actionpack 6.0.3.1 → 6.0.3.6

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +31 -0
  3. data/lib/action_dispatch/middleware/actionable_exceptions.rb +9 -2
  4. data/lib/action_dispatch/middleware/host_authorization.rb +14 -5
  5. data/lib/action_pack/gem_version.rb +1 -1
  6. metadata +11 -11
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: cea1a6e97ad71b6bdb89d088483a226435d5f816fe7ed4c84bc86181f89e9970
4
- data.tar.gz: 35dde1277befcd899fb4c05a9d87b995928bcc212e18ff5e5b7bb213fc5bc480
3
+ metadata.gz: fab060574d42079154040a9edaf49c8b6667dfd510196c1f6224237b1ba89059
4
+ data.tar.gz: e2ec4deaeba7ec71e39ef196eeef0aaf14b6b54ff906d587903eb1e7dabeca9a
5
5
  SHA512:
6
- metadata.gz: 475424613f5ed1166d535bf17838d2614a12993935823dbe6e325b368425de9826a96c9a23bdf7045b92a3392605cb69809551506a4af66c1ccc91180cf802e8
7
- data.tar.gz: b0fdf9842a0871fd87f8a4f6a46a112a75c27ab9f0f923f5b8a87becc1a33aac1326e75c5f205b61b2419e5a3f617eb3e2deaaf0da4fe861258dd4266ddf25ab
6
+ metadata.gz: 9795ff64ab0308ba97f6be07db499d681c13d363bb15515a704a84a7251c8873334319b411106e1d3901a975a9554394c66aa4f9a99ac311da2768e27080734a
7
+ data.tar.gz: 05b9e7e3acbc4ea5b38e378c0b09bdbc458c3f6d273d369205baf6c5bfc038721a1ab0ed48150ae07ff17adee5830b012302d064fda7a0cb349e6a0d9f3514a2
data/CHANGELOG.md CHANGED
@@ -1,3 +1,34 @@
1
+ ## Rails 6.0.3.6 (March 26, 2021) ##
2
+
3
+ * No changes.
4
+
5
+
6
+ ## Rails 6.0.3.5 (February 10, 2021) ##
7
+
8
+ * Prevent open redirect when allowed host starts with a dot
9
+
10
+ [CVE-2021-22881]
11
+
12
+ Thanks to @tktech (https://hackerone.com/tktech) for reporting this
13
+ issue and the patch!
14
+
15
+ *Aaron Patterson*
16
+
17
+
18
+ ## Rails 6.0.3.4 (October 07, 2020) ##
19
+
20
+ * [CVE-2020-8264] Prevent XSS in Actionable Exceptions
21
+
22
+
23
+ ## Rails 6.0.3.3 (September 09, 2020) ##
24
+
25
+ * No changes.
26
+
27
+
28
+ ## Rails 6.0.3.2 (June 17, 2020) ##
29
+
30
+ * [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
31
+
1
32
  ## Rails 6.0.3.1 (May 18, 2020) ##
2
33
 
3
34
  * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
data/lib/action_dispatch/middleware/actionable_exceptions.rb CHANGED
@@ -1,6 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "erb"
4
+ require "uri"
4
5
  require "action_dispatch/http/request"
5
6
  require "active_support/actionable_error"
6
7
 
@@ -23,11 +24,17 @@ module ActionDispatch
23
24
 
24
25
  private
25
26
  def actionable_request?(request)
26
- request.show_exceptions? && request.post? && request.path == endpoint
27
+ request.get_header("action_dispatch.show_detailed_exceptions") && request.post? && request.path == endpoint
27
28
  end
28
29
 
29
30
  def redirect_to(location)
30
- body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
31
+ uri = URI.parse location
32
+
33
+ if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
34
+ body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
35
+ else
36
+ return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection URI"]]
37
+ end
31
38
 
32
39
  [302, {
33
40
  "Content-Type" => "text/html; charset=#{Response.default_charset}",
data/lib/action_dispatch/middleware/host_authorization.rb CHANGED
@@ -87,11 +87,20 @@ module ActionDispatch
87
87
 
88
88
  private
89
89
  def authorized?(request)
90
- origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
91
- forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
92
-
93
- @permissions.allows?(origin_host) &&
94
- (forwarded_host.blank? || @permissions.allows?(forwarded_host))
90
+ valid_host = /
91
+ \A
92
+ (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
93
+ (:\d+)?
94
+ \z
95
+ /x
96
+
97
+ origin_host = valid_host.match(
98
+ request.get_header("HTTP_HOST").to_s.downcase)
99
+ forwarded_host = valid_host.match(
100
+ request.x_forwarded_host.to_s.split(/,\s?/).last)
101
+
102
+ origin_host && @permissions.allows?(origin_host[:host]) && (
103
+ forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
95
104
  end
96
105
 
97
106
  def mark_as_authorized(request)
data/lib/action_pack/gem_version.rb CHANGED
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
12
  TINY = 3
13
- PRE = "1"
13
+ PRE = "6"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.3.1
4
+ version: 6.0.3.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-05-18 00:00:00.000000000 Z
11
+ date: 2021-03-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.0.3.1
19
+ version: 6.0.3.6
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.0.3.1
26
+ version: 6.0.3.6
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 6.0.3.1
101
+ version: 6.0.3.6
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 6.0.3.1
108
+ version: 6.0.3.6
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 6.0.3.1
115
+ version: 6.0.3.6
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 6.0.3.1
122
+ version: 6.0.3.6
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
310
310
  - MIT
311
311
  metadata:
312
312
  bug_tracker_uri: https://github.com/rails/rails/issues
313
- changelog_uri: https://github.com/rails/rails/blob/v6.0.3.1/actionpack/CHANGELOG.md
314
- documentation_uri: https://api.rubyonrails.org/v6.0.3.1/
313
+ changelog_uri: https://github.com/rails/rails/blob/v6.0.3.6/actionpack/CHANGELOG.md
314
+ documentation_uri: https://api.rubyonrails.org/v6.0.3.6/
315
315
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
316
- source_code_uri: https://github.com/rails/rails/tree/v6.0.3.1/actionpack
316
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.3.6/actionpack
317
317
  post_install_message:
318
318
  rdoc_options: []
319
319
  require_paths: