actionpack 6.1.3.1 → 6.1.3.2

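--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 6fec2460bf8c4c27a3bdd3984ebbfa8eb14463adfc131a961ee4708034883ae7
-data.tar.gz: a242f25080d9c07818a21e7135dad264ad3e01fd353cdf9f5c130fcf588a8efc
+metadata.gz: 9cfba18fd1e2c6507de318e22c9cab8f878c22b9cbce70065f9c2ff9053f1d96
+data.tar.gz: 178c4347f79392aaa6d452c3eeb406cbecf66a9b3ece0d244f98d7a4fa15b6ab
 SHA512:
-metadata.gz: 5b3925db39ef6d34e3d2b3ae5732499892fcaf91deaedf24483f985bb80bb74c92a6d4e8707b5cd966dbf4466e6b177fee2964ef78006ec523d9243bf07eba47
-data.tar.gz: a14bbb566f5253a87f1cbbbb394d4f8dd546b136bf963a8ca98011b33ae85191b1cc611c3edbd31a26bfe36a9d098deb22214b7b19a3ffef3713c69b19a3f80d
+metadata.gz: 6479340989a0677d3e64e0723a67c0cc64ea4dc9d5fcfe6bfad6538703582f3b95bc2426b68c56c2dda3a1b66842e7ed890b70fefbf136c8a198d23336525447
+data.tar.gz: 9021e02a953bf859d984e3722561745d0b562292b3fe3566ee1d362a9eb8c06af868f2d17db7dd5558e31871f626a39d8d9a7bb9b34697c5d26b8b58a533db4f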
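--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,24 @@
+## Rails 6.1.3.2 (May 05, 2021) ##
+
+* Prevent open redirects by correctly escaping the host allow list
+CVE-2021-22903
+
+* Prevent catastrophic backtracking during mime parsing
+CVE-2021-22902
+
+* Prevent regex DoS in HTTP token authentication
+CVE-2021-22904
+
+* Prevent string polymorphic route arguments.
+
+`url_for` supports building polymorphic URLs via an array
+of arguments (usually symbols and records). If a developer passes a
+user input array, strings can result in unwanted route helper calls.
+
+CVE-2021-22885
+
+*Gannon McGibbon*
+
 ## Rails 6.1.3.1 (March 26, 2021) ##
 
 * No changes.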
@@ -407,7 +407,7 @@ module ActionController
407
407
  module Token
408
408
  TOKEN_KEY = "token="
409
409
  TOKEN_REGEX = /^(Token|Bearer)\s+/
410
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
410
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
411
411
  extend self
412
412
 
413
413
  module ControllerMethods
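Review bot: The new `AUTHN_PAIR_DELIMITERS` value on line 410 gives no hint that the single `\t` is deliberate, so a later cleanup could reintroduce the quantifier; add a comment above it such as `# Keep every alternative a single character: the quantified `\t+` was part of the regex DoS fix recorded as CVE-2021-22904 in the CHANGELOG.` Dropping `\t+` also changes what a split on this pattern yields for consecutive tabs (empty fields instead of one boundary), so whatever consumes the pieces should tolerate empty strings; that consumer is outside the hunk, so I cannot confirm it does. The enclosing `Token` module continues outside the hunk.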
@@ -229,7 +229,7 @@ module Mime
229
229
  MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
230
230
  MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
231
231
  MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
232
- MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
232
+ MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
233
233
 
234
234
  class InvalidMimeType < StandardError; end
235
235
 
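Review bot: The switch from `(?:` to `(?>` on line 232 is the entire fix and the two spellings are easy to confuse, yet nothing in the code records that the group must stay atomic; add above `MIME_REGEXP` a comment such as `# Atomic group: once a parameter has matched the engine must not backtrack into it, otherwise an input with many parameters and an invalid tail backtracks catastrophically (CVE-2021-22902).` A regression test with a long run of valid parameters followed by a non-matching tail would pin this. Separately, `MIME_PARAMETER` on line 231 is a double-quoted String, where `\s` is Ruby's escape for a literal space rather than the regex whitespace class, so the separator around `;` admits only spaces while the outer `\s*` in the regexp admits any whitespace; this is pre-existing, but if it is intended a comment should say so, and if not the string should use `\\s`.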
@@ -53,7 +53,7 @@ module ActionDispatch
53
53
  if host.start_with?(".")
54
54
  /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
55
55
  else
56
- /\A#{host}\z/i
56
+ /\A#{Regexp.escape host}\z/i
57
57
  end
58
58
  end
59
59
  end
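Review bot: `Regexp.escape host` on line 56 drops the parentheses that the sibling branch on line 54 uses (`Regexp.escape(host[1..-1])`); write `/\A#{Regexp.escape(host)}\z/i` so the two branches read alike. The reason the escape matters is not recorded near the code: a configured host is interpolated into a pattern, so an unescaped allow-list entry containing a metacharacter matches more than the literal host, which is the open-redirect issue the CHANGELOG lists as CVE-2021-22903; a comment above the `if` such as `# Hosts are interpolated into a regexp and must be escaped, or an entry with metacharacters widens the allow list.` would keep that knowledge with the code. The enclosing method starts outside the hunk.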
@@ -287,10 +287,12 @@ module ActionDispatch
287
287
 
288
288
  args = []
289
289
 
290
- route = record_list.map { |parent|
290
+ route = record_list.map do |parent|
291
291
  case parent
292
- when Symbol, String
292
+ when Symbol
293
293
  parent.to_s
294
+ when String
295
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
294
296
  when Class
295
297
  args << parent
296
298
  parent.model_name.singular_route_key
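Review bot: The `ArgumentError` message `"Please use symbols for polymorphic route arguments."` on line 295 is repeated verbatim in the `record` case of the following hunk (line 310); hoist it into a frozen constant, e.g. `STRING_ARGUMENT_MESSAGE = "Please use symbols for polymorphic route arguments."` (name constructed), and raise it from both places so the two messages cannot drift. The new `when String` branch also deserves a one-line comment on why a String is rejected rather than converted like a Symbol, since the CHANGELOG entry is the only place the rationale lives: `# A String here would be treated as a route helper name; reject it so a user-supplied array cannot pick helpers (CVE-2021-22885).` The enclosing method begins before this hunk and continues past the next one.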
@@ -298,12 +300,14 @@ module ActionDispatch
298
300
  args << parent.to_model
299
301
  parent.to_model.model_name.singular_route_key
300
302
  end
301
- }
303
+ end
302
304
 
303
305
  route <<
304
306
  case record
305
- when Symbol, String
307
+ when Symbol
306
308
  record.to_s
309
+ when String
310
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
307
311
  when Class
308
312
  @key_strategy.call record.model_name
309
313
  else
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
12
  TINY = 3
13
- PRE = "1"
13
+ PRE = "2"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
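--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 6.1.3.1
+version: 6.1.3.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-26 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.1.3.1
+version: 6.1.3.2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.1.3.1
+version: 6.1.3.2
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.1.3.1
+version: 6.1.3.2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.1.3.1
+version: 6.1.3.2
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.1.3.1
+version: 6.1.3.2
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 6.1.3.1
+version: 6.1.3.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,11 +309,11 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v6.1.3.1/actionpack/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v6.1.3.1/
+changelog_uri: https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v6.1.3.2/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v6.1.3.1/actionpack
-post_install_message:
+source_code_uri: https://github.com/rails/rails/tree/v6.1.3.2/actionpack
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - none
 rubygems_version: 3.1.2
-signing_key:
+signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []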