actionpack 6.0.3.4 → 6.0.3.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3767927eaf2709c272ca4da197a4e356dbd7d4fffaf78a10eb4f4f9ee5b0d0d
-  data.tar.gz: cf187c693653a55c75afd103afc829422ea107936e03aabddb594ac52f6cfad8
+  metadata.gz: 689cadf2c5055a30bce24daa0dbd2c5f4e9b62b8e05f318527556df6a1bbc0bd
+  data.tar.gz: db971eb4537c26d3c61aaeb5933a936ab80465ab7533c3a1fd96fed34bc98159
 SHA512:
-  metadata.gz: 3b93fe304a8ec1ed90fc09a076fd54d6beee63fff8e7594e4b71c0c67b57515f0c53f9ac11435ca7f81940dd03b17a671f6b5d1065d2c063d6c40fe367a5808e
-  data.tar.gz: ec62a4e0f89af114bfe4d00e88ca875fec9c2f68f81ee1fd27aef57629ea0e2680968b5a10d092813b054c55b4c654cf0b57dd029d4d55bfaf4fb1f3ba409176
+  metadata.gz: bb3325660659b91dd7917b48dfd211078d28812bfae7695e224599573835d7c42994ead64ebeb5c121d1dbc4ac30da9ae0f3a0be304892c914ce2309d8b3fc2b
+  data.tar.gz: 826160c64038886b1bc08301f8d4782cd1564f5b167d452bd87b8870043581dc971bb9f5a54075001fe254148fc8845187f660f4cf4fcb84f5dfdf17bfb85dda

data/CHANGELOG.md

@@ -1,3 +1,38 @@
+## Rails 6.0.3.7 (May 05, 2021) ##
+
+*   Prevent catastrophic backtracking during mime parsing
+    CVE-2021-22902
+
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
+
+*   Prevent string polymorphic route arguments.
+
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
+
+    CVE-2021-22885
+
+    *Gannon McGibbon*
+
+## Rails 6.0.3.6 (March 26, 2021) ##
+
+*   No changes.
+
+
+## Rails 6.0.3.5 (February 10, 2021) ##
+
+*   Prevent open redirect when allowed host starts with a dot
+
+    [CVE-2021-22881]
+
+    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+    issue and the patch!
+
+    *Aaron Patterson*
+
+
 ## Rails 6.0.3.4 (October 07, 2020) ##
 
 *   [CVE-2020-8264] Prevent XSS in Actionable Exceptions

data/lib/action_controller/metal/http_authentication.rb

@@ -405,7 +405,7 @@ module ActionController
     module Token
       TOKEN_KEY = "token="
       TOKEN_REGEX = /^(Token|Bearer)\s+/
-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
       extend self
 
       module ControllerMethods

data/lib/action_dispatch/http/mime_type.rb

@@ -226,7 +226,7 @@ module Mime
     MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
     MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
     MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
-    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
 
     class InvalidMimeType < StandardError; end
 

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -87,11 +87,20 @@ module ActionDispatch
 
     private
       def authorized?(request)
-        origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
-        forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
-
-        @permissions.allows?(origin_host) &&
-          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+        valid_host = /
+          \A
+          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
+          (:\d+)?
+          \z
+        /x
+
+        origin_host = valid_host.match(
+          request.get_header("HTTP_HOST").to_s.downcase)
+        forwarded_host = valid_host.match(
+          request.x_forwarded_host.to_s.split(/,\s?/).last)
+
+        origin_host && @permissions.allows?(origin_host[:host]) && (
+          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
       end
 
       def mark_as_authorized(request)

data/lib/action_dispatch/routing/polymorphic_routes.rb

@@ -286,10 +286,12 @@ module ActionDispatch
 
             args = []
 
-            route = record_list.map { |parent|
+            route = record_list.map do |parent|
               case parent
-              when Symbol, String
+              when Symbol
                 parent.to_s
+              when String
+                raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
               when Class
                 args << parent
                 parent.model_name.singular_route_key
@@ -297,12 +299,14 @@ module ActionDispatch
                 args << parent.to_model
                 parent.to_model.model_name.singular_route_key
               end
-            }
+            end
 
             route <<
             case record
-            when Symbol, String
+            when Symbol
               record.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
             when Class
               @key_strategy.call record.model_name
             else

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 6
     MINOR = 0
     TINY  = 3
-    PRE   = "4"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.0.3.4
+  version: 6.0.3.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-07 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.4
+        version: 6.0.3.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.4
+        version: 6.0.3.7
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.4
+        version: 6.0.3.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.4
+        version: 6.0.3.7
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.4
+        version: 6.0.3.7
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.4
+        version: 6.0.3.7
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.0.3.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.3.4/
+  changelog_uri: https://github.com/rails/rails/blob/v6.0.3.7/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.3.7/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.3.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.3.7/actionpack
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.4
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).