract_store"
|
90
|
+
autoload :CookieStore, "action_dispatch/middleware/session/cookie_store"
|
91
|
+
autoload :MemCacheStore, "action_dispatch/middleware/session/mem_cache_store"
|
92
|
+
autoload :CacheStore, "action_dispatch/middleware/session/cache_store"
|
92
93
|
end
|
93
94
|
|
94
95
|
mattr_accessor :test_app
|
@@ -83,7 +83,21 @@ module ActionDispatch
|
|
83
83
|
include SessionObject
|
84
84
|
|
85
85
|
private
|
86
|
+
def set_cookie(request, session_id, cookie)
|
87
|
+
request.cookie_jar[key] = cookie
|
88
|
+
end
|
89
|
+
end
|
90
|
+
|
91
|
+
class AbstractSecureStore < Rack::Session::Abstract::PersistedSecure
|
92
|
+
include Compatibility
|
93
|
+
include StaleSessionCheck
|
94
|
+
include SessionObject
|
95
|
+
|
96
|
+
def generate_sid
|
97
|
+
Rack::Session::SessionId.new(super)
|
98
|
+
end
|
86
99
|
|
100
|
+
private
|
87
101
|
def set_cookie(request, session_id, cookie)
|
88
102
|
request.cookie_jar[key] = cookie
|
89
103
|
end
|
@@ -12,7 +12,7 @@ module ActionDispatch
|
|
12
12
|
# * <tt>cache</tt> - The cache to use. If it is not specified, <tt>Rails.cache</tt> will be used.
|
13
13
|
# * <tt>expire_after</tt> - The length of time a session will be stored before automatically expiring.
|
14
14
|
# By default, the <tt>:expires_in</tt> option of the cache is used.
|
15
|
-
class CacheStore <
|
15
|
+
class CacheStore < AbstractSecureStore
|
16
16
|
def initialize(app, options = {})
|
17
17
|
@cache = options[:cache] || Rails.cache
|
18
18
|
options[:expire_after] ||= @cache.options[:expires_in]
|
@@ -21,7 +21,7 @@ module ActionDispatch
|
|
21
21
|
|
22
22
|
# Get a session from the cache.
|
23
23
|
def find_session(env, sid)
|
24
|
-
unless sid && (session =
|
24
|
+
unless sid && (session = get_session_with_fallback(sid))
|
25
25
|
sid, session = generate_sid, {}
|
26
26
|
end
|
27
27
|
[sid, session]
|
@@ -29,7 +29,7 @@ module ActionDispatch
|
|
29
29
|
|
30
30
|
# Set a session in the cache.
|
31
31
|
def write_session(env, sid, session, options)
|
32
|
-
key = cache_key(sid)
|
32
|
+
key = cache_key(sid.private_id)
|
33
33
|
if session
|
34
34
|
@cache.write(key, session, expires_in: options[:expire_after])
|
35
35
|
else
|
@@ -40,14 +40,19 @@ module ActionDispatch
|
|
40
40
|
|
41
41
|
# Remove a session from the cache.
|
42
42
|
def delete_session(env, sid, options)
|
43
|
-
@cache.delete(cache_key(sid))
|
43
|
+
@cache.delete(cache_key(sid.private_id))
|
44
|
+
@cache.delete(cache_key(sid.public_id))
|
44
45
|
generate_sid
|
45
46
|
end
|
46
47
|
|
47
48
|
private
|
48
49
|
# Turn the session id into a cache key.
|
49
|
-
def cache_key(
|
50
|
-
"_session_id:#{
|
50
|
+
def cache_key(id)
|
51
|
+
"_session_id:#{id}"
|
52
|
+
end
|
53
|
+
|
54
|
+
def get_session_with_fallback(sid)
|
55
|
+
@cache.read(cache_key(sid.private_id)) || @cache.read(cache_key(sid.public_id))
