actionpack 6.1.3.2 → 6.1.4.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cfba18fd1e2c6507de318e22c9cab8f878c22b9cbce70065f9c2ff9053f1d96
-  data.tar.gz: 178c4347f79392aaa6d452c3eeb406cbecf66a9b3ece0d244f98d7a4fa15b6ab
+  metadata.gz: c4f96dedfeb45e9898fe25e2383c8d0641b5fb7b98e7e895c9a4900fc7c68d57
+  data.tar.gz: 9b80b457cefe5a494ae84ea5dd14c429e3f072014ad8370ab45be040a8e642c3
 SHA512:
-  metadata.gz: 6479340989a0677d3e64e0723a67c0cc64ea4dc9d5fcfe6bfad6538703582f3b95bc2426b68c56c2dda3a1b66842e7ed890b70fefbf136c8a198d23336525447
-  data.tar.gz: 9021e02a953bf859d984e3722561745d0b562292b3fe3566ee1d362a9eb8c06af868f2d17db7dd5558e31871f626a39d8d9a7bb9b34697c5d26b8b58a533db4f
+  metadata.gz: e894d8ff3debdb9c577f3eaea0a93529c4d80c0710d9aa25d79c4ddf0a1c10cdda2130ef8eb06c4cd5a924ea283d36418de9e9f5bfbbb688dae110db4a5835d3
+  data.tar.gz: 5949504ae1fc94cea643ebbe0b52aeac410d92d6685b8abc18cd59a5016b2083927eeba539ae88eae46c088cf66a3d294b860f15cb36dc12928dc44d1bb53603

data/CHANGELOG.md

@@ -1,3 +1,82 @@
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.4.6 (February 11, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.4.5 (February 11, 2022) ##
+
+*   Under certain circumstances, the middleware isn't informed that the
+    response body has been fully closed which result in request state not
+    being fully reset before the next request
+
+    [CVE-2022-23633]
+
+
+## Rails 6.1.4.4 (December 15, 2021) ##
+
+*   Fix issue with host protection not allowing host with port in development.
+
+
+## Rails 6.1.4.3 (December 14, 2021) ##
+
+*    Fix issue with host protection not allowing localhost in development.
+
+
+## Rails 6.1.4.2 (December 14, 2021) ##
+
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+
+## Rails 6.1.4.1 (August 19, 2021) ##
+
+*   [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
+
+    Specially crafted "X-Forwarded-Host" headers in combination with certain
+    "allowed host" formats can cause the Host Authorization middleware in Action
+    Pack to redirect users to a malicious website.
+
+## Rails 6.1.4 (June 24, 2021) ##
+
+*   Ignore file fixtures on `db:fixtures:load`
+
+    *Kevin Sjöberg*
+
+*   Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
+
+    *Dylan Thacker-Smith*
+
+*   Correctly place optional path parameter booleans.
+
+    Previously, if you specify a url parameter that is part of the path as false it would include that part
+    of the path as parameter for example:
+
+    ```
+    get "(/optional/:optional_id)/things" => "foo#foo", as: :things
+    things_path(optional_id: false) # => /things?optional_id=false
+    ```
+
+    After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
+
+    ```
+    get '(this/:my_bool)/that' as: :that
+
+    that_path(my_bool: true) # => `/this/true/that`
+    that_path(my_bool: false) # => `/this/false/that`
+    ```
+
+    *Adam Hess*
+
+*   Add support for 'private, no-store' Cache-Control headers.
+
+    Previously, 'no-store' was exclusive; no other directives could be specified.
+
+    *Alex Smith*
+
+
 ## Rails 6.1.3.2 (May 05, 2021) ##
 
 *   Prevent open redirects by correctly escaping the host allow list

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -44,7 +44,7 @@ module ActionController
       # template digest from the ETag.
       def pick_template_for_etag(options)
         unless options[:template] == false
-          options[:template] || "#{controller_path}/#{action_name}"
+          options[:template] || lookup_context.find_all(action_name, _prefixes).first&.virtual_path
         end
       end
 

data/lib/action_controller/metal/live.rb

@@ -127,6 +127,11 @@ module ActionController
     class Buffer < ActionDispatch::Response::Buffer #:nodoc:
       include MonitorMixin
 
+      class << self
+        attr_accessor :queue_size
+      end
+      @queue_size = 10
+
       # Ignore that the client has disconnected.
       #
       # If this value is `true`, calling `write` after the client
@@ -136,7 +141,7 @@ module ActionController
       attr_accessor :ignore_disconnect
 
       def initialize(response)
-        super(response, SizedQueue.new(10))
+        super(response, build_queue(self.class.queue_size))
         @error_callback = lambda { true }
         @cv = new_cond
         @aborted = false
@@ -214,6 +219,10 @@ module ActionController
             yield str
           end
         end
+
+        def build_queue(queue_size)
+          queue_size ? SizedQueue.new(queue_size) : Queue.new
+        end
     end
 
     class Response < ActionDispatch::Response #:nodoc: all

data/lib/action_controller/metal/params_wrapper.rb

@@ -281,7 +281,10 @@ module ActionController
         return false unless request.has_content_type?
 
         ref = request.content_mime_type.ref
+
         _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        false
       end
 
       def _perform_parameter_wrapping
@@ -295,8 +298,6 @@ module ActionController
 
         # This will display the wrapped hash in the log file.
         request.filtered_parameters.merge! wrapped_filtered_hash
-      rescue ActionDispatch::Http::Parameters::ParseError
-        # swallow parse error exception
       end
   end
 end

data/lib/action_controller/test_case.rb

@@ -24,6 +24,9 @@ module ActionController
     def new_controller_thread # :nodoc:
       yield
     end
+
+    # Avoid a deadlock from the queue filling up
+    Buffer.queue_size = nil
   end
 
   # ActionController::TestCase will be deprecated and moved to a gem in the future.

data/lib/action_dispatch/http/cache.rb

@@ -195,31 +195,30 @@ module ActionDispatch
 
           control.merge! cache_control
 
+          options = []
+
           if control[:no_store]
-            self._cache_control = NO_STORE
+            options << PRIVATE if control[:private]
+            options << NO_STORE
           elsif control[:no_cache]
-            options = []
             options << PUBLIC if control[:public]
             options << NO_CACHE
             options.concat(control[:extras]) if control[:extras]
-
-            self._cache_control = options.join(", ")
           else
             extras = control[:extras]
             max_age = control[:max_age]
             stale_while_revalidate = control[:stale_while_revalidate]
             stale_if_error = control[:stale_if_error]
 
-            options = []
             options << "max-age=#{max_age.to_i}" if max_age
             options << (control[:public] ? PUBLIC : PRIVATE)
             options << MUST_REVALIDATE if control[:must_revalidate]
             options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
             options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
             options.concat(extras) if extras
-
-            self._cache_control = options.join(", ")
           end
+
+          self._cache_control = options.join(", ")
         end
       end
     end

data/lib/action_dispatch/journey/formatter.rb

@@ -103,7 +103,7 @@ module ActionDispatch
           parameterized_parts = recall.merge(options)
 
           keys_to_keep = route.parts.reverse_each.drop_while { |part|
-            !(options.key?(part) || route.scope_options.key?(part)) || (options[part] || recall[part]).nil?
+            !(options.key?(part) || route.scope_options.key?(part)) || (options[part].nil? && recall[part].nil?)
           } | route.required_parts
 
           parameterized_parts.delete_if do |bad_key, _|
@@ -118,7 +118,7 @@ module ActionDispatch
             end
           end
 
-          parameterized_parts.keep_if { |_, v| v }
+          parameterized_parts.compact!
           parameterized_parts
         end
 

data/lib/action_dispatch/journey/visitors.rb

@@ -40,7 +40,7 @@ module ActionDispatch
         @parameters.each do |index|
           param = parts[index]
           value = hash[param.name]
-          return "" unless value
+          return "" if value.nil?
           parts[index] = param.escape value
         end
 

data/lib/action_dispatch/middleware/executor.rb

@@ -9,7 +9,7 @@ module ActionDispatch
     end
 
     def call(env)
-      state = @executor.run!
+      state = @executor.run!(reset: true)
       begin
         response = @app.call(env)
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -15,6 +15,17 @@ module ActionDispatch
   # application will be executed and rendered. If no +response_app+ is given, a
   # default one will run, which responds with <tt>403 Forbidden</tt>.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    PORT_REGEX = /(?::\d+)/ # :nodoc:
+    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
+    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
+    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
+    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
+      /\A#{IPV4_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
+    )
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
@@ -26,11 +37,17 @@ module ActionDispatch
 
       def allows?(host)
         @hosts.any? do |allowed|
-          allowed === host
-        rescue
-          # IPAddr#=== raises an error if you give it a hostname instead of
-          # IP. Treat similar errors as blocked access.
-          false
+          if allowed.is_a?(IPAddr)
+            begin
+              allowed === extract_hostname(host)
+            rescue
+              # IPAddr#=== raises an error if you give it a hostname instead of
+              # IP. Treat similar errors as blocked access.
+              false
+            end
+          else
+            allowed === host
+          end
         end
       end
 
@@ -46,16 +63,20 @@ module ActionDispatch
         end
 
         def sanitize_regexp(host)
-          /\A#{host}\z/
+          /\A#{host}#{PORT_REGEX}?\z/
         end
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
+            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
-            /\A#{Regexp.escape host}\z/i
+            /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
         end
+
+        def extract_hostname(host)
+          host.slice(VALID_IP_HOSTNAME, "host") || host
+        end
     end
 
     DEFAULT_RESPONSE_APP = -> env do
@@ -103,20 +124,10 @@ module ActionDispatch
 
     private
       def authorized?(request)
-        valid_host = /
-          \A
-          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
-          (:\d+)?
-          \z
-        /x
-
-        origin_host = valid_host.match(
-          request.get_header("HTTP_HOST").to_s.downcase)
-        forwarded_host = valid_host.match(
-          request.x_forwarded_host.to_s.split(/,\s?/).last)
-
-        origin_host && @permissions.allows?(origin_host[:host]) && (
-          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
+        origin_host = request.get_header("HTTP_HOST")
+        forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
+
+        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
       end
 
       def excluded?(request)

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb

@@ -6,6 +6,7 @@
 <%= @exception.message %>
 <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
 To resolve this issue run: bin/rails active_storage:install
+<% end %>
 <% if defined?(ActionMailbox) && @exception.message.match?(%r{#{ActionMailbox::InboundEmail.table_name}}) %>
 To resolve this issue run: bin/rails action_mailbox:install
 <% end %>

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 3
-    PRE   = "2"
+    TINY  = 4
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.3.2
+  version: 6.1.4.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-05 00:00:00.000000000 Z
+date: 2022-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.3.2
+        version: 6.1.4.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.3.2
+        version: 6.1.4.7
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.3.2
+        version: 6.1.4.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.3.2
+        version: 6.1.4.7
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.3.2
+        version: 6.1.4.7
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.3.2
+        version: 6.1.4.7
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,10 +309,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.3.2/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.4.7/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.4.7/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.3.2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.4.7/actionpack
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -329,7 +329,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).