actionpack 6.1.2 → 6.1.2.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +14 -5
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +15 -15
    
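--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 
-  data.tar.gz: 
+  metadata.gz: 9ddc348fb8652218b5bd5b37bdb59d84478978eef60efa1e6e0ec970975e51fe
+  data.tar.gz: 3cb8f6771faff1498a49741146ee58df760bfaf71736ab90329b44141b600448
 SHA512:
-  metadata.gz: 
-  data.tar.gz: 
+  metadata.gz: ca1a39f35896900dad228fdb4174207fcf571407aa3e033a82718bf2411b2d45665bd03db6df7e21d25cc8df4aaa33d83190502be910a528b51fc4ce4871d2f3
+  data.tar.gz: 66aec3e70249c3661662c5357ba2cc53b3845449bca439c3b07e34068fbb99be354e9dfa536d1964d9446d66519c6c515125827e1cc7f3b01c046b3a9a0741b3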
    
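--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,15 @@
+## Rails 6.1.2.1 (February 10, 2021) ##
+
+*   Prevent open redirect when allowed host starts with a dot
+
+    [CVE-2021-22881]
+
+    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+    issue and the patch!
+
+    *Aaron Patterson*
+
+
 ## Rails 6.1.2 (February 09, 2021) ##
 
 *   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.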
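--- a/data/lib/action_dispatch/middleware/host_authorization.rb
+++ b/data/lib/action_dispatch/middleware/host_authorization.rb
@@ -103,11 +103,20 @@ module ActionDispatch
 
     private
       def authorized?(request)
-
-
-
-
-
+        valid_host = /
+          \A
+          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
+          (:\d+)?
+          \z
+        /x
+
+        origin_host = valid_host.match(
+          request.get_header("HTTP_HOST").to_s.downcase)
+        forwarded_host = valid_host.match(
+          request.x_forwarded_host.to_s.split(/,\s?/).last)
+
+        origin_host && @permissions.allows?(origin_host[:host]) && (
+          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
       end
 
       def excluded?(request)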
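Review bot: The X-Forwarded-Host value on new line 116 is matched without being downcased, while HTTP_HOST on line 114 is downcased first, so a forwarded host containing uppercase letters fails `valid_host`, `forwarded_host` becomes nil, and line 119 then treats it exactly like an absent header and accepts the request; the same fail-open path is taken for any last element that `split(/,\s?/)` leaves unparsable, for instance when more than one space follows the comma. Hostnames are case-insensitive, so the minimal change is on line 116: `request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.downcase)`. It is also worth deciding explicitly whether a non-empty forwarded value that does not match `valid_host` should be rejected rather than ignored, since as written the `nil?` branch cannot tell "no header" from "header we could not parse"; I would hedge that a stricter policy may need checking against proxies that send unusual values. The content of the five removed lines (old 106-110) is not visible on this page, so I cannot confirm how the previous code handled these inputs.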
    
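--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.2
+  version: 6.1.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02- 
+date: 2021-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 6.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 6.1.2.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 6.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 6.1.2.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 6.1.2.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 6.1.2.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,11 +309,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.2/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.2.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.2/actionpack
-post_install_message:
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.2.1/actionpack
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -329,8 +329,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3. 
-signing_key:
+rubygems_version: 3.0.3
+signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []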