actionpack 6.0.3.1 → 6.0.3.6
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fab060574d42079154040a9edaf49c8b6667dfd510196c1f6224237b1ba89059
|
4
|
+
data.tar.gz: e2ec4deaeba7ec71e39ef196eeef0aaf14b6b54ff906d587903eb1e7dabeca9a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9795ff64ab0308ba97f6be07db499d681c13d363bb15515a704a84a7251c8873334319b411106e1d3901a975a9554394c66aa4f9a99ac311da2768e27080734a
|
7
|
+
data.tar.gz: 05b9e7e3acbc4ea5b38e378c0b09bdbc458c3f6d273d369205baf6c5bfc038721a1ab0ed48150ae07ff17adee5830b012302d064fda7a0cb349e6a0d9f3514a2
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,34 @@
|
|
1
|
+
## Rails 6.0.3.6 (March 26, 2021) ##
|
2
|
+
|
3
|
+
* No changes.
|
4
|
+
|
5
|
+
|
6
|
+
## Rails 6.0.3.5 (February 10, 2021) ##
|
7
|
+
|
8
|
+
* Prevent open redirect when allowed host starts with a dot
|
9
|
+
|
10
|
+
[CVE-2021-22881]
|
11
|
+
|
12
|
+
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
13
|
+
issue and the patch!
|
14
|
+
|
15
|
+
*Aaron Patterson*
|
16
|
+
|
17
|
+
|
18
|
+
## Rails 6.0.3.4 (October 07, 2020) ##
|
19
|
+
|
20
|
+
* [CVE-2020-8264] Prevent XSS in Actionable Exceptions
|
21
|
+
|
22
|
+
|
23
|
+
## Rails 6.0.3.3 (September 09, 2020) ##
|
24
|
+
|
25
|
+
* No changes.
|
26
|
+
|
27
|
+
|
28
|
+
## Rails 6.0.3.2 (June 17, 2020) ##
|
29
|
+
|
30
|
+
* [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
|
31
|
+
|
1
32
|
## Rails 6.0.3.1 (May 18, 2020) ##
|
2
33
|
|
3
34
|
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
@@ -1,6 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require "erb"
|
4
|
+
require "uri"
|
4
5
|
require "action_dispatch/http/request"
|
5
6
|
require "active_support/actionable_error"
|
6
7
|
|
@@ -23,11 +24,17 @@ module ActionDispatch
|
|
23
24
|
|
24
25
|
private
|
25
26
|
def actionable_request?(request)
|
26
|
-
request.
|
27
|
+
request.get_header("action_dispatch.show_detailed_exceptions") && request.post? && request.path == endpoint
|
27
28
|
end
|
28
29
|
|
29
30
|
def redirect_to(location)
|
30
|
-
|
31
|
+
uri = URI.parse location
|
32
|
+
|
33
|
+
if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
|
34
|
+
body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
|
35
|
+
else
|
36
|
+
return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection URI"]]
|
37
|
+
end
|
31
38
|
|
32
39
|
[302, {
|
33
40
|
"Content-Type" => "text/html; charset=#{Response.default_charset}",
|
@@ -87,11 +87,20 @@ module ActionDispatch
|
|
87
87
|
|
88
88
|
private
|
89
89
|
def authorized?(request)
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
90
|
+
valid_host = /
|
91
|
+
\A
|
92
|
+
(?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
|
93
|
+
(:\d+)?
|
94
|
+
\z
|
95
|
+
/x
|
96
|
+
|
97
|
+
origin_host = valid_host.match(
|
98
|
+
request.get_header("HTTP_HOST").to_s.downcase)
|
99
|
+
forwarded_host = valid_host.match(
|
100
|
+
request.x_forwarded_host.to_s.split(/,\s?/).last)
|
101
|
+
|
102
|
+
origin_host && @permissions.allows?(origin_host[:host]) && (
|
103
|
+
forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
|
95
104
|
end
|
96
105
|
|
97
106
|
def mark_as_authorized(request)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.0.3.
|
4
|
+
version: 6.0.3.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-03-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.0.3.
|
19
|
+
version: 6.0.3.6
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.0.3.
|
26
|
+
version: 6.0.3.6
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 6.0.3.
|
101
|
+
version: 6.0.3.6
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 6.0.3.
|
108
|
+
version: 6.0.3.6
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 6.0.3.
|
115
|
+
version: 6.0.3.6
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 6.0.3.
|
122
|
+
version: 6.0.3.6
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -310,10 +310,10 @@ licenses:
|
|
310
310
|
- MIT
|
311
311
|
metadata:
|
312
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
313
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.0.3.
|
314
|
-
documentation_uri: https://api.rubyonrails.org/v6.0.3.
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.0.3.6/actionpack/CHANGELOG.md
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v6.0.3.6/
|
315
315
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
316
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.0.3.
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.0.3.6/actionpack
|
317
317
|
post_install_message:
|
318
318
|
rdoc_options: []
|
319
319
|
require_paths:
|