actionpack 6.0.3.2 → 6.0.3.7
- checksums.yaml +4 -4
- data/CHANGELOG.md +45 -0
- data/lib/action_controller/metal/http_authentication.rb +1 -1
- data/lib/action_dispatch/http/mime_type.rb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +8 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +14 -5
- data/lib/action_dispatch/routing/polymorphic_routes.rb +8 -4
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +11 -11
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: 689cadf2c5055a30bce24daa0dbd2c5f4e9b62b8e05f318527556df6a1bbc0bd
         | 
| 4 | 
            +
              data.tar.gz: db971eb4537c26d3c61aaeb5933a936ab80465ab7533c3a1fd96fed34bc98159
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: bb3325660659b91dd7917b48dfd211078d28812bfae7695e224599573835d7c42994ead64ebeb5c121d1dbc4ac30da9ae0f3a0be304892c914ce2309d8b3fc2b
         | 
| 7 | 
            +
              data.tar.gz: 826160c64038886b1bc08301f8d4782cd1564f5b167d452bd87b8870043581dc971bb9f5a54075001fe254148fc8845187f660f4cf4fcb84f5dfdf17bfb85dda
         | 
    
        data/CHANGELOG.md
    CHANGED
    
    | @@ -1,3 +1,48 @@ | |
| 1 | 
            +
            ## Rails 6.0.3.7 (May 05, 2021) ##
         | 
| 2 | 
            +
             | 
| 3 | 
            +
            *   Prevent catastrophic backtracking during mime parsing
         | 
| 4 | 
            +
                CVE-2021-22902
         | 
| 5 | 
            +
             | 
| 6 | 
            +
            *   Prevent regex DoS in HTTP token authentication
         | 
| 7 | 
            +
                CVE-2021-22904
         | 
| 8 | 
            +
             | 
| 9 | 
            +
            *   Prevent string polymorphic route arguments.
         | 
| 10 | 
            +
             | 
| 11 | 
            +
                `url_for` supports building polymorphic URLs via an array
         | 
| 12 | 
            +
                of arguments (usually symbols and records). If a developer passes a
         | 
| 13 | 
            +
                user input array, strings can result in unwanted route helper calls.
         | 
| 14 | 
            +
             | 
| 15 | 
            +
                CVE-2021-22885
         | 
| 16 | 
            +
             | 
| 17 | 
            +
                *Gannon McGibbon*
         | 
| 18 | 
            +
             | 
| 19 | 
            +
            ## Rails 6.0.3.6 (March 26, 2021) ##
         | 
| 20 | 
            +
             | 
| 21 | 
            +
            *   No changes.
         | 
| 22 | 
            +
             | 
| 23 | 
            +
             | 
| 24 | 
            +
            ## Rails 6.0.3.5 (February 10, 2021) ##
         | 
| 25 | 
            +
             | 
| 26 | 
            +
            *   Prevent open redirect when allowed host starts with a dot
         | 
| 27 | 
            +
             | 
| 28 | 
            +
                [CVE-2021-22881]
         | 
| 29 | 
            +
             | 
| 30 | 
            +
                Thanks to @tktech (https://hackerone.com/tktech) for reporting this
         | 
| 31 | 
            +
                issue and the patch!
         | 
| 32 | 
            +
             | 
| 33 | 
            +
                *Aaron Patterson*
         | 
| 34 | 
            +
             | 
| 35 | 
            +
             | 
| 36 | 
            +
            ## Rails 6.0.3.4 (October 07, 2020) ##
         | 
| 37 | 
            +
             | 
| 38 | 
            +
            *   [CVE-2020-8264] Prevent XSS in Actionable Exceptions
         | 
| 39 | 
            +
             | 
| 40 | 
            +
             | 
| 41 | 
            +
            ## Rails 6.0.3.3 (September 09, 2020) ##
         | 
| 42 | 
            +
             | 
| 43 | 
            +
            *   No changes.
         | 
| 44 | 
            +
             | 
| 45 | 
            +
             | 
| 1 46 | 
             
            ## Rails 6.0.3.2 (June 17, 2020) ##
         | 
| 2 47 |  | 
| 3 48 | 
             
            *   [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
         | 
| @@ -226,7 +226,7 @@ module Mime | |
| 226 226 | 
             
                MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
         | 
| 227 227 | 
             
                MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
         | 
| 228 228 | 
             
                MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
         | 
| 229 | 
            -
                MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})( | 
| 229 | 
            +
                MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
         | 
| 230 230 |  | 
| 231 231 | 
             
                class InvalidMimeType < StandardError; end
         | 
| 232 232 |  | 
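Review bot: The atomic group `(?>…)` on the new `MIME_REGEXP` line is the whole backtracking fix, and nothing in the file says so; a later edit that "simplifies" it back to a plain `( … )*` would silently reintroduce the problem. Add a comment above the constant, e.g. `# Atomic group: once a parameter has matched the engine must not backtrack into it; a plain group lets a long run of separators/whitespace explode (CVE-2021-22902).` Note also that `MIME_PARAMETER` on the context line is a double-quoted string, where `\s` is Ruby's escape for a literal space, so the interpolated separator matches spaces only while the `\s*` written in the regex literal around it matches any whitespace; if that narrowing is unintended, build `MIME_PARAMETER` with single quotes so `\s` reaches the regex engine. The removed version of the line is truncated in this view.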
| @@ -1,6 +1,7 @@ | |
| 1 1 | 
             
            # frozen_string_literal: true
         | 
| 2 2 |  | 
| 3 3 | 
             
            require "erb"
         | 
| 4 | 
            +
            require "uri"
         | 
| 4 5 | 
             
            require "action_dispatch/http/request"
         | 
| 5 6 | 
             
            require "active_support/actionable_error"
         | 
| 6 7 |  | 
| @@ -27,7 +28,13 @@ module ActionDispatch | |
| 27 28 | 
             
                  end
         | 
| 28 29 |  | 
| 29 30 | 
             
                  def redirect_to(location)
         | 
| 30 | 
            -
                     | 
| 31 | 
            +
                    uri = URI.parse location
         | 
| 32 | 
            +
             | 
| 33 | 
            +
                    if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
         | 
| 34 | 
            +
                      body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
         | 
| 35 | 
            +
                    else
         | 
| 36 | 
            +
                      return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection URI"]]
         | 
| 37 | 
            +
                    end
         | 
| 31 38 |  | 
| 32 39 | 
             
                    [302, {
         | 
| 33 40 | 
             
                      "Content-Type" => "text/html; charset=#{Response.default_charset}",
         | 
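Review bot: `URI.parse location` on the first added line raises `URI::InvalidURIError` for a malformed or nil `location` (spaces, stray brackets, and similar), and the hunk rescues nothing, so such input ends in an exception rather than the 400 that the new `else` branch returns for a bad scheme. Add a method-level rescue before the method's `end` (which lies outside the hunk): `rescue URI::InvalidURIError` followed by `[400, {"Content-Type" => "text/plain"}, ["Invalid redirection URI"]]`, so both failure modes answer the same way. Where `location` comes from is not visible here, so whether nil can actually reach this point is an assumption. Stylistically, a call with an argument takes parentheses: `uri = URI.parse(location)`.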
| @@ -87,11 +87,20 @@ module ActionDispatch | |
| 87 87 |  | 
| 88 88 | 
             
                private
         | 
| 89 89 | 
             
                  def authorized?(request)
         | 
| 90 | 
            -
                     | 
| 91 | 
            -
             | 
| 92 | 
            -
             | 
| 93 | 
            -
             | 
| 94 | 
            -
                       | 
| 90 | 
            +
                    valid_host = /
         | 
| 91 | 
            +
                      \A
         | 
| 92 | 
            +
                      (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
         | 
| 93 | 
            +
                      (:\d+)?
         | 
| 94 | 
            +
                      \z
         | 
| 95 | 
            +
                    /x
         | 
| 96 | 
            +
             | 
| 97 | 
            +
                    origin_host = valid_host.match(
         | 
| 98 | 
            +
                      request.get_header("HTTP_HOST").to_s.downcase)
         | 
| 99 | 
            +
                    forwarded_host = valid_host.match(
         | 
| 100 | 
            +
                      request.x_forwarded_host.to_s.split(/,\s?/).last)
         | 
| 101 | 
            +
             | 
| 102 | 
            +
                    origin_host && @permissions.allows?(origin_host[:host]) && (
         | 
| 103 | 
            +
                      forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
         | 
| 95 104 | 
             
                  end
         | 
| 96 105 |  | 
| 97 106 | 
             
                  def mark_as_authorized(request)
         | 
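Review bot: The forwarded host on the `request.x_forwarded_host` line is never downcased, while `HTTP_HOST` two lines above is, and `valid_host` only accepts `[a-z0-9.-]`; a forwarded value with uppercase letters, or any other character the pattern rejects, therefore leaves `forwarded_host` nil, and the final expression treats that exactly like an absent header and authorizes on the origin host alone. That conflates "absent" with "present but invalid"; if, as elsewhere in ActionDispatch, the request's host accessors prefer X-Forwarded-Host when it is set, the value that skipped the allow-list is the one the application goes on to use. Keep the raw forwarded value separately, normalise it the same way as the origin host, and accept nil only when the header really was empty, as below. Separately, `valid_host` is rebuilt on every call; hoisting it to a frozen constant would be cheaper and make the `\A…\z` anchoring easier to audit.

```ruby
        def authorized?(request)
          # … unchanged: valid_host regex and origin_host match …
          forwarded = request.x_forwarded_host.to_s.split(/,\s?/).last
          forwarded_host = valid_host.match(forwarded.to_s.downcase)

          origin_host && @permissions.allows?(origin_host[:host]) && (
            forwarded.nil? || (forwarded_host && @permissions.allows?(forwarded_host[:host])))
        end
```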
| @@ -286,10 +286,12 @@ module ActionDispatch | |
| 286 286 |  | 
| 287 287 | 
             
                        args = []
         | 
| 288 288 |  | 
| 289 | 
            -
                        route = record_list.map  | 
| 289 | 
            +
                        route = record_list.map do |parent|
         | 
| 290 290 | 
             
                          case parent
         | 
| 291 | 
            -
                          when Symbol | 
| 291 | 
            +
                          when Symbol
         | 
| 292 292 | 
             
                            parent.to_s
         | 
| 293 | 
            +
                          when String
         | 
| 294 | 
            +
                            raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
         | 
| 293 295 | 
             
                          when Class
         | 
| 294 296 | 
             
                            args << parent
         | 
| 295 297 | 
             
                            parent.model_name.singular_route_key
         | 
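Review bot: The added `raise(ArgumentError, "Please use symbols for polymorphic route arguments.")` is repeated verbatim in the `case record` branch of the next hunk (`@@ -297,12 +299,14 @@`); two copies of one message drift apart. Define the text once, e.g. `STRING_ARGUMENT_MESSAGE = "Please use symbols for polymorphic route arguments."` next to the class's other constants (outside these hunks), and use `when String then raise ArgumentError, STRING_ARGUMENT_MESSAGE` in both places; `raise` conventionally takes no parentheses. The enclosing method starts and ends outside the hunk, and the `record_list.map do |parent|` block opened here is closed in the following hunk.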
| @@ -297,12 +299,14 @@ module ActionDispatch | |
| 297 299 | 
             
                            args << parent.to_model
         | 
| 298 300 | 
             
                            parent.to_model.model_name.singular_route_key
         | 
| 299 301 | 
             
                          end
         | 
| 300 | 
            -
                         | 
| 302 | 
            +
                        end
         | 
| 301 303 |  | 
| 302 304 | 
             
                        route <<
         | 
| 303 305 | 
             
                        case record
         | 
| 304 | 
            -
                        when Symbol | 
| 306 | 
            +
                        when Symbol
         | 
| 305 307 | 
             
                          record.to_s
         | 
| 308 | 
            +
                        when String
         | 
| 309 | 
            +
                          raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
         | 
| 306 310 | 
             
                        when Class
         | 
| 307 311 | 
             
                          @key_strategy.call record.model_name
         | 
| 308 312 | 
             
                        else
         | 
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: actionpack
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 6.0.3. | 
| 4 | 
            +
              version: 6.0.3.7
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - David Heinemeier Hansson
         | 
| 8 8 | 
             
            autorequire:
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date:  | 
| 11 | 
            +
            date: 2021-05-05 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: activesupport
         | 
| @@ -16,14 +16,14 @@ dependencies: | |
| 16 16 | 
             
                requirements:
         | 
| 17 17 | 
             
                - - '='
         | 
| 18 18 | 
             
                  - !ruby/object:Gem::Version
         | 
| 19 | 
            -
                    version: 6.0.3. | 
| 19 | 
            +
                    version: 6.0.3.7
         | 
| 20 20 | 
             
              type: :runtime
         | 
| 21 21 | 
             
              prerelease: false
         | 
| 22 22 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 23 23 | 
             
                requirements:
         | 
| 24 24 | 
             
                - - '='
         | 
| 25 25 | 
             
                  - !ruby/object:Gem::Version
         | 
| 26 | 
            -
                    version: 6.0.3. | 
| 26 | 
            +
                    version: 6.0.3.7
         | 
| 27 27 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 28 28 | 
             
              name: rack
         | 
| 29 29 | 
             
              requirement: !ruby/object:Gem::Requirement
         | 
| @@ -98,28 +98,28 @@ dependencies: | |
| 98 98 | 
             
                requirements:
         | 
| 99 99 | 
             
                - - '='
         | 
| 100 100 | 
             
                  - !ruby/object:Gem::Version
         | 
| 101 | 
            -
                    version: 6.0.3. | 
| 101 | 
            +
                    version: 6.0.3.7
         | 
| 102 102 | 
             
              type: :runtime
         | 
| 103 103 | 
             
              prerelease: false
         | 
| 104 104 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 105 105 | 
             
                requirements:
         | 
| 106 106 | 
             
                - - '='
         | 
| 107 107 | 
             
                  - !ruby/object:Gem::Version
         | 
| 108 | 
            -
                    version: 6.0.3. | 
| 108 | 
            +
                    version: 6.0.3.7
         | 
| 109 109 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 110 110 | 
             
              name: activemodel
         | 
| 111 111 | 
             
              requirement: !ruby/object:Gem::Requirement
         | 
| 112 112 | 
             
                requirements:
         | 
| 113 113 | 
             
                - - '='
         | 
| 114 114 | 
             
                  - !ruby/object:Gem::Version
         | 
| 115 | 
            -
                    version: 6.0.3. | 
| 115 | 
            +
                    version: 6.0.3.7
         | 
| 116 116 | 
             
              type: :development
         | 
| 117 117 | 
             
              prerelease: false
         | 
| 118 118 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 119 119 | 
             
                requirements:
         | 
| 120 120 | 
             
                - - '='
         | 
| 121 121 | 
             
                  - !ruby/object:Gem::Version
         | 
| 122 | 
            -
                    version: 6.0.3. | 
| 122 | 
            +
                    version: 6.0.3.7
         | 
| 123 123 | 
             
            description: Web apps on Rails. Simple, battle-tested conventions for building and
         | 
| 124 124 | 
             
              testing MVC web applications. Works with any Rack-compatible server.
         | 
| 125 125 | 
             
            email: david@loudthinking.com
         | 
| @@ -310,10 +310,10 @@ licenses: | |
| 310 310 | 
             
            - MIT
         | 
| 311 311 | 
             
            metadata:
         | 
| 312 312 | 
             
              bug_tracker_uri: https://github.com/rails/rails/issues
         | 
| 313 | 
            -
              changelog_uri: https://github.com/rails/rails/blob/v6.0.3. | 
| 314 | 
            -
              documentation_uri: https://api.rubyonrails.org/v6.0.3. | 
| 313 | 
            +
              changelog_uri: https://github.com/rails/rails/blob/v6.0.3.7/actionpack/CHANGELOG.md
         | 
| 314 | 
            +
              documentation_uri: https://api.rubyonrails.org/v6.0.3.7/
         | 
| 315 315 | 
             
              mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
         | 
| 316 | 
            -
              source_code_uri: https://github.com/rails/rails/tree/v6.0.3. | 
| 316 | 
            +
              source_code_uri: https://github.com/rails/rails/tree/v6.0.3.7/actionpack
         | 
| 317 317 | 
             
            post_install_message:
         | 
| 318 318 | 
             
            rdoc_options: []
         | 
| 319 319 | 
             
            require_paths:
         |