actionpack 6.1.0.rc1 → 6.1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a4a41e1ca0c25578fbd6a0ea8a05295194ae1bd4583adec81c901d36df926af
-  data.tar.gz: 8582c26944953ae947cf95b4582f3b000af462b0786476d4dc84a268963bbdd8
+  metadata.gz: 9ddc348fb8652218b5bd5b37bdb59d84478978eef60efa1e6e0ec970975e51fe
+  data.tar.gz: 3cb8f6771faff1498a49741146ee58df760bfaf71736ab90329b44141b600448
 SHA512:
-  metadata.gz: c6ae9cf119acfd74a41566d30f6d499ed3590355134a7a00ebc77b25a8516f1037448bc202c543b0c92cedc842d38e1b787df12f4260bebf5f1595c42c192d2a
-  data.tar.gz: 69965930679b64e98df6a5b4edaefa9f15a7c38480fd179507b3a27c663b07478411a6ae04355dd5a30f97f18be8b4441e083b5c97d0015f95963d5adf29dcda
+  metadata.gz: ca1a39f35896900dad228fdb4174207fcf571407aa3e033a82718bf2411b2d45665bd03db6df7e21d25cc8df4aaa33d83190502be910a528b51fc4ce4871d2f3
+  data.tar.gz: 66aec3e70249c3661662c5357ba2cc53b3845449bca439c3b07e34068fbb99be354e9dfa536d1964d9446d66519c6c515125827e1cc7f3b01c046b3a9a0741b3

data/CHANGELOG.md

@@ -1,4 +1,58 @@
-## Rails 6.1.0.rc1 (November 02, 2020) ##
+## Rails 6.1.2.1 (February 10, 2021) ##
+
+*   Prevent open redirect when allowed host starts with a dot
+
+    [CVE-2021-22881]
+
+    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+    issue and the patch!
+
+    *Aaron Patterson*
+
+
+## Rails 6.1.2 (February 09, 2021) ##
+
+*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
+
+    *Janko Marohnić*
+
+*   Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
+
+    *Eugene Kenny*
+
+
+## Rails 6.1.1 (January 07, 2021) ##
+
+*   Fix nil translation key lookup in controllers/
+
+    *Jan Klimo*
+
+*   Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
+
+    *Alex Robbin*
+
+*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
+
+    *Alex Robbin*
+
+
+## Rails 6.1.0 (December 09, 2020) ##
+
+*   Support for the HTTP header `Feature-Policy` has been revised to reflect
+    its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
+
+    ```ruby
+    Rails.application.config.permissions_policy do |p|
+      p.camera     :none
+      p.gyroscope  :none
+      p.microphone :none
+      p.usb        :none
+      p.fullscreen :self
+      p.payment    :self, "https://secure-example.com"
+    end
+    ```
+
+    *Julien Grillot*
 
 *   Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
 

data/README.rdoc

@@ -33,7 +33,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/master/actionpack
+* https://github.com/rails/rails/tree/main/actionpack
 
 
 == License

data/lib/abstract_controller/translation.rb

@@ -15,7 +15,7 @@ module AbstractController
     # to translate many keys within the same controller / action and gives you a
     # simple framework for scoping them consistently.
     def translate(key, **options)
-      if key.start_with?(".")
+      if key&.start_with?(".")
         path = controller_path.tr("/", ".")
         defaults = [:"#{path}#{key}"]
         defaults << options[:default] if options[:default]

data/lib/action_controller.rb

@@ -29,7 +29,7 @@ module ActionController
     autoload :DefaultHeaders
     autoload :EtagWithTemplateDigest
     autoload :EtagWithFlash
-    autoload :FeaturePolicy
+    autoload :PermissionsPolicy
     autoload :Flash
     autoload :Head
     autoload :Helpers

data/lib/action_controller/base.rb

@@ -226,7 +226,7 @@ module ActionController
       FormBuilder,
       RequestForgeryProtection,
       ContentSecurityPolicy,
-      FeaturePolicy,
+      PermissionsPolicy,
       Streaming,
       DataStreaming,
       HttpAuthentication::Basic::ControllerMethods,

data/lib/action_controller/log_subscriber.rb

@@ -23,7 +23,7 @@ module ActionController
         additions = ActionController::Base.log_process_action(payload)
         status = payload[:status]
 
-        if status.nil? && (exception_class_name = payload[:exception].first)
+        if status.nil? && (exception_class_name = payload[:exception]&.first)
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
 

data/lib/action_controller/metal/conditional_get.rb

@@ -182,7 +182,7 @@ module ActionController
     #
     # You can also pass an object that responds to +maximum+, such as a
     # collection of active records. In this case +last_modified+ will be set by
-    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
     # most recently updated record) and the +etag+ by passing the object itself.
     #
     #   def index

data/lib/action_controller/metal/cookies.rb

@@ -9,7 +9,9 @@ module ActionController #:nodoc:
     end
 
     private
-      def cookies
+      # The cookies for the current request. See ActionDispatch::Cookies for
+      # more information.
+      def cookies # :doc:
         request.cookie_jar
       end
   end

data/lib/action_controller/metal/http_authentication.rb

@@ -484,7 +484,7 @@ module ActionController
       def raw_params(auth)
         _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
 
-        if !_raw_params.first.start_with?(TOKEN_KEY)
+        if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
         end
 

data/lib/action_controller/metal/{feature_policy.rb → permissions_policy.rb}

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 module ActionController #:nodoc:
-  # HTTP Feature Policy is a web standard for defining a mechanism to
-  # allow and deny the use of browser features in its own context, and
+  # HTTP Permissions Policy is a web standard for defining a mechanism to
+  # allow and deny the use of browser permissions in its own context, and
   # in content within any <iframe> elements in the document.
   #
-  # Full details of HTTP Feature Policy specification and guidelines can
+  # Full details of HTTP Permissions Policy specification and guidelines can
   # be found at MDN:
   #
   # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
@@ -13,7 +13,7 @@ module ActionController #:nodoc:
   # Examples of usage:
   #
   #   # Global policy
-  #   Rails.application.config.feature_policy do |f|
+  #   Rails.application.config.permissions_policy do |f|
   #     f.camera      :none
   #     f.gyroscope   :none
   #     f.microphone  :none
@@ -24,20 +24,20 @@ module ActionController #:nodoc:
   #
   #   # Controller level policy
   #   class PagesController < ApplicationController
-  #     feature_policy do |p|
+  #     permissions_policy do |p|
   #       p.geolocation "https://example.com"
   #     end
   #   end
-  module FeaturePolicy
+  module PermissionsPolicy
     extend ActiveSupport::Concern
 
     module ClassMethods
-      def feature_policy(**options, &block)
+      def permissions_policy(**options, &block)
         before_action(options) do
           if block_given?
-            policy = request.feature_policy.clone
+            policy = request.permissions_policy.clone
             yield policy
-            request.feature_policy = policy
+            request.permissions_policy = policy
           end
         end
       end

data/lib/action_dispatch.rb

@@ -46,7 +46,7 @@ module ActionDispatch
   eager_autoload do
     autoload_under "http" do
       autoload :ContentSecurityPolicy
-      autoload :FeaturePolicy
+      autoload :PermissionsPolicy
       autoload :Request
       autoload :Response
     end

data/lib/action_dispatch/http/{feature_policy.rb → permissions_policy.rb}

@@ -3,9 +3,14 @@
 require "active_support/core_ext/object/deep_dup"
 
 module ActionDispatch #:nodoc:
-  class FeaturePolicy
+  class PermissionsPolicy
     class Middleware
       CONTENT_TYPE = "Content-Type"
+      # The Feature-Policy header has been renamed to Permissions-Policy.
+      # The Permissions-Policy requires a different implementation and isn't
+      # yet supported by all browsers. To avoid having to rename this
+      # middleware in the future we use the new name for the middleware but
+      # keep the old header name and implementation for now.
       POLICY       = "Feature-Policy"
 
       def initialize(app)
@@ -19,7 +24,7 @@ module ActionDispatch #:nodoc:
         return response unless html_response?(headers)
         return response if policy_present?(headers)
 
-        if policy = request.feature_policy
+        if policy = request.permissions_policy
           headers[POLICY] = policy.build(request.controller_instance)
         end
 
@@ -47,13 +52,13 @@ module ActionDispatch #:nodoc:
     end
 
     module Request
-      POLICY = "action_dispatch.feature_policy"
+      POLICY = "action_dispatch.permissions_policy"
 
-      def feature_policy
+      def permissions_policy
         get_header(POLICY)
       end
 
-      def feature_policy=(policy)
+      def permissions_policy=(policy)
         set_header(POLICY, policy)
       end
     end
@@ -63,8 +68,8 @@ module ActionDispatch #:nodoc:
       none: "'none'",
     }.freeze
 
