actionpack 6.0.3 → 6.0.3.1
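--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cea1a6e97ad71b6bdb89d088483a226435d5f816fe7ed4c84bc86181f89e9970
+data.tar.gz: 35dde1277befcd899fb4c05a9d87b995928bcc212e18ff5e5b7bb213fc5bc480
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 475424613f5ed1166d535bf17838d2614a12993935823dbe6e325b368425de9826a96c9a23bdf7045b92a3392605cb69809551506a4af66c1ccc91180cf802e8
+data.tar.gz: b0fdf9842a0871fd87f8a4f6a46a112a75c27ab9f0f923f5b8a87becc1a33aac1326e75c5f205b61b2419e5a3f617eb3e2deaaf0da4fe861258dd4266ddf25ab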
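--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## Rails 6.0.3.1 (May 18, 2020) ##
+
+* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
+
+* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
+
 ## Rails 6.0.3 (May 06, 2020) ##
 
 * Include child session assertion count in ActionDispatch::IntegrationTest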
@@ -322,13 +322,10 @@ module ActionController #:nodoc:
|
|
322
322
|
action_path = normalize_action_path(action)
|
323
323
|
per_form_csrf_token(session, action_path, method)
|
324
324
|
else
|
325
|
-
|
325
|
+
global_csrf_token(session)
|
326
326
|
end
|
327
327
|
|
328
|
-
|
329
|
-
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
330
|
-
masked_token = one_time_pad + encrypted_csrf_token
|
331
|
-
Base64.strict_encode64(masked_token)
|
328
|
+
mask_token(raw_token)
|
332
329
|
end
|
333
330
|
|
334
331
|
# Checks the client's masked token to see if it matches the
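Review bot: The `global_csrf_token(session)` call on new line 325 carries no comment saying why the session's real token must never be handed to `mask_token` directly, and that is the whole CVE-2020-8166 fix named in the changelog; a later refactor could quietly put `real_csrf_token(session)` back here. I would add above the `else` branch: `# Never mask real_csrf_token(session) itself: only an HMAC derivation may leave the server, so a leaked token cannot be used to reconstruct a per-form token (CVE-2020-8166).` The enclosing method begins before the hunk, and the content of the removed line at old 325 is not shown on this page, so I cannot confirm what the previous branch returned.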
|
@@ -358,7 +355,8 @@ module ActionController #:nodoc:
|
|
358
355
|
elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
|
359
356
|
csrf_token = unmask_token(masked_token)
|
360
357
|
|
361
|
-
|
358
|
+
compare_with_global_token(csrf_token, session) ||
|
359
|
+
compare_with_real_token(csrf_token, session) ||
|
362
360
|
valid_per_form_csrf_token?(csrf_token, session)
|
363
361
|
else
|
364
362
|
false # Token is malformed.
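Review bot: `compare_with_real_token(csrf_token, session)` is kept in the accept chain on new line 359, so a masked token built from the raw session secret is still accepted after the fix, even though the issuing side (per the changelog) no longer produces such tokens. If that is deliberate, presumably so tokens rendered by 6.0.3 stay valid across the upgrade, it should say so and carry a removal plan; otherwise the change hardens issuance but not verification. I would add above that line: `# TODO: raw-session-token comparison kept so forms rendered before the HMAC change still validate; remove once those sessions have expired.` The `||` chain returns on the first match, which is fine for secrecy since each comparison is constant-time on its own. The enclosing method begins before the hunk and continues after it.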
|
@@ -373,10 +371,21 @@ module ActionController #:nodoc:
|
|
373
371
|
xor_byte_strings(one_time_pad, encrypted_csrf_token)
|
374
372
|
end
|
375
373
|
|
374
|
+
def mask_token(raw_token) # :doc:
|
375
|
+
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
376
|
+
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
377
|
+
masked_token = one_time_pad + encrypted_csrf_token
|
378
|
+
Base64.strict_encode64(masked_token)
|
379
|
+
end
|
380
|
+
|
376
381
|
def compare_with_real_token(token, session) # :doc:
|
377
382
|
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
|
378
383
|
end
|
379
384
|
|
385
|
+
def compare_with_global_token(token, session) # :doc:
|
386
|
+
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
|
387
|
+
end
|
388
|
+
|
380
389
|
def valid_per_form_csrf_token?(token, session) # :doc:
|
381
390
|
if per_form_csrf_tokens
|
382
391
|
correct_token = per_form_csrf_token(
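Review bot: `compare_with_global_token` on new lines 385-387 feeds `fixed_length_secure_compare`, which by its name expects equal-length inputs and, in ActiveSupport, raises rather than returning false on a length mismatch; it therefore silently depends on the HMAC-SHA256 digest length matching `AUTHENTICITY_TOKEN_LENGTH`, the length the caller already checked the unmasked token against, and that coupling is not visible here. I would pin it with `# Both sides must be AUTHENTICITY_TOKEN_LENGTH bytes (HMAC-SHA256 output); fixed_length_secure_compare raises on a length mismatch.` above the call, and the same note applies to the unchanged `compare_with_real_token` above it. `mask_token` on lines 374-379 is a `:doc:` method with no comment; a one-liner such as `# XOR the token with a fresh random pad and prepend the pad, so the same token never renders as the same bytes twice (presumably a BREACH-style mitigation; confirm).` would make its purpose explicit.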
|
@@ -397,10 +406,21 @@ module ActionController #:nodoc:
|
|
397
406
|
end
|
398
407
|
|
399
408
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
409
|
+
csrf_token_hmac(session, [action_path, method.downcase].join("#"))
|
410
|
+
end
|
411
|
+
|
412
|
+
GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
|
413
|
+
private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
|
414
|
+
|
415
|
+
def global_csrf_token(session) # :doc:
|
416
|
+
csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
|
417
|
+
end
|
418
|
+
|
419
|
+
def csrf_token_hmac(session, identifier) # :doc:
|
400
420
|
OpenSSL::HMAC.digest(
|
401
421
|
OpenSSL::Digest::SHA256.new,
|
402
422
|
real_csrf_token(session),
|
403
|
-
|
423
|
+
identifier
|
404
424
|
)
|
405
425
|
end
|
406
426
|
|
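Review bot: `GLOBAL_CSRF_TOKEN_IDENTIFIER` on new line 412 is keyed with the same secret as the per-form identifiers built on line 409 (`[action_path, method.downcase].join("#")`), so the only thing separating the global token from any per-form token is that the two identifier strings can never be equal; that invariant is what makes the fix hold and it is undocumented. Today it holds because every per-form identifier contains a `#` from the `join` while `"!real_csrf_token"` contains none, but a change to either format could break it without any test noticing. I would add above the constant: `# Domain separator for the session-wide token. Must never equal a per-form identifier ("<path>#<method>"); the absence of "#" guarantees that.` `csrf_token_hmac` on lines 419-425 is also a `:doc:` method without a comment; `# HMAC-SHA256 of +identifier+ keyed with the session's real CSRF token; every token that leaves the server is derived through here.` would state the scheme in one place.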
@@ -344,6 +344,8 @@ module ActionController
|
|
344
344
|
@parameters.each_pair do |key, value|
|
345
345
|
yield [key, convert_hashes_to_parameters(key, value)]
|
346
346
|
end
|
347
|
+
|
348
|
+
self
|
347
349
|
end
|
348
350
|
alias_method :each, :each_pair
|
349
351
|
|
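Review bot: Returning `self` on new line 348 fixes the block-given case, but the visible body still enters `@parameters.each_pair do … yield …` unconditionally, so a call without a block would raise LocalJumpError at the `yield` unless the lines above the hunk already return an enumerator; `each_pair`'s definition starts before the hunk, so I cannot confirm either way. If it is not handled, add `return to_enum(__method__) unless block_given?` as the first line of the method so `each` and `each_pair` keep Hash-like semantics. A short comment on the `self` line, e.g. `# Return self, not @parameters, so the raw Hash never reaches the caller (CVE-2020-8164).`, would also record why the return value matters here.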
@@ -353,6 +355,8 @@ module ActionController
|
|
353
355
|
@parameters.each_pair do |key, value|
|
354
356
|
yield convert_hashes_to_parameters(key, value)
|
355
357
|
end
|
358
|
+
|
359
|
+
self
|
356
360
|
end
|
357
361
|
|
358
362
|
# Attribute that keeps track of converted arrays, if any, to avoid double
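Review bot: The new `self` return on line 359 is undocumented, and its reason (the CVE-2020-8164 entry in the changelog) is not obvious from the code, since `Hash#each_value` conventionally returns the receiver anyway; a maintainer could later "simplify" this back to the bare `each_pair` result and reintroduce the leak. I would add directly above it: `# Deliberately return self rather than the block result: the previous value was the raw, unwrapped @parameters Hash (CVE-2020-8164).` `each_value`'s definition starts before the hunk, so I cannot see whether the no-block case is handled; if not, the same `return to_enum(__method__) unless block_given?` guard as for `each_pair` applies.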
|
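--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 6.0.3
+version: 6.0.3.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-
+date: 2020-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.3
+version: 6.0.3.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.3
+version: 6.0.3.1
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.3
+version: 6.0.3.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.3
+version: 6.0.3.1
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.3
+version: 6.0.3.1
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.0.3
+version: 6.0.3.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v6.0.3/actionpack/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v6.0.3/
+changelog_uri: https://github.com/rails/rails/blob/v6.0.3.1/actionpack/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v6.0.3.1/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v6.0.3/actionpack
+source_code_uri: https://github.com/rails/rails/tree/v6.0.3.1/actionpack
 post_install_message:
 rdoc_options: []
 require_paths: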