actionpack 6.0.4 → 6.0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 678219232b512e4e26f212b806cdf7b43bd5659acea529b2b28e2c302abbfced
-  data.tar.gz: c2069babda9aba85e6fd8d2f922803909877c06b8a0c3a3597dc51b1de411924
+  metadata.gz: 77d0c31e55cac2f1197378000339e0def3f018ab55493703905c3fb3969e7625
+  data.tar.gz: 645430d4e7b0515b72ca93abdca82c4f3bc95840e4e51d2766af835013d4815b
 SHA512:
-  metadata.gz: 43e407ce89353f04be46d92411267bc9eb3dc52a95578f5f7d9b5800a06f89b729fd9be33939792b1e9b56e702a13be4117d9303f4ce62e6d740da89c6d51137
-  data.tar.gz: a0f47e4c5f9a88be9566030b9b69566d8ba11f796adf9b4684e4fbee0617ebfb0e60c1f700b5b52c311959dfe192ba1bca21db64398f6988faf0eca48538a232
+  metadata.gz: 9354a9e8747dfc352e007f1f6218abd5ea2518ea60d249b2d84b9499c5edfca3a198a2ee0217acd39cc4b858eef76abdbc73a68b761dfc97a2a5b70c69b3b6aa
+  data.tar.gz: 1002a36a0686363c1f585cd5827240ad772d22079d63c02755c18c18dc1bebd9f31c24471d2a9da4c46d3eada96d61edcbc300be016042b1180c40fd61f59fc2

data/CHANGELOG.md

@@ -1,3 +1,25 @@
+## Rails 6.0.4.4 (December 15, 2021) ##
+
+*   Fix issue with host protection not allowing host with port in development.
+
+
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   Fix issue with host protection not allowing localhost in development.
+
+
+## Rails 6.0.4.2 (December 14, 2021) ##
+
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+
+## Rails 6.1.4.1 (August 19, 2021) ##
+
+*   [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
+
+    Specially crafted "X-Forwarded-Host" headers in combination with certain
+    "allowed host" formats can cause the Host Authorization middleware in Action
+    Pack to redirect users to a malicious website.
+
 ## Rails 6.0.4 (June 15, 2021) ##
 
 *   Accept base64_urlsafe CSRF tokens to make forward compatible.

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -10,6 +10,17 @@ module ActionDispatch
   # application will be executed and rendered. If no +response_app+ is given, a
   # default one will run, which responds with +403 Forbidden+.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    PORT_REGEX = /(?::\d+)/ # :nodoc:
+    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
+    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
+    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
+    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
+      /\A#{IPV4_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
+    )
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
@@ -21,11 +32,17 @@ module ActionDispatch
 
       def allows?(host)
         @hosts.any? do |allowed|
-          allowed === host
-        rescue
-          # IPAddr#=== raises an error if you give it a hostname instead of
-          # IP. Treat similar errors as blocked access.
-          false
+          if allowed.is_a?(IPAddr)
+            begin
+              allowed === extract_hostname(host)
+            rescue
+              # IPAddr#=== raises an error if you give it a hostname instead of
+              # IP. Treat similar errors as blocked access.
+              false
+            end
+          else
+            allowed === host
+          end
         end
       end
 
@@ -41,16 +58,20 @@ module ActionDispatch
         end
 
         def sanitize_regexp(host)
-          /\A#{host}\z/
+          /\A#{host}#{PORT_REGEX}?\z/
         end
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
+            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
-            /\A#{Regexp.escape host}\z/i
+            /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
         end
+
+        def extract_hostname(host)
+          host.slice(VALID_IP_HOSTNAME, "host") || host
+        end
     end
 
     DEFAULT_RESPONSE_APP = -> env do
@@ -87,20 +108,10 @@ module ActionDispatch
 
     private
       def authorized?(request)
-        valid_host = /
-          \A
-          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
-          (:\d+)?
-          \z
-        /x
-
-        origin_host = valid_host.match(
-          request.get_header("HTTP_HOST").to_s.downcase)
-        forwarded_host = valid_host.match(
-          request.x_forwarded_host.to_s.split(/,\s?/).last)
-
-        origin_host && @permissions.allows?(origin_host[:host]) && (
-          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
+        origin_host = request.get_header("HTTP_HOST")
+        forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
+
+        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
       end
 
       def mark_as_authorized(request)

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = nil
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.0.4
+  version: 6.0.4.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-15 00:00:00.000000000 Z
+date: 2021-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.0.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.4/
+  changelog_uri: https://github.com/rails/rails/blob/v6.0.4.4/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.4.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.4.4/actionpack
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).