-    # List of available features can be found at
-    # https://github.com/WICG/feature-policy/blob/master/features.md#policy-controlled-features
+    # List of available permissions can be found at
+    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
     DIRECTIVES = {
       accelerometer:        "accelerometer",
       ambient_light_sensor: "ambient-light-sensor",
@@ -121,14 +126,14 @@ module ActionDispatch #:nodoc:
           when String, Proc
             source
           else
-            raise ArgumentError, "Invalid HTTP feature policy source: #{source.inspect}"
+            raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
           end
         end
       end
 
       def apply_mapping(source)
         MAPPINGS.fetch(source) do
-          raise ArgumentError, "Unknown HTTP feature policy source mapping: #{source.inspect}"
+          raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
         end
       end
 
@@ -156,12 +161,12 @@ module ActionDispatch #:nodoc:
           source.to_s
         when Proc
           if context.nil?
-            raise RuntimeError, "Missing context for the dynamic feature policy source: #{source.inspect}"
+            raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
           else
             context.instance_exec(&source)
           end
         else
-          raise RuntimeError, "Unexpected feature policy source: #{source.inspect}"
+          raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
         end
       end
   end

data/lib/action_dispatch/http/request.rb

@@ -23,7 +23,7 @@ module ActionDispatch
     include ActionDispatch::Http::FilterParameters
     include ActionDispatch::Http::URL
     include ActionDispatch::ContentSecurityPolicy::Request
-    include ActionDispatch::FeaturePolicy::Request
+    include ActionDispatch::PermissionsPolicy::Request
     include Rack::Request::Env
 
     autoload :Session, "action_dispatch/request/session"

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -51,9 +51,9 @@ module ActionDispatch
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/
+            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
           else
-            host
+            /\A#{host}\z/i
           end
         end
     end
@@ -103,11 +103,20 @@ module ActionDispatch
 
     private
       def authorized?(request)
-        origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
-        forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
-
-        @permissions.allows?(origin_host) &&
-          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+        valid_host = /
+          \A
+          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
+          (:\d+)?
+          \z
+        /x
+
+        origin_host = valid_host.match(
+          request.get_header("HTTP_HOST").to_s.downcase)
+        forwarded_host = valid_host.match(
+          request.x_forwarded_host.to_s.split(/,\s?/).last)
+
+        origin_host && @permissions.allows?(origin_host[:host]) && (
+          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
       end
 
       def excluded?(request)

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -46,7 +46,9 @@ module ActionDispatch
         status  = wrapper.status_code
         request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
+        request.set_header "action_dispatch.original_request_method", request.raw_request_method
         request.path_info = "/#{status}"
+        request.request_method = "GET"
         response = @exceptions_app.call(request.env)
         response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
       rescue Exception => failsafe_error

data/lib/action_dispatch/middleware/ssl.rb

@@ -52,6 +52,8 @@ module ActionDispatch
     # Default to 2 years as recommended on hstspreload.org.
     HSTS_EXPIRES_IN = 63072000
 
+    PERMANENT_REDIRECT_REQUEST_METHODS = %w[GET HEAD] # :nodoc:
+
     def self.default_hsts_options
       { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
     end
@@ -131,7 +133,7 @@ module ActionDispatch
       end
 
       def redirection_status(request)
-        if request.get? || request.head?
+        if PERMANENT_REDIRECT_REQUEST_METHODS.include?(request.raw_request_method)
           301 # Issue a permanent redirect via a GET request.
         elsif @ssl_default_redirect_status
           @ssl_default_redirect_status

data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb

@@ -1,5 +1,7 @@
 <% if exception.respond_to?(:original_message) && exception.respond_to?(:corrections) %>
-  <h2><%= h exception.original_message %></h2>
+  <div class="exception-message">
+    <%= simple_format h(exception.original_message), { class: "message" }, wrapper_tag: "div" %>
+  </div>
   <%
     # The 'did_you_mean' gem can raise exceptions when calling #corrections on
     # the exception. If it does there are no corrections to show.
@@ -14,5 +16,7 @@
     </ul>
   <% end %>
 <% else %>
-  <h2><%= h exception.message %></h2>
+  <div class="exception-message">
+    <%= simple_format h(exception.message), { class: "message" }, wrapper_tag: "div" %>
+  </div>
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/layout.erb

