actionpack 6.0.4 → 6.0.4.4

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 678219232b512e4e26f212b806cdf7b43bd5659acea529b2b28e2c302abbfced
4
- data.tar.gz: c2069babda9aba85e6fd8d2f922803909877c06b8a0c3a3597dc51b1de411924
3
+ metadata.gz: 77d0c31e55cac2f1197378000339e0def3f018ab55493703905c3fb3969e7625
4
+ data.tar.gz: 645430d4e7b0515b72ca93abdca82c4f3bc95840e4e51d2766af835013d4815b
5
5
  SHA512:
6
- metadata.gz: 43e407ce89353f04be46d92411267bc9eb3dc52a95578f5f7d9b5800a06f89b729fd9be33939792b1e9b56e702a13be4117d9303f4ce62e6d740da89c6d51137
7
- data.tar.gz: a0f47e4c5f9a88be9566030b9b69566d8ba11f796adf9b4684e4fbee0617ebfb0e60c1f700b5b52c311959dfe192ba1bca21db64398f6988faf0eca48538a232
6
+ metadata.gz: 9354a9e8747dfc352e007f1f6218abd5ea2518ea60d249b2d84b9499c5edfca3a198a2ee0217acd39cc4b858eef76abdbc73a68b761dfc97a2a5b70c69b3b6aa
7
+ data.tar.gz: 1002a36a0686363c1f585cd5827240ad772d22079d63c02755c18c18dc1bebd9f31c24471d2a9da4c46d3eada96d61edcbc300be016042b1180c40fd61f59fc2
data/CHANGELOG.md CHANGED
@@ -1,3 +1,25 @@
1
+ ## Rails 6.0.4.4 (December 15, 2021) ##
2
+
3
+ * Fix issue with host protection not allowing host with port in development.
4
+
5
+
6
+ ## Rails 6.0.4.3 (December 14, 2021) ##
7
+
8
+ * Fix issue with host protection not allowing localhost in development.
9
+
10
+
11
+ ## Rails 6.0.4.2 (December 14, 2021) ##
12
+
13
+ * Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
14
+
15
+ ## Rails 6.1.4.1 (August 19, 2021) ##
16
+
17
+ * [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
18
+
19
+ Specially crafted "X-Forwarded-Host" headers in combination with certain
20
+ "allowed host" formats can cause the Host Authorization middleware in Action
21
+ Pack to redirect users to a malicious website.
22
+
1
23
  ## Rails 6.0.4 (June 15, 2021) ##
2
24
 
3
25
  * Accept base64_urlsafe CSRF tokens to make forward compatible.
@@ -10,6 +10,17 @@ module ActionDispatch
10
10
  # application will be executed and rendered. If no +response_app+ is given, a
11
11
  # default one will run, which responds with +403 Forbidden+.
12
12
  class HostAuthorization
13
+ ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
14
+ PORT_REGEX = /(?::\d+)/ # :nodoc:
15
+ IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
16
+ IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
17
+ IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
18
+ VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
19
+ /\A#{IPV4_HOSTNAME}\z/,
20
+ /\A#{IPV6_HOSTNAME}\z/,
21
+ /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
22
+ )
23
+
13
24
  class Permissions # :nodoc:
14
25
  def initialize(hosts)
15
26
  @hosts = sanitize_hosts(hosts)
@@ -21,11 +32,17 @@ module ActionDispatch
21
32
 
22
33
  def allows?(host)
23
34
  @hosts.any? do |allowed|
24
- allowed === host
25
- rescue
26
- # IPAddr#=== raises an error if you give it a hostname instead of
27
- # IP. Treat similar errors as blocked access.
28
- false
35
+ if allowed.is_a?(IPAddr)
36
+ begin
37
+ allowed === extract_hostname(host)
38
+ rescue
39
+ # IPAddr#=== raises an error if you give it a hostname instead of
40
+ # IP. Treat similar errors as blocked access.
41
+ false
42
+ end
43
+ else
44
+ allowed === host
45
+ end
29
46
  end
30
47
  end
31
48
 
@@ -41,16 +58,20 @@ module ActionDispatch
41
58
  end
42
59
 
43
60
  def sanitize_regexp(host)
44
- /\A#{host}\z/
61
+ /\A#{host}#{PORT_REGEX}?\z/
45
62
  end
46
63
 
47
64
  def sanitize_string(host)
48
65
  if host.start_with?(".")
49
- /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
66
+ /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
50
67
  else
51
- /\A#{Regexp.escape host}\z/i
68
+ /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
52
69
  end
53
70
  end
71
+
72
+ def extract_hostname(host)
73
+ host.slice(VALID_IP_HOSTNAME, "host") || host
74
+ end
54
75
  end
55
76
 
56
77
  DEFAULT_RESPONSE_APP = -> env do
@@ -87,20 +108,10 @@ module ActionDispatch
87
108
 
88
109
  private
89
110
  def authorized?(request)
90
- valid_host = /
91
- \A
92
- (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
93
- (:\d+)?
94
- \z
95
- /x
96
-
97
- origin_host = valid_host.match(
98
- request.get_header("HTTP_HOST").to_s.downcase)
99
- forwarded_host = valid_host.match(
100
- request.x_forwarded_host.to_s.split(/,\s?/).last)
101
-
102
- origin_host && @permissions.allows?(origin_host[:host]) && (
103
- forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
111
+ origin_host = request.get_header("HTTP_HOST")
112
+ forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
113
+
114
+ @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
104
115
  end
105
116
 
106
117
  def mark_as_authorized(request)
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
12
  TINY = 4
13
- PRE = nil
13
+ PRE = "4"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.4
4
+ version: 6.0.4.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-06-15 00:00:00.000000000 Z
11
+ date: 2021-12-15 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.0.4
19
+ version: 6.0.4.4
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.0.4
26
+ version: 6.0.4.4
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 6.0.4
101
+ version: 6.0.4.4
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 6.0.4
108
+ version: 6.0.4.4
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 6.0.4
115
+ version: 6.0.4.4
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 6.0.4
122
+ version: 6.0.4.4
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
310
310
  - MIT
311
311
  metadata:
312
312
  bug_tracker_uri: https://github.com/rails/rails/issues
313
- changelog_uri: https://github.com/rails/rails/blob/v6.0.4/actionpack/CHANGELOG.md
314
- documentation_uri: https://api.rubyonrails.org/v6.0.4/
313
+ changelog_uri: https://github.com/rails/rails/blob/v6.0.4.4/actionpack/CHANGELOG.md
314
+ documentation_uri: https://api.rubyonrails.org/v6.0.4.4/
315
315
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
316
- source_code_uri: https://github.com/rails/rails/tree/v6.0.4/actionpack
316
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.4.4/actionpack
317
317
  post_install_message:
318
318
  rdoc_options: []
319
319
  require_paths:
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
330
330
  version: '0'
331
331
  requirements:
332
332
  - none
333
- rubygems_version: 3.1.2
333
+ rubygems_version: 3.2.32
334
334
  signing_key:
335
335
  specification_version: 4
336
336
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).