actionpack 6.1.0.rc2 → 6.1.3

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bc84b6b896fe838781d03a845564d7d0d55c125c08891dac5192dd0b4218e148
4
- data.tar.gz: 2d6978599e5d5f2becc3ced8db15918edbeffe6048cffa5f3b11b68e0fe7fb97
3
+ metadata.gz: 1ea58dade23ab9890d5e08a7a1cb0f8cf4cae0fbd41eea9fe284d3525245aeee
4
+ data.tar.gz: c84e4268d1477b99849c45bff8a08a31d3bb8d72fcc3c73c621f79a7c8bc813a
5
5
  SHA512:
6
- metadata.gz: cba23b8e3d5344c09f2b3f41d4544c8486dafe103a1c5fd1c4f050f543a35d17346d747ff1e2cd62e7535258ee38953ab2b12eb62119d086c9e9b35c8344c2c4
7
- data.tar.gz: 7e8b5c27070a8bf909e09e8d1bd98565da44321186bdaae0e5ebc474cbaf85dc242191863b8041696cdf995e75110b94ab3af7e304d99180c78000cbec00e9ec
6
+ metadata.gz: 494e49e2b62a10a42b90c0e36745d67aae27cd1988332070db69725ea0f30834f22e494a9c448dfceed91c3cc63bf6055bfc94de372efeb55a62f126835786ea
7
+ data.tar.gz: 2d1d9bd8fe5a25cdb1ffb92e5c204f91a71d68be2dfdb0e94730b7b3fd62f931facb99c93f9e1d7c8462d317b0accc640135ca232f9547760a0a525b4ed4a9e5
data/CHANGELOG.md CHANGED
@@ -1,4 +1,49 @@
1
- ## Rails 6.1.0.rc2 (December 01, 2020) ##
1
+ ## Rails 6.1.3 (February 17, 2021) ##
2
+
3
+ * Re-define routes when not set correctly via inheritance.
4
+
5
+ *John Hawthorn*
6
+
7
+
8
+ ## Rails 6.1.2.1 (February 10, 2021) ##
9
+
10
+ * Prevent open redirect when allowed host starts with a dot
11
+
12
+ [CVE-2021-22881]
13
+
14
+ Thanks to @tktech (https://hackerone.com/tktech) for reporting this
15
+ issue and the patch!
16
+
17
+ *Aaron Patterson*
18
+
19
+
20
+ ## Rails 6.1.2 (February 09, 2021) ##
21
+
22
+ * Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
23
+
24
+ *Janko Marohnić*
25
+
26
+ * Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
27
+
28
+ *Eugene Kenny*
29
+
30
+
31
+ ## Rails 6.1.1 (January 07, 2021) ##
32
+
33
+ * Fix nil translation key lookup in controllers/
34
+
35
+ *Jan Klimo*
36
+
37
+ * Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
38
+
39
+ *Alex Robbin*
40
+
41
+ * Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
42
+
43
+ *Alex Robbin*
44
+
45
+
46
+ ## Rails 6.1.0 (December 09, 2020) ##
2
47
 
3
48
  * Support for the HTTP header `Feature-Policy` has been revised to reflect
4
49
  its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
@@ -16,8 +61,6 @@
16
61
 
17
62
  *Julien Grillot*
18
63
 
19
- ## Rails 6.1.0.rc1 (November 02, 2020) ##
20
-
21
64
  * Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
22
65
 
23
66
  Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
data/README.rdoc CHANGED
@@ -33,7 +33,7 @@ The latest version of Action Pack can be installed with RubyGems:
33
33
 
34
34
  Source code can be downloaded as part of the Rails project on GitHub:
35
35
 
36
- * https://github.com/rails/rails/tree/master/actionpack
36
+ * https://github.com/rails/rails/tree/main/actionpack
37
37
 
38
38
 
39
39
  == License
@@ -7,11 +7,27 @@ module AbstractController
7
7
  Module.new do
8
8
  define_method(:inherited) do |klass|
9
9
  super(klass)
10
- if namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
10
+
11
+ namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
12
+ actual_routes = namespace ? namespace.railtie_routes_url_helpers._routes : routes
13
+
14
+ if namespace
11
15
  klass.include(namespace.railtie_routes_url_helpers(include_path_helpers))
12
16
  else
13
17
  klass.include(routes.url_helpers(include_path_helpers))
14
18
  end
19
+
20
+ # In the case that we have ex.
21
+ # class A::Foo < ApplicationController
22
+ # class Bar < A::Foo
23
+ # We will need to redefine _routes because it will not be correct
24
+ # via inheritance.
25
+ unless klass._routes.equal?(actual_routes)
26
+ klass.redefine_singleton_method(:_routes) { actual_routes }
27
+ klass.include(Module.new do
28
+ define_method(:_routes) { @_routes || actual_routes }
29
+ end)
30
+ end
15
31
  end
16
32
  end
17
33
  end
@@ -15,7 +15,7 @@ module AbstractController
15
15
  # to translate many keys within the same controller / action and gives you a
16
16
  # simple framework for scoping them consistently.
17
17
  def translate(key, **options)
18
- if key.start_with?(".")
18
+ if key&.start_with?(".")
19
19
  path = controller_path.tr("/", ".")
20
20
  defaults = [:"#{path}#{key}"]
21
21
  defaults << options[:default] if options[:default]
@@ -23,7 +23,7 @@ module ActionController
23
23
  additions = ActionController::Base.log_process_action(payload)
24
24
  status = payload[:status]
25
25
 
26
- if status.nil? && (exception_class_name = payload[:exception].first)
26
+ if status.nil? && (exception_class_name = payload[:exception]&.first)
27
27
  status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
28
28
  end
29
29
 
@@ -182,7 +182,7 @@ module ActionController
182
182
  #
183
183
  # You can also pass an object that responds to +maximum+, such as a
184
184
  # collection of active records. In this case +last_modified+ will be set by
185
- # calling +maximum(:updated_at)+ on the collection (the timestamp of the
185
+ # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
186
186
  # most recently updated record) and the +etag+ by passing the object itself.
187
187
  #
188
188
  # def index
@@ -484,7 +484,7 @@ module ActionController
484
484
  def raw_params(auth)
485
485
  _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
486
486
 
487
- if !_raw_params.first.start_with?(TOKEN_KEY)
487
+ if !_raw_params.first&.start_with?(TOKEN_KEY)
488
488
  _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
489
489
  end
490
490
 
@@ -84,7 +84,7 @@ module ActionController
84
84
  #
85
85
  # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
86
86
  #
87
- # If an object responding to `render_in` is passed, `render_in` is called on the object,
87
+ # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
88
88
  # passing in the current view context.
89
89
  #
90
90
  # Otherwise, a partial is rendered using the second parameter as the locals hash.
@@ -330,7 +330,7 @@ module Mime
330
330
  end
331
331
 
332
332
  # ALL isn't a real MIME type, so we don't register it for lookup with the
333
- # other concrete types. It's a wildcard match that we use for `respond_to`
333
+ # other concrete types. It's a wildcard match that we use for +respond_to+
334
334
  # negotiation internals.
335
335
  ALL = AllType.instance
336
336
 
@@ -13,7 +13,7 @@ module ActionDispatch
13
13
  #
14
14
  # When a request comes to an unauthorized host, the +response_app+
15
15
  # application will be executed and rendered. If no +response_app+ is given, a
16
- # default one will run, which responds with +403 Forbidden+.
16
+ # default one will run, which responds with <tt>403 Forbidden</tt>.
17
17
  class HostAuthorization
18
18
  class Permissions # :nodoc:
19
19
  def initialize(hosts)
@@ -103,11 +103,20 @@ module ActionDispatch
103
103
 
104
104
  private
105
105
  def authorized?(request)
106
- origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
107
- forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
108
-
109
- @permissions.allows?(origin_host) &&
110
- (forwarded_host.blank? || @permissions.allows?(forwarded_host))
106
+ valid_host = /
107
+ \A
108
+ (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
109
+ (:\d+)?
110
+ \z
111
+ /x
112
+
113
+ origin_host = valid_host.match(
114
+ request.get_header("HTTP_HOST").to_s.downcase)
115
+ forwarded_host = valid_host.match(
116
+ request.x_forwarded_host.to_s.split(/,\s?/).last)
117
+
118
+ origin_host && @permissions.allows?(origin_host[:host]) && (
119
+ forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
111
120
  end
112
121
 
113
122
  def excluded?(request)
@@ -46,7 +46,9 @@ module ActionDispatch
46
46
  status = wrapper.status_code
47
47
  request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
48
48
  request.set_header "action_dispatch.original_path", request.path_info
49
+ request.set_header "action_dispatch.original_request_method", request.raw_request_method
49
50
  request.path_info = "/#{status}"
51
+ request.request_method = "GET"
50
52
  response = @exceptions_app.call(request.env)
51
53
  response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
52
54
  rescue Exception => failsafe_error
@@ -52,6 +52,8 @@ module ActionDispatch
52
52
  # Default to 2 years as recommended on hstspreload.org.
53
53
  HSTS_EXPIRES_IN = 63072000
54
54
 
55
+ PERMANENT_REDIRECT_REQUEST_METHODS = %w[GET HEAD] # :nodoc:
56
+
55
57
  def self.default_hsts_options
56
58
  { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
57
59
  end
@@ -131,7 +133,7 @@ module ActionDispatch
131
133
  end
132
134
 
133
135
  def redirection_status(request)
134
- if request.get? || request.head?
136
+ if PERMANENT_REDIRECT_REQUEST_METHODS.include?(request.raw_request_method)
135
137
  301 # Issue a permanent redirect via a GET request.
136
138
  elsif @ssl_default_redirect_status
137
139
  @ssl_default_redirect_status
@@ -43,7 +43,7 @@ module ActionDispatch
43
43
  end
44
44
 
45
45
  # This class is used to instrument the execution of a single middleware.
46
- # It proxies the `call` method transparently and instruments the method
46
+ # It proxies the +call+ method transparently and instruments the method
47
47
  # call.
48
48
  class InstrumentationProxy
49
49
  EVENT_NAME = "process_middleware.action_dispatch"
@@ -32,12 +32,12 @@ module ActionDispatch
32
32
  #
33
33
  # Precompressed versions of these files are checked first. Brotli (.br)
34
34
  # and gzip (.gz) files are supported. If +path+.br exists, this
35
- # endpoint returns that file with a +Content-Encoding: br+ header.
35
+ # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
36
36
  #
37
37
  # If no matching file is found, this endpoint responds 404 Not Found.
38
38
  #
39
39
  # Pass the +root+ directory to search for matching files, an optional
40
- # +index: "index"+ to change the default +path+/index.html, and optional
40
+ # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
41
41
  # additional response headers.
42
42
  class FileHandler
43
43
  # Accept-Encoding value -> file extension
@@ -51,10 +51,19 @@
51
51
  }
52
52
 
53
53
  @media (prefers-color-scheme: dark) {
54
+ body {
55
+ background-color: #222;
56
+ color: #ECECEC;
57
+ }
58
+
54
59
  #route_table tbody tr:nth-child(odd) {
55
60
  background: #333;
56
61
  }
57
62
 
63
+ #route_table tbody tr:nth-child(even) {
64
+ background: #444;
65
+ }
66
+
58
67
  #route_table tbody.exact_matches,
59
68
  #route_table tbody.fuzzy_matches {
60
69
  color: #333;
@@ -164,7 +164,7 @@ module ActionDispatch
164
164
  # "http://#{request.host_with_port}/#{path}"
165
165
  # }
166
166
  #
167
- # Note that the +do end+ syntax for the redirect block wouldn't work, as Ruby would pass
167
+ # Note that the <tt>do end</tt> syntax for the redirect block wouldn't work, as Ruby would pass
168
168
  # the block to +get+ instead of +redirect+. Use <tt>{ ... }</tt> instead.
169
169
  #
170
170
  # The options version of redirect allows you to supply only the parts of the URL which need
@@ -71,14 +71,14 @@ module ActionDispatch
71
71
 
72
72
  def set_headless_chrome_browser_options
73
73
  configure do |capabilities|
74
- capabilities.args << "--headless"
75
- capabilities.args << "--disable-gpu" if Gem.win_platform?
74
+ capabilities.add_argument("--headless")
75
+ capabilities.add_argument("--disable-gpu") if Gem.win_platform?
76
76
  end
77
77
  end
78
78
 
79
79
  def set_headless_firefox_browser_options
80
80
  configure do |capabilities|
81
- capabilities.args << "-headless"
81
+ capabilities.add_argument("-headless")
82
82
  end
83
83
  end
84
84
  end
@@ -199,11 +199,11 @@ module ActionDispatch
199
199
  # merged into the Rack env hash.
200
200
  # - +env+: Additional env to pass, as a Hash. The headers will be
201
201
  # merged into the Rack env hash.
202
- # - +xhr+: Set to `true` if you want to make and Ajax request.
202
+ # - +xhr+: Set to +true+ if you want to make and Ajax request.
203
203
  # Adds request headers characteristic of XMLHttpRequest e.g. HTTP_X_REQUESTED_WITH.
204
204
  # The headers will be merged into the Rack env hash.
205
205
  # - +as+: Used for encoding the request with different content type.
206
- # Supports `:json` by default and will set the appropriate request headers.
206
+ # Supports +:json+ by default and will set the appropriate request headers.
207
207
  # The headers will be merged into the Rack env hash.
208
208
  #
209
209
  # This method is rarely used directly. Use +#get+, +#post+, or other standard
@@ -29,7 +29,7 @@ module ActionDispatch
29
29
  haven't set yet. Set `file_fixture_path` to discard this warning.
30
30
  EOM
31
31
  elsif path.exist?
32
- non_deprecated_path = path.relative_path_from(Pathname(self.class.file_fixture_path))
32
+ non_deprecated_path = Pathname(File.absolute_path(path)).relative_path_from(Pathname(File.absolute_path(self.class.file_fixture_path)))
33
33
  ActiveSupport::Deprecation.warn(<<~EOM)
34
34
  Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
35
35
  In Rails 6.2, the path needs to be relative to `file_fixture_path`.
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
- TINY = 0
13
- PRE = "rc2"
12
+ TINY = 3
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.0.rc2
4
+ version: 6.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-12-01 00:00:00.000000000 Z
11
+ date: 2021-02-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.1.0.rc2
19
+ version: 6.1.3
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.1.0.rc2
26
+ version: 6.1.3
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 6.1.0.rc2
101
+ version: 6.1.3
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 6.1.0.rc2
108
+ version: 6.1.3
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 6.1.0.rc2
115
+ version: 6.1.3
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 6.1.0.rc2
122
+ version: 6.1.3
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -309,11 +309,11 @@ licenses:
309
309
  - MIT
310
310
  metadata:
311
311
  bug_tracker_uri: https://github.com/rails/rails/issues
312
- changelog_uri: https://github.com/rails/rails/blob/v6.1.0.rc2/actionpack/CHANGELOG.md
313
- documentation_uri: https://api.rubyonrails.org/v6.1.0.rc2/
312
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.3/actionpack/CHANGELOG.md
313
+ documentation_uri: https://api.rubyonrails.org/v6.1.3/
314
314
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
315
- source_code_uri: https://github.com/rails/rails/tree/v6.1.0.rc2/actionpack
316
- post_install_message:
315
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.3/actionpack
316
+ post_install_message:
317
317
  rdoc_options: []
318
318
  require_paths:
319
319
  - lib
@@ -324,13 +324,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
324
324
  version: 2.5.0
325
325
  required_rubygems_version: !ruby/object:Gem::Requirement
326
326
  requirements:
327
- - - ">"
327
+ - - ">="
328
328
  - !ruby/object:Gem::Version
329
- version: 1.3.1
329
+ version: '0'
330
330
  requirements:
331
331
  - none
332
- rubygems_version: 3.1.4
333
- signing_key:
332
+ rubygems_version: 3.2.3
333
+ signing_key:
334
334
  specification_version: 4
335
335
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
336
336
  test_files: []