@@ -49,6 +49,18 @@
       line-height: 25px;
     }
 
+    .exception-message {
+      padding: 8px 0;
+    }
+
+    .exception-message .message{
+      margin-bottom: 8px;
+      line-height: 25px;
+      font-size: 1.5em;
+      font-weight: bold;
+      color: #C00;
+    }
+
     .details {
       border: 1px solid #D0D0D0;
       border-radius: 4px;

data/lib/action_dispatch/middleware/templates/routes/_table.html.erb

@@ -51,10 +51,19 @@
   }
 
   @media (prefers-color-scheme: dark) {
+    body {
+      background-color: #222;
+      color: #ECECEC;
+    }
+
     #route_table tbody tr:nth-child(odd) {
       background: #333;
     }
 
+    #route_table tbody tr:nth-child(even) {
+      background: #444;
+    }
+
     #route_table tbody.exact_matches,
     #route_table tbody.fuzzy_matches {
       color: #333;

data/lib/action_dispatch/system_testing/browser.rb

@@ -71,14 +71,14 @@ module ActionDispatch
 
         def set_headless_chrome_browser_options
           configure do |capabilities|
-            capabilities.args << "--headless"
-            capabilities.args << "--disable-gpu" if Gem.win_platform?
+            capabilities.add_argument("--headless")
+            capabilities.add_argument("--disable-gpu") if Gem.win_platform?
           end
         end
 
         def set_headless_firefox_browser_options
           configure do |capabilities|
-            capabilities.args << "-headless"
+            capabilities.add_argument("-headless")
           end
         end
     end

data/lib/action_dispatch/testing/test_process.rb

@@ -29,7 +29,7 @@ module ActionDispatch
               haven't set yet. Set `file_fixture_path` to discard this warning.
             EOM
           elsif path.exist?
-            non_deprecated_path = path.relative_path_from(Pathname(self.class.file_fixture_path))
+            non_deprecated_path = Pathname(File.absolute_path(path)).relative_path_from(Pathname(File.absolute_path(self.class.file_fixture_path)))
             ActiveSupport::Deprecation.warn(<<~EOM)
               Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
               In Rails 6.2, the path needs to be relative to `file_fixture_path`.

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 0
-    PRE   = "rc1"
+    TINY  = 2
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.0.rc1
+  version: 6.1.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-02 00:00:00.000000000 Z
+date: 2021-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.2.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.2.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.2.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc1
+        version: 6.1.2.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -161,7 +161,6 @@ files:
 - lib/action_controller/metal/etag_with_flash.rb
 - lib/action_controller/metal/etag_with_template_digest.rb
 - lib/action_controller/metal/exceptions.rb
-- lib/action_controller/metal/feature_policy.rb
 - lib/action_controller/metal/flash.rb
 - lib/action_controller/metal/head.rb
 - lib/action_controller/metal/helpers.rb
@@ -173,6 +172,7 @@ files:
 - lib/action_controller/metal/mime_responds.rb
 - lib/action_controller/metal/parameter_encoding.rb
 - lib/action_controller/metal/params_wrapper.rb
+- lib/action_controller/metal/permissions_policy.rb
 - lib/action_controller/metal/redirecting.rb
 - lib/action_controller/metal/renderers.rb
 - lib/action_controller/metal/rendering.rb
@@ -191,7 +191,6 @@ files:
 - lib/action_dispatch/http/cache.rb
 - lib/action_dispatch/http/content_disposition.rb
 - lib/action_dispatch/http/content_security_policy.rb
-- lib/action_dispatch/http/feature_policy.rb
 - lib/action_dispatch/http/filter_parameters.rb
 - lib/action_dispatch/http/filter_redirect.rb
 - lib/action_dispatch/http/headers.rb
@@ -199,6 +198,7 @@ files:
 - lib/action_dispatch/http/mime_type.rb
 - lib/action_dispatch/http/mime_types.rb
 - lib/action_dispatch/http/parameters.rb
+- lib/action_dispatch/http/permissions_policy.rb
 - lib/action_dispatch/http/rack_cache.rb
 - lib/action_dispatch/http/request.rb
 - lib/action_dispatch/http/response.rb
@@ -309,10 +309,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.0.rc1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.0.rc1/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.2.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.0.rc1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.2.1/actionpack
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -324,12 +324,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements:
 - none
-rubygems_version: 3.1.4
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).