|
51
56
|
end
|
52
57
|
end
|
53
58
|
end
|
@@ -46,7 +46,16 @@ module ActionDispatch
|
|
46
46
|
# would set the session cookie to expire automatically 14 days after creation.
|
47
47
|
# Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
|
48
48
|
# <tt>:httponly</tt>.
|
49
|
-
class CookieStore <
|
49
|
+
class CookieStore < AbstractSecureStore
|
50
|
+
class SessionId < DelegateClass(Rack::Session::SessionId)
|
51
|
+
attr_reader :cookie_value
|
52
|
+
|
53
|
+
def initialize(session_id, cookie_value = {})
|
54
|
+
super(session_id)
|
55
|
+
@cookie_value = cookie_value
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
50
59
|
def initialize(app, options = {})
|
51
60
|
super(app, options.merge!(cookie_only: true))
|
52
61
|
end
|
@@ -54,7 +63,7 @@ module ActionDispatch
|
|
54
63
|
def delete_session(req, session_id, options)
|
55
64
|
new_sid = generate_sid unless options[:drop]
|
56
65
|
# Reset hash and Assign the new session id
|
57
|
-
req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid } : {})
|
66
|
+
req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {})
|
58
67
|
new_sid
|
59
68
|
end
|
60
69
|
|
@@ -62,7 +71,7 @@ module ActionDispatch
|
|
62
71
|
stale_session_check! do
|
63
72
|
data = unpacked_cookie_data(req)
|
64
73
|
data = persistent_session_id!(data)
|
65
|
-
[data["session_id"], data]
|
74
|
+
[Rack::Session::SessionId.new(data["session_id"]), data]
|
66
75
|
end
|
67
76
|
end
|
68
77
|
|
@@ -70,7 +79,8 @@ module ActionDispatch
|
|
70
79
|
|
71
80
|
def extract_session_id(req)
|
72
81
|
stale_session_check! do
|
73
|
-
unpacked_cookie_data(req)["session_id"]
|
82
|
+
sid = unpacked_cookie_data(req)["session_id"]
|
83
|
+
sid && Rack::Session::SessionId.new(sid)
|
74
84
|
end
|
75
85
|
end
|
76
86
|
|
@@ -88,13 +98,13 @@ module ActionDispatch
|
|
88
98
|
|
89
99
|
def persistent_session_id!(data, sid = nil)
|
90
100
|
data ||= {}
|
91
|
-
data["session_id"] ||= sid || generate_sid
|
101
|
+
data["session_id"] ||= sid || generate_sid.public_id
|
92
102
|
data
|
93
103
|
end
|
94
104
|
|
95
105
|
def write_session(req, sid, session_data, options)
|
96
|
-
session_data["session_id"] = sid
|
97
|
-
session_data
|
106
|
+
session_data["session_id"] = sid.public_id
|
107
|
+
SessionId.new(sid, session_data)
|
98
108
|
end
|
99
109
|
|
100
110
|
def set_cookie(request, session_id, cookie)
|
@@ -90,7 +90,13 @@ module ActionDispatch
|
|
90
90
|
# +nil+ if the given key is not found in the session.
|
91
91
|
def [](key)
|
92
92
|
load_for_read!
|
93
|
-
|
93
|
+
key = key.to_s
|
94
|
+
|
95
|
+
if key == "session_id"
|
96
|
+
id&.public_id
|
97
|
+
else
|
98
|
+
@delegate[key]
|
99
|
+
end
|
94
100
|
end
|
95
101
|
|
96
102
|
# Returns the nested value specified by the sequence of keys, returning
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.0.2
|
4
|
+
version: 6.0.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-12-
|
11
|
+
date: 2019-12-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.0.2
|
19
|
+
version: 6.0.2.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.0.2
|
26
|
+
version: 6.0.2.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -31,6 +31,9 @@ dependencies:
|
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
33
|
version: '2.0'
|
34
|
+
- - ">="
|
35
|
+
- !ruby/object:Gem::Version
|
36
|
+
version: 2.0.8
|
34
37
|
type: :runtime
|
35
38
|
prerelease: false
|
36
39
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -38,6 +41,9 @@ dependencies:
|
|
38
41
|
- - "~>"
|
39
42
|
- !ruby/object:Gem::Version
|
40
43
|
version: '2.0'
|
44
|
+
- - ">="
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: 2.0.8
|
41
47
|
- !ruby/object:Gem::Dependency
|
42
48
|
name: rack-test
|
43
49
|
requirement: !ruby/object:Gem::Requirement
|
@@ -92,28 +98,28 @@ dependencies:
|
|
92
98
|
requirements:
|
93
99
|
- - '='
|
94
100
|
- !ruby/object:Gem::Version
|
95
|
-
version: 6.0.2
|
101
|
+
version: 6.0.2.1
|
96
102
|
type: :runtime
|
97
103
|
prerelease: false
|
98
104
|
version_requirements: !ruby/object:Gem::Requirement
|
99
105
|
requirements:
|
100
106
|
- - '='
|
101
107
|
- !ruby/object:Gem::Version
|
102
|
-
version: 6.0.2
|
108
|
+
version: 6.0.2.1
|
103
109
|
- !ruby/object:Gem::Dependency
|
104
110
|
name: activemodel
|
105
111
|
requirement: !ruby/object:Gem::Requirement
|
106
112
|
requirements:
|
107
113
|
- - '='
|
108
114
|
- !ruby/object:Gem::Version
|
109
|
-
version: 6.0.2
|
115
|
+
version: 6.0.2.1
|
110
116
|
type: :development
|
111
117
|
prerelease: false
|
112
118
|
version_requirements: !ruby/object:Gem::Requirement
|
113
119
|
requirements:
|
114
120
|
- - '='
|
115
121
|
- !ruby/object:Gem::Version
|
116
|
-
version: 6.0.2
|
122
|
+
version: 6.0.2.1
|
117
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
118
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
119
125
|
email: david@loudthinking.com
|
@@ -304,10 +310,10 @@ licenses:
|
|
304
310
|
- MIT
|
305
311
|
metadata:
|
306
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
307
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.0.2/actionpack/CHANGELOG.md
|
308
|
-
documentation_uri: https://api.rubyonrails.org/v6.0.2/
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.0.2.1/actionpack/CHANGELOG.md
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v6.0.2.1/
|
309
315
|
mailing_list_uri: https://groups.google.com/forum/#!forum/rubyonrails-talk
|
310
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.0.2/actionpack
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.0.2.1/actionpack
|
311
317
|
post_install_message:
|
312
318
|
rdoc_options: []
|
313
319
|
require_paths:
|