actionpack 6.0.3 → 6.0.3.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 83e2bf0b5fc55b0a124c11102a56872aee141828a3cfe5cd23ed4fade856a989
4
- data.tar.gz: 3b647d17bd0ed5076ac0a12966cdfa271b1a4e67a680df373c0553beeaab83c3
3
+ metadata.gz: cea1a6e97ad71b6bdb89d088483a226435d5f816fe7ed4c84bc86181f89e9970
4
+ data.tar.gz: 35dde1277befcd899fb4c05a9d87b995928bcc212e18ff5e5b7bb213fc5bc480
5
5
  SHA512:
6
- metadata.gz: c7ff17b8e1abc4205e8c52f741a09b77cac48df7343db0d5c76d8946e47ac51d41b182b464e19e3c3de2004e558dd5161bbbb1c8c45f33efeda0ab1037d28111
7
- data.tar.gz: be46931210b005daf32e2c9f7408a050e41806d554d1b5d24056557a84bd76ebc20911a83ef1c8e727c43798f4ff3836acd03d82a4f07ae3562be52346a051a8
6
+ metadata.gz: 475424613f5ed1166d535bf17838d2614a12993935823dbe6e325b368425de9826a96c9a23bdf7045b92a3392605cb69809551506a4af66c1ccc91180cf802e8
7
+ data.tar.gz: b0fdf9842a0871fd87f8a4f6a46a112a75c27ab9f0f923f5b8a87becc1a33aac1326e75c5f205b61b2419e5a3f617eb3e2deaaf0da4fe861258dd4266ddf25ab
@@ -1,3 +1,9 @@
1
+ ## Rails 6.0.3.1 (May 18, 2020) ##
2
+
3
+ * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
4
+
5
+ * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
6
+
1
7
  ## Rails 6.0.3 (May 06, 2020) ##
2
8
 
3
9
  * Include child session assertion count in ActionDispatch::IntegrationTest
@@ -322,13 +322,10 @@ module ActionController #:nodoc:
322
322
  action_path = normalize_action_path(action)
323
323
  per_form_csrf_token(session, action_path, method)
324
324
  else
325
- real_csrf_token(session)
325
+ global_csrf_token(session)
326
326
  end
327
327
 
328
- one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
329
- encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
330
- masked_token = one_time_pad + encrypted_csrf_token
331
- Base64.strict_encode64(masked_token)
328
+ mask_token(raw_token)
332
329
  end
333
330
 
334
331
  # Checks the client's masked token to see if it matches the
@@ -358,7 +355,8 @@ module ActionController #:nodoc:
358
355
  elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
359
356
  csrf_token = unmask_token(masked_token)
360
357
 
361
- compare_with_real_token(csrf_token, session) ||
358
+ compare_with_global_token(csrf_token, session) ||
359
+ compare_with_real_token(csrf_token, session) ||
362
360
  valid_per_form_csrf_token?(csrf_token, session)
363
361
  else
364
362
  false # Token is malformed.
@@ -373,10 +371,21 @@ module ActionController #:nodoc:
373
371
  xor_byte_strings(one_time_pad, encrypted_csrf_token)
374
372
  end
375
373
 
374
+ def mask_token(raw_token) # :doc:
375
+ one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
376
+ encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
377
+ masked_token = one_time_pad + encrypted_csrf_token
378
+ Base64.strict_encode64(masked_token)
379
+ end
380
+
376
381
  def compare_with_real_token(token, session) # :doc:
377
382
  ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
378
383
  end
379
384
 
385
+ def compare_with_global_token(token, session) # :doc:
386
+ ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
387
+ end
388
+
380
389
  def valid_per_form_csrf_token?(token, session) # :doc:
381
390
  if per_form_csrf_tokens
382
391
  correct_token = per_form_csrf_token(
@@ -397,10 +406,21 @@ module ActionController #:nodoc:
397
406
  end
398
407
 
399
408
  def per_form_csrf_token(session, action_path, method) # :doc:
409
+ csrf_token_hmac(session, [action_path, method.downcase].join("#"))
410
+ end
411
+
412
+ GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
413
+ private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
414
+
415
+ def global_csrf_token(session) # :doc:
416
+ csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
417
+ end
418
+
419
+ def csrf_token_hmac(session, identifier) # :doc:
400
420
  OpenSSL::HMAC.digest(
401
421
  OpenSSL::Digest::SHA256.new,
402
422
  real_csrf_token(session),
403
- [action_path, method.downcase].join("#")
423
+ identifier
404
424
  )
405
425
  end
406
426
 
@@ -344,6 +344,8 @@ module ActionController
344
344
  @parameters.each_pair do |key, value|
345
345
  yield [key, convert_hashes_to_parameters(key, value)]
346
346
  end
347
+
348
+ self
347
349
  end
348
350
  alias_method :each, :each_pair
349
351
 
@@ -353,6 +355,8 @@ module ActionController
353
355
  @parameters.each_pair do |key, value|
354
356
  yield convert_hashes_to_parameters(key, value)
355
357
  end
358
+
359
+ self
356
360
  end
357
361
 
358
362
  # Attribute that keeps track of converted arrays, if any, to avoid double
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
12
  TINY = 3
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.3
4
+ version: 6.0.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-05-06 00:00:00.000000000 Z
11
+ date: 2020-05-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.0.3
19
+ version: 6.0.3.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.0.3
26
+ version: 6.0.3.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 6.0.3
101
+ version: 6.0.3.1
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 6.0.3
108
+ version: 6.0.3.1
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 6.0.3
115
+ version: 6.0.3.1
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 6.0.3
122
+ version: 6.0.3.1
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
310
310
  - MIT
311
311
  metadata:
312
312
  bug_tracker_uri: https://github.com/rails/rails/issues
313
- changelog_uri: https://github.com/rails/rails/blob/v6.0.3/actionpack/CHANGELOG.md
314
- documentation_uri: https://api.rubyonrails.org/v6.0.3/
313
+ changelog_uri: https://github.com/rails/rails/blob/v6.0.3.1/actionpack/CHANGELOG.md
314
+ documentation_uri: https://api.rubyonrails.org/v6.0.3.1/
315
315
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
316
- source_code_uri: https://github.com/rails/rails/tree/v6.0.3/actionpack
316
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.3.1/actionpack
317
317
  post_install_message:
318
318
  rdoc_options: []
319
319
  require_paths: