actionpack 6.1.1 → 6.1.3.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +56 -0
- data/README.rdoc +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
- data/lib/action_controller/log_subscriber.rb +1 -1
- data/lib/action_controller/metal/http_authentication.rb +2 -2
- data/lib/action_controller/renderer.rb +1 -1
- data/lib/action_dispatch/http/mime_type.rb +2 -2
- data/lib/action_dispatch/middleware/host_authorization.rb +16 -7
- data/lib/action_dispatch/middleware/stack.rb +1 -1
- data/lib/action_dispatch/middleware/static.rb +2 -2
- data/lib/action_dispatch/routing/polymorphic_routes.rb +8 -4
- data/lib/action_dispatch/routing/redirection.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +1 -1
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9cfba18fd1e2c6507de318e22c9cab8f878c22b9cbce70065f9c2ff9053f1d96
|
4
|
+
data.tar.gz: 178c4347f79392aaa6d452c3eeb406cbecf66a9b3ece0d244f98d7a4fa15b6ab
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6479340989a0677d3e64e0723a67c0cc64ea4dc9d5fcfe6bfad6538703582f3b95bc2426b68c56c2dda3a1b66842e7ed890b70fefbf136c8a198d23336525447
|
7
|
+
data.tar.gz: 9021e02a953bf859d984e3722561745d0b562292b3fe3566ee1d362a9eb8c06af868f2d17db7dd5558e31871f626a39d8d9a7bb9b34697c5d26b8b58a533db4f
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,59 @@
|
|
1
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
2
|
+
|
3
|
+
* Prevent open redirects by correctly escaping the host allow list
|
4
|
+
CVE-2021-22903
|
5
|
+
|
6
|
+
* Prevent catastrophic backtracking during mime parsing
|
7
|
+
CVE-2021-22902
|
8
|
+
|
9
|
+
* Prevent regex DoS in HTTP token authentication
|
10
|
+
CVE-2021-22904
|
11
|
+
|
12
|
+
* Prevent string polymorphic route arguments.
|
13
|
+
|
14
|
+
`url_for` supports building polymorphic URLs via an array
|
15
|
+
of arguments (usually symbols and records). If a developer passes a
|
16
|
+
user input array, strings can result in unwanted route helper calls.
|
17
|
+
|
18
|
+
CVE-2021-22885
|
19
|
+
|
20
|
+
*Gannon McGibbon*
|
21
|
+
|
22
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
23
|
+
|
24
|
+
* No changes.
|
25
|
+
|
26
|
+
|
27
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
28
|
+
|
29
|
+
* Re-define routes when not set correctly via inheritance.
|
30
|
+
|
31
|
+
*John Hawthorn*
|
32
|
+
|
33
|
+
|
34
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
35
|
+
|
36
|
+
* Prevent open redirect when allowed host starts with a dot
|
37
|
+
|
38
|
+
[CVE-2021-22881]
|
39
|
+
|
40
|
+
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
41
|
+
issue and the patch!
|
42
|
+
|
43
|
+
*Aaron Patterson*
|
44
|
+
|
45
|
+
|
46
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
47
|
+
|
48
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
49
|
+
|
50
|
+
*Janko Marohnić*
|
51
|
+
|
52
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
53
|
+
|
54
|
+
*Eugene Kenny*
|
55
|
+
|
56
|
+
|
1
57
|
## Rails 6.1.1 (January 07, 2021) ##
|
2
58
|
|
3
59
|
* Fix nil translation key lookup in controllers/
|
data/README.rdoc
CHANGED
@@ -33,7 +33,7 @@ The latest version of Action Pack can be installed with RubyGems:
|
|
33
33
|
|
34
34
|
Source code can be downloaded as part of the Rails project on GitHub:
|
35
35
|
|
36
|
-
* https://github.com/rails/rails/tree/
|
36
|
+
* https://github.com/rails/rails/tree/main/actionpack
|
37
37
|
|
38
38
|
|
39
39
|
== License
|
@@ -7,11 +7,27 @@ module AbstractController
|
|
7
7
|
Module.new do
|
8
8
|
define_method(:inherited) do |klass|
|
9
9
|
super(klass)
|
10
|
-
|
10
|
+
|
11
|
+
namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
|
12
|
+
actual_routes = namespace ? namespace.railtie_routes_url_helpers._routes : routes
|
13
|
+
|
14
|
+
if namespace
|
11
15
|
klass.include(namespace.railtie_routes_url_helpers(include_path_helpers))
|
12
16
|
else
|
13
17
|
klass.include(routes.url_helpers(include_path_helpers))
|
14
18
|
end
|
19
|
+
|
20
|
+
# In the case that we have ex.
|
21
|
+
# class A::Foo < ApplicationController
|
22
|
+
# class Bar < A::Foo
|
23
|
+
# We will need to redefine _routes because it will not be correct
|
24
|
+
# via inheritance.
|
25
|
+
unless klass._routes.equal?(actual_routes)
|
26
|
+
klass.redefine_singleton_method(:_routes) { actual_routes }
|
27
|
+
klass.include(Module.new do
|
28
|
+
define_method(:_routes) { @_routes || actual_routes }
|
29
|
+
end)
|
30
|
+
end
|
15
31
|
end
|
16
32
|
end
|
17
33
|
end
|
@@ -23,7 +23,7 @@ module ActionController
|
|
23
23
|
additions = ActionController::Base.log_process_action(payload)
|
24
24
|
status = payload[:status]
|
25
25
|
|
26
|
-
if status.nil? && (exception_class_name = payload[:exception]
|
26
|
+
if status.nil? && (exception_class_name = payload[:exception]&.first)
|
27
27
|
status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
|
28
28
|
end
|
29
29
|
|
@@ -407,7 +407,7 @@ module ActionController
|
|
407
407
|
module Token
|
408
408
|
TOKEN_KEY = "token="
|
409
409
|
TOKEN_REGEX = /^(Token|Bearer)\s+/
|
410
|
-
AUTHN_PAIR_DELIMITERS = /(?:,|;|\t
|
410
|
+
AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
|
411
411
|
extend self
|
412
412
|
|
413
413
|
module ControllerMethods
|
@@ -484,7 +484,7 @@ module ActionController
|
|
484
484
|
def raw_params(auth)
|
485
485
|
_raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
|
486
486
|
|
487
|
-
if !_raw_params.first
|
487
|
+
if !_raw_params.first&.start_with?(TOKEN_KEY)
|
488
488
|
_raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
|
489
489
|
end
|
490
490
|
|
@@ -84,7 +84,7 @@ module ActionController
|
|
84
84
|
#
|
85
85
|
# If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
|
86
86
|
#
|
87
|
-
# If an object responding to
|
87
|
+
# If an object responding to +render_in+ is passed, +render_in+ is called on the object,
|
88
88
|
# passing in the current view context.
|
89
89
|
#
|
90
90
|
# Otherwise, a partial is rendered using the second parameter as the locals hash.
|
@@ -229,7 +229,7 @@ module Mime
|
|
229
229
|
MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
|
230
230
|
MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
|
231
231
|
MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
|
232
|
-
MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(
|
232
|
+
MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
|
233
233
|
|
234
234
|
class InvalidMimeType < StandardError; end
|
235
235
|
|
@@ -330,7 +330,7 @@ module Mime
|
|
330
330
|
end
|
331
331
|
|
332
332
|
# ALL isn't a real MIME type, so we don't register it for lookup with the
|
333
|
-
# other concrete types. It's a wildcard match that we use for
|
333
|
+
# other concrete types. It's a wildcard match that we use for +respond_to+
|
334
334
|
# negotiation internals.
|
335
335
|
ALL = AllType.instance
|
336
336
|
|
@@ -13,7 +13,7 @@ module ActionDispatch
|
|
13
13
|
#
|
14
14
|
# When a request comes to an unauthorized host, the +response_app+
|
15
15
|
# application will be executed and rendered. If no +response_app+ is given, a
|
16
|
-
# default one will run, which responds with
|
16
|
+
# default one will run, which responds with <tt>403 Forbidden</tt>.
|
17
17
|
class HostAuthorization
|
18
18
|
class Permissions # :nodoc:
|
19
19
|
def initialize(hosts)
|
@@ -53,7 +53,7 @@ module ActionDispatch
|
|
53
53
|
if host.start_with?(".")
|
54
54
|
/\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
|
55
55
|
else
|
56
|
-
/\A#{host}\z/i
|
56
|
+
/\A#{Regexp.escape host}\z/i
|
57
57
|
end
|
58
58
|
end
|
59
59
|
end
|
@@ -103,11 +103,20 @@ module ActionDispatch
|
|
103
103
|
|
104
104
|
private
|
105
105
|
def authorized?(request)
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
106
|
+
valid_host = /
|
107
|
+
\A
|
108
|
+
(?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
|
109
|
+
(:\d+)?
|
110
|
+
\z
|
111
|
+
/x
|
112
|
+
|
113
|
+
origin_host = valid_host.match(
|
114
|
+
request.get_header("HTTP_HOST").to_s.downcase)
|
115
|
+
forwarded_host = valid_host.match(
|
116
|
+
request.x_forwarded_host.to_s.split(/,\s?/).last)
|
117
|
+
|
118
|
+
origin_host && @permissions.allows?(origin_host[:host]) && (
|
119
|
+
forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
|
111
120
|
end
|
112
121
|
|
113
122
|
def excluded?(request)
|
@@ -43,7 +43,7 @@ module ActionDispatch
|
|
43
43
|
end
|
44
44
|
|
45
45
|
# This class is used to instrument the execution of a single middleware.
|
46
|
-
# It proxies the
|
46
|
+
# It proxies the +call+ method transparently and instruments the method
|
47
47
|
# call.
|
48
48
|
class InstrumentationProxy
|
49
49
|
EVENT_NAME = "process_middleware.action_dispatch"
|
@@ -32,12 +32,12 @@ module ActionDispatch
|
|
32
32
|
#
|
33
33
|
# Precompressed versions of these files are checked first. Brotli (.br)
|
34
34
|
# and gzip (.gz) files are supported. If +path+.br exists, this
|
35
|
-
# endpoint returns that file with a
|
35
|
+
# endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
|
36
36
|
#
|
37
37
|
# If no matching file is found, this endpoint responds 404 Not Found.
|
38
38
|
#
|
39
39
|
# Pass the +root+ directory to search for matching files, an optional
|
40
|
-
#
|
40
|
+
# <tt>index: "index"</tt> to change the default +path+/index.html, and optional
|
41
41
|
# additional response headers.
|
42
42
|
class FileHandler
|
43
43
|
# Accept-Encoding value -> file extension
|
@@ -287,10 +287,12 @@ module ActionDispatch
|
|
287
287
|
|
288
288
|
args = []
|
289
289
|
|
290
|
-
route = record_list.map
|
290
|
+
route = record_list.map do |parent|
|
291
291
|
case parent
|
292
|
-
when Symbol
|
292
|
+
when Symbol
|
293
293
|
parent.to_s
|
294
|
+
when String
|
295
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
294
296
|
when Class
|
295
297
|
args << parent
|
296
298
|
parent.model_name.singular_route_key
|
@@ -298,12 +300,14 @@ module ActionDispatch
|
|
298
300
|
args << parent.to_model
|
299
301
|
parent.to_model.model_name.singular_route_key
|
300
302
|
end
|
301
|
-
|
303
|
+
end
|
302
304
|
|
303
305
|
route <<
|
304
306
|
case record
|
305
|
-
when Symbol
|
307
|
+
when Symbol
|
306
308
|
record.to_s
|
309
|
+
when String
|
310
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
307
311
|
when Class
|
308
312
|
@key_strategy.call record.model_name
|
309
313
|
else
|
@@ -164,7 +164,7 @@ module ActionDispatch
|
|
164
164
|
# "http://#{request.host_with_port}/#{path}"
|
165
165
|
# }
|
166
166
|
#
|
167
|
-
# Note that the
|
167
|
+
# Note that the <tt>do end</tt> syntax for the redirect block wouldn't work, as Ruby would pass
|
168
168
|
# the block to +get+ instead of +redirect+. Use <tt>{ ... }</tt> instead.
|
169
169
|
#
|
170
170
|
# The options version of redirect allows you to supply only the parts of the URL which need
|
@@ -199,11 +199,11 @@ module ActionDispatch
|
|
199
199
|
# merged into the Rack env hash.
|
200
200
|
# - +env+: Additional env to pass, as a Hash. The headers will be
|
201
201
|
# merged into the Rack env hash.
|
202
|
-
# - +xhr+: Set to
|
202
|
+
# - +xhr+: Set to +true+ if you want to make and Ajax request.
|
203
203
|
# Adds request headers characteristic of XMLHttpRequest e.g. HTTP_X_REQUESTED_WITH.
|
204
204
|
# The headers will be merged into the Rack env hash.
|
205
205
|
# - +as+: Used for encoding the request with different content type.
|
206
|
-
# Supports
|
206
|
+
# Supports +:json+ by default and will set the appropriate request headers.
|
207
207
|
# The headers will be merged into the Rack env hash.
|
208
208
|
#
|
209
209
|
# This method is rarely used directly. Use +#get+, +#post+, or other standard
|
@@ -29,7 +29,7 @@ module ActionDispatch
|
|
29
29
|
haven't set yet. Set `file_fixture_path` to discard this warning.
|
30
30
|
EOM
|
31
31
|
elsif path.exist?
|
32
|
-
non_deprecated_path = path.relative_path_from(Pathname(self.class.file_fixture_path))
|
32
|
+
non_deprecated_path = Pathname(File.absolute_path(path)).relative_path_from(Pathname(File.absolute_path(self.class.file_fixture_path)))
|
33
33
|
ActiveSupport::Deprecation.warn(<<~EOM)
|
34
34
|
Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
|
35
35
|
In Rails 6.2, the path needs to be relative to `file_fixture_path`.
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.1.
|
4
|
+
version: 6.1.3.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-05-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.1.
|
19
|
+
version: 6.1.3.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.1.
|
26
|
+
version: 6.1.3.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 6.1.
|
101
|
+
version: 6.1.3.2
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 6.1.
|
108
|
+
version: 6.1.3.2
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 6.1.
|
115
|
+
version: 6.1.3.2
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 6.1.
|
122
|
+
version: 6.1.3.2
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -309,10 +309,10 @@ licenses:
|
|
309
309
|
- MIT
|
310
310
|
metadata:
|
311
311
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
312
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.
|
313
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.
|
312
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md
|
313
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.3.2/
|
314
314
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
315
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.
|
315
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.3.2/actionpack
|
316
316
|
post_install_message:
|
317
317
|
rdoc_options: []
|
318
318
|
require_paths:
|
@@ -329,7 +329,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
329
329
|
version: '0'
|
330
330
|
requirements:
|
331
331
|
- none
|
332
|
-
rubygems_version: 3.2
|
332
|
+
rubygems_version: 3.1.2
|
333
333
|
signing_key:
|
334
334
|
specification_version: 4
|
335
335
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|