actionpack 6.1.3.1 → 6.1.3.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6fec2460bf8c4c27a3bdd3984ebbfa8eb14463adfc131a961ee4708034883ae7
4
- data.tar.gz: a242f25080d9c07818a21e7135dad264ad3e01fd353cdf9f5c130fcf588a8efc
3
+ metadata.gz: 9cfba18fd1e2c6507de318e22c9cab8f878c22b9cbce70065f9c2ff9053f1d96
4
+ data.tar.gz: 178c4347f79392aaa6d452c3eeb406cbecf66a9b3ece0d244f98d7a4fa15b6ab
5
5
  SHA512:
6
- metadata.gz: 5b3925db39ef6d34e3d2b3ae5732499892fcaf91deaedf24483f985bb80bb74c92a6d4e8707b5cd966dbf4466e6b177fee2964ef78006ec523d9243bf07eba47
7
- data.tar.gz: a14bbb566f5253a87f1cbbbb394d4f8dd546b136bf963a8ca98011b33ae85191b1cc611c3edbd31a26bfe36a9d098deb22214b7b19a3ffef3713c69b19a3f80d
6
+ metadata.gz: 6479340989a0677d3e64e0723a67c0cc64ea4dc9d5fcfe6bfad6538703582f3b95bc2426b68c56c2dda3a1b66842e7ed890b70fefbf136c8a198d23336525447
7
+ data.tar.gz: 9021e02a953bf859d984e3722561745d0b562292b3fe3566ee1d362a9eb8c06af868f2d17db7dd5558e31871f626a39d8d9a7bb9b34697c5d26b8b58a533db4f
data/CHANGELOG.md CHANGED
@@ -1,3 +1,24 @@
1
+ ## Rails 6.1.3.2 (May 05, 2021) ##
2
+
3
+ * Prevent open redirects by correctly escaping the host allow list
4
+ CVE-2021-22903
5
+
6
+ * Prevent catastrophic backtracking during mime parsing
7
+ CVE-2021-22902
8
+
9
+ * Prevent regex DoS in HTTP token authentication
10
+ CVE-2021-22904
11
+
12
+ * Prevent string polymorphic route arguments.
13
+
14
+ `url_for` supports building polymorphic URLs via an array
15
+ of arguments (usually symbols and records). If a developer passes a
16
+ user input array, strings can result in unwanted route helper calls.
17
+
18
+ CVE-2021-22885
19
+
20
+ *Gannon McGibbon*
21
+
1
22
  ## Rails 6.1.3.1 (March 26, 2021) ##
2
23
 
3
24
  * No changes.
@@ -407,7 +407,7 @@ module ActionController
407
407
  module Token
408
408
  TOKEN_KEY = "token="
409
409
  TOKEN_REGEX = /^(Token|Bearer)\s+/
410
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
410
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
411
411
  extend self
412
412
 
413
413
  module ControllerMethods
@@ -229,7 +229,7 @@ module Mime
229
229
  MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
230
230
  MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
231
231
  MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
232
- MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
232
+ MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
233
233
 
234
234
  class InvalidMimeType < StandardError; end
235
235
 
@@ -53,7 +53,7 @@ module ActionDispatch
53
53
  if host.start_with?(".")
54
54
  /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
55
55
  else
56
- /\A#{host}\z/i
56
+ /\A#{Regexp.escape host}\z/i
57
57
  end
58
58
  end
59
59
  end
@@ -287,10 +287,12 @@ module ActionDispatch
287
287
 
288
288
  args = []
289
289
 
290
- route = record_list.map { |parent|
290
+ route = record_list.map do |parent|
291
291
  case parent
292
- when Symbol, String
292
+ when Symbol
293
293
  parent.to_s
294
+ when String
295
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
294
296
  when Class
295
297
  args << parent
296
298
  parent.model_name.singular_route_key
@@ -298,12 +300,14 @@ module ActionDispatch
298
300
  args << parent.to_model
299
301
  parent.to_model.model_name.singular_route_key
300
302
  end
301
- }
303
+ end
302
304
 
303
305
  route <<
304
306
  case record
305
- when Symbol, String
307
+ when Symbol
306
308
  record.to_s
309
+ when String
310
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
307
311
  when Class
308
312
  @key_strategy.call record.model_name
309
313
  else
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
12
  TINY = 3
13
- PRE = "1"
13
+ PRE = "2"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.3.1
4
+ version: 6.1.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-03-26 00:00:00.000000000 Z
11
+ date: 2021-05-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.1.3.1
19
+ version: 6.1.3.2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.1.3.1
26
+ version: 6.1.3.2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 6.1.3.1
101
+ version: 6.1.3.2
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 6.1.3.1
108
+ version: 6.1.3.2
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 6.1.3.1
115
+ version: 6.1.3.2
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 6.1.3.1
122
+ version: 6.1.3.2
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -309,11 +309,11 @@ licenses:
309
309
  - MIT
310
310
  metadata:
311
311
  bug_tracker_uri: https://github.com/rails/rails/issues
312
- changelog_uri: https://github.com/rails/rails/blob/v6.1.3.1/actionpack/CHANGELOG.md
313
- documentation_uri: https://api.rubyonrails.org/v6.1.3.1/
312
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md
313
+ documentation_uri: https://api.rubyonrails.org/v6.1.3.2/
314
314
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
315
- source_code_uri: https://github.com/rails/rails/tree/v6.1.3.1/actionpack
316
- post_install_message:
315
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.3.2/actionpack
316
+ post_install_message:
317
317
  rdoc_options: []
318
318
  require_paths:
319
319
  - lib
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
330
330
  requirements:
331
331
  - none
332
332
  rubygems_version: 3.1.2
333
- signing_key:
333
+ signing_key:
334
334
  specification_version: 4
335
335
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
336
336
  test_files: []