actionpack 6.1.0.rc2 → 6.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc84b6b896fe838781d03a845564d7d0d55c125c08891dac5192dd0b4218e148
-  data.tar.gz: 2d6978599e5d5f2becc3ced8db15918edbeffe6048cffa5f3b11b68e0fe7fb97
+  metadata.gz: 1ea58dade23ab9890d5e08a7a1cb0f8cf4cae0fbd41eea9fe284d3525245aeee
+  data.tar.gz: c84e4268d1477b99849c45bff8a08a31d3bb8d72fcc3c73c621f79a7c8bc813a
 SHA512:
-  metadata.gz: cba23b8e3d5344c09f2b3f41d4544c8486dafe103a1c5fd1c4f050f543a35d17346d747ff1e2cd62e7535258ee38953ab2b12eb62119d086c9e9b35c8344c2c4
-  data.tar.gz: 7e8b5c27070a8bf909e09e8d1bd98565da44321186bdaae0e5ebc474cbaf85dc242191863b8041696cdf995e75110b94ab3af7e304d99180c78000cbec00e9ec
+  metadata.gz: 494e49e2b62a10a42b90c0e36745d67aae27cd1988332070db69725ea0f30834f22e494a9c448dfceed91c3cc63bf6055bfc94de372efeb55a62f126835786ea
+  data.tar.gz: 2d1d9bd8fe5a25cdb1ffb92e5c204f91a71d68be2dfdb0e94730b7b3fd62f931facb99c93f9e1d7c8462d317b0accc640135ca232f9547760a0a525b4ed4a9e5

data/CHANGELOG.md

@@ -1,4 +1,49 @@
-## Rails 6.1.0.rc2 (December 01, 2020) ##
+## Rails 6.1.3 (February 17, 2021) ##
+
+*   Re-define routes when not set correctly via inheritance.
+
+    *John Hawthorn*
+
+
+## Rails 6.1.2.1 (February 10, 2021) ##
+
+*   Prevent open redirect when allowed host starts with a dot
+
+    [CVE-2021-22881]
+
+    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+    issue and the patch!
+
+    *Aaron Patterson*
+
+
+## Rails 6.1.2 (February 09, 2021) ##
+
+*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
+
+    *Janko Marohnić*
+
+*   Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
+
+    *Eugene Kenny*
+
+
+## Rails 6.1.1 (January 07, 2021) ##
+
+*   Fix nil translation key lookup in controllers/
+
+    *Jan Klimo*
+
+*   Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
+
+    *Alex Robbin*
+
+*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
+
+    *Alex Robbin*
+
+
+## Rails 6.1.0 (December 09, 2020) ##
 
 *   Support for the HTTP header `Feature-Policy` has been revised to reflect
     its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
@@ -16,8 +61,6 @@
 
     *Julien Grillot*
 
-## Rails 6.1.0.rc1 (November 02, 2020) ##
-
 *   Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
 
     Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.

data/README.rdoc

@@ -33,7 +33,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/master/actionpack
+* https://github.com/rails/rails/tree/main/actionpack
 
 
 == License

data/lib/abstract_controller/railties/routes_helpers.rb

@@ -7,11 +7,27 @@ module AbstractController
         Module.new do
           define_method(:inherited) do |klass|
             super(klass)
-            if namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
+
+            namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
+            actual_routes = namespace ? namespace.railtie_routes_url_helpers._routes : routes
+
+            if namespace
               klass.include(namespace.railtie_routes_url_helpers(include_path_helpers))
             else
               klass.include(routes.url_helpers(include_path_helpers))
             end
+
+            # In the case that we have ex.
+            #   class A::Foo < ApplicationController
+            #   class Bar < A::Foo
+            # We will need to redefine _routes because it will not be correct
+            # via inheritance.
+            unless klass._routes.equal?(actual_routes)
+              klass.redefine_singleton_method(:_routes) { actual_routes }
+              klass.include(Module.new do
+                define_method(:_routes) { @_routes || actual_routes }
+              end)
+            end
           end
         end
       end

data/lib/abstract_controller/translation.rb

@@ -15,7 +15,7 @@ module AbstractController
     # to translate many keys within the same controller / action and gives you a
     # simple framework for scoping them consistently.
     def translate(key, **options)
-      if key.start_with?(".")
+      if key&.start_with?(".")
         path = controller_path.tr("/", ".")
         defaults = [:"#{path}#{key}"]
         defaults << options[:default] if options[:default]

data/lib/action_controller/log_subscriber.rb

@@ -23,7 +23,7 @@ module ActionController
         additions = ActionController::Base.log_process_action(payload)
         status = payload[:status]
 
-        if status.nil? && (exception_class_name = payload[:exception].first)
+        if status.nil? && (exception_class_name = payload[:exception]&.first)
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
 

data/lib/action_controller/metal/conditional_get.rb

@@ -182,7 +182,7 @@ module ActionController
     #
     # You can also pass an object that responds to +maximum+, such as a
     # collection of active records. In this case +last_modified+ will be set by
-    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
     # most recently updated record) and the +etag+ by passing the object itself.
     #
     #   def index

data/lib/action_controller/metal/http_authentication.rb

@@ -484,7 +484,7 @@ module ActionController
       def raw_params(auth)
         _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
 
-        if !_raw_params.first.start_with?(TOKEN_KEY)
+        if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
         end
 

data/lib/action_controller/renderer.rb

@@ -84,7 +84,7 @@ module ActionController
     #
     # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
     #
-    # If an object responding to `render_in` is passed, `render_in` is called on the object,
+    # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
     # passing in the current view context.
     #
     # Otherwise, a partial is rendered using the second parameter as the locals hash.

data/lib/action_dispatch/http/mime_type.rb

@@ -330,7 +330,7 @@ module Mime
   end
 
   # ALL isn't a real MIME type, so we don't register it for lookup with the
-  # other concrete types. It's a wildcard match that we use for `respond_to`
+  # other concrete types. It's a wildcard match that we use for +respond_to+
   # negotiation internals.
   ALL = AllType.instance
 

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -13,7 +13,7 @@ module ActionDispatch
   #
   # When a request comes to an unauthorized host, the +response_app+
   # application will be executed and rendered. If no +response_app+ is given, a
-  # default one will run, which responds with +403 Forbidden+.
+  # default one will run, which responds with <tt>403 Forbidden</tt>.
   class HostAuthorization
     class Permissions # :nodoc:
       def initialize(hosts)
@@ -103,11 +103,20 @@ module ActionDispatch
 
     private
       def authorized?(request)
-        origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
-        forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
-
-        @permissions.allows?(origin_host) &&
-          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+        valid_host = /
+          \A
+          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
+          (:\d+)?
+          \z
+        /x
+
+        origin_host = valid_host.match(
+          request.get_header("HTTP_HOST").to_s.downcase)
+        forwarded_host = valid_host.match(
+          request.x_forwarded_host.to_s.split(/,\s?/).last)
+
+        origin_host && @permissions.allows?(origin_host[:host]) && (
+          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
       end
 
       def excluded?(request)

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -46,7 +46,9 @@ module ActionDispatch
         status  = wrapper.status_code
         request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
+        request.set_header "action_dispatch.original_request_method", request.raw_request_method
         request.path_info = "/#{status}"
+        request.request_method = "GET"
         response = @exceptions_app.call(request.env)
         response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
       rescue Exception => failsafe_error

data/lib/action_dispatch/middleware/ssl.rb

@@ -52,6 +52,8 @@ module ActionDispatch
     # Default to 2 years as recommended on hstspreload.org.
     HSTS_EXPIRES_IN = 63072000
 
+    PERMANENT_REDIRECT_REQUEST_METHODS = %w[GET HEAD] # :nodoc:
+
     def self.default_hsts_options
       { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
     end
@@ -131,7 +133,7 @@ module ActionDispatch
       end
 
       def redirection_status(request)
-        if request.get? || request.head?
+        if PERMANENT_REDIRECT_REQUEST_METHODS.include?(request.raw_request_method)
           301 # Issue a permanent redirect via a GET request.
         elsif @ssl_default_redirect_status
           @ssl_default_redirect_status

data/lib/action_dispatch/middleware/stack.rb

@@ -43,7 +43,7 @@ module ActionDispatch
     end
 
     # This class is used to instrument the execution of a single middleware.
-    # It proxies the `call` method transparently and instruments the method
+    # It proxies the +call+ method transparently and instruments the method
     # call.
     class InstrumentationProxy
       EVENT_NAME = "process_middleware.action_dispatch"

data/lib/action_dispatch/middleware/static.rb

@@ -32,12 +32,12 @@ module ActionDispatch
   #
   # Precompressed versions of these files are checked first. Brotli (.br)
   # and gzip (.gz) files are supported. If +path+.br exists, this
-  # endpoint returns that file with a +Content-Encoding: br+ header.
+  # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
   #
   # If no matching file is found, this endpoint responds 404 Not Found.
   #
   # Pass the +root+ directory to search for matching files, an optional
-  # +index: "index"+ to change the default +path+/index.html, and optional
+  # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
   # additional response headers.
   class FileHandler
     # Accept-Encoding value -> file extension

data/lib/action_dispatch/middleware/templates/routes/_table.html.erb

@@ -51,10 +51,19 @@
   }
 
   @media (prefers-color-scheme: dark) {
+    body {
+      background-color: #222;
+      color: #ECECEC;
+    }
+
     #route_table tbody tr:nth-child(odd) {
       background: #333;
     }
 
+    #route_table tbody tr:nth-child(even) {
+      background: #444;
+    }
+
     #route_table tbody.exact_matches,
     #route_table tbody.fuzzy_matches {
       color: #333;

data/lib/action_dispatch/routing/redirection.rb

@@ -164,7 +164,7 @@ module ActionDispatch
       #     "http://#{request.host_with_port}/#{path}"
       #   }
       #
-      # Note that the +do end+ syntax for the redirect block wouldn't work, as Ruby would pass
+      # Note that the <tt>do end</tt> syntax for the redirect block wouldn't work, as Ruby would pass
       # the block to +get+ instead of +redirect+. Use <tt>{ ... }</tt> instead.
       #
       # The options version of redirect allows you to supply only the parts of the URL which need

data/lib/action_dispatch/system_testing/browser.rb

@@ -71,14 +71,14 @@ module ActionDispatch
 
         def set_headless_chrome_browser_options
           configure do |capabilities|
-            capabilities.args << "--headless"
-            capabilities.args << "--disable-gpu" if Gem.win_platform?
+            capabilities.add_argument("--headless")
+            capabilities.add_argument("--disable-gpu") if Gem.win_platform?
           end
         end
 
         def set_headless_firefox_browser_options
           configure do |capabilities|
-            capabilities.args << "-headless"
+            capabilities.add_argument("-headless")
           end
         end
     end

data/lib/action_dispatch/testing/integration.rb

@@ -199,11 +199,11 @@ module ActionDispatch
       #   merged into the Rack env hash.
       # - +env+: Additional env to pass, as a Hash. The headers will be
       #   merged into the Rack env hash.
-      # - +xhr+: Set to `true` if you want to make and Ajax request.
+      # - +xhr+: Set to +true+ if you want to make and Ajax request.
       #   Adds request headers characteristic of XMLHttpRequest e.g. HTTP_X_REQUESTED_WITH.
       #   The headers will be merged into the Rack env hash.
       # - +as+: Used for encoding the request with different content type.
-      #   Supports `:json` by default and will set the appropriate request headers.
+      #   Supports +:json+ by default and will set the appropriate request headers.
       #   The headers will be merged into the Rack env hash.
       #
       # This method is rarely used directly. Use +#get+, +#post+, or other standard

data/lib/action_dispatch/testing/test_process.rb

@@ -29,7 +29,7 @@ module ActionDispatch
               haven't set yet. Set `file_fixture_path` to discard this warning.
             EOM
           elsif path.exist?
-            non_deprecated_path = path.relative_path_from(Pathname(self.class.file_fixture_path))
+            non_deprecated_path = Pathname(File.absolute_path(path)).relative_path_from(Pathname(File.absolute_path(self.class.file_fixture_path)))
             ActiveSupport::Deprecation.warn(<<~EOM)
               Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
               In Rails 6.2, the path needs to be relative to `file_fixture_path`.

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 0
-    PRE   = "rc2"
+    TINY  = 3
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.0.rc2
+  version: 6.1.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-01 00:00:00.000000000 Z
+date: 2021-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc2
+        version: 6.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc2
+        version: 6.1.3
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc2
+        version: 6.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc2
+        version: 6.1.3
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc2
+        version: 6.1.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.0.rc2
+        version: 6.1.3
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,11 +309,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.0.rc2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.0.rc2/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.3/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.3/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.0.rc2/actionpack
-post_install_message: 
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.3/actionpack
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -324,13 +324,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements:
 - none
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []