actionpack 6.1.3 → 6.1.4.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1ea58dade23ab9890d5e08a7a1cb0f8cf4cae0fbd41eea9fe284d3525245aeee
4
- data.tar.gz: c84e4268d1477b99849c45bff8a08a31d3bb8d72fcc3c73c621f79a7c8bc813a
3
+ metadata.gz: 65eaf0a7cdcac42378d27ebca8973bfb4cdf41b0dd79425c2b276c83460bd39b
4
+ data.tar.gz: d76e6cfc52492a8e7a1c0fc21e59e1cd60ec3c464feb2f304dbbb037418a9739
5
5
  SHA512:
6
- metadata.gz: 494e49e2b62a10a42b90c0e36745d67aae27cd1988332070db69725ea0f30834f22e494a9c448dfceed91c3cc63bf6055bfc94de372efeb55a62f126835786ea
7
- data.tar.gz: 2d1d9bd8fe5a25cdb1ffb92e5c204f91a71d68be2dfdb0e94730b7b3fd62f931facb99c93f9e1d7c8462d317b0accc640135ca232f9547760a0a525b4ed4a9e5
6
+ metadata.gz: a6033213d92c1734124bf7e3b75c61c3f304cf507052f52f85ac96a6ae7079c3c7e526a76ddfdb3024afb0de8fe8e5f6a6fda1d68a8f4ba69c8f048b0902d782
7
+ data.tar.gz: 4de05a81d6de0efb723dbeb96cb28e403fbe8bfb96963ee64f69dbb22d67ce320393f71b5afaab5dbc65b493e238e176642cc898671019b592c9fa43b9082234
data/CHANGELOG.md CHANGED
@@ -1,3 +1,75 @@
1
+ ## Rails 6.1.4.1 (August 19, 2021) ##
2
+
3
+ * [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
4
+
5
+ Specially crafted "X-Forwarded-Host" headers in combination with certain
6
+ "allowed host" formats can cause the Host Authorization middleware in Action
7
+ Pack to redirect users to a malicious website.
8
+
9
+ ## Rails 6.1.4 (June 24, 2021) ##
10
+
11
+ * Ignore file fixtures on `db:fixtures:load`
12
+
13
+ *Kevin Sjöberg*
14
+
15
+ * Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
16
+
17
+ *Dylan Thacker-Smith*
18
+
19
+ * Correctly place optional path parameter booleans.
20
+
21
+ Previously, if you specify a url parameter that is part of the path as false it would include that part
22
+ of the path as parameter for example:
23
+
24
+ ```
25
+ get "(/optional/:optional_id)/things" => "foo#foo", as: :things
26
+ things_path(optional_id: false) # => /things?optional_id=false
27
+ ```
28
+
29
+ After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
30
+
31
+ ```
32
+ get '(this/:my_bool)/that' as: :that
33
+
34
+ that_path(my_bool: true) # => `/this/true/that`
35
+ that_path(my_bool: false) # => `/this/false/that`
36
+ ```
37
+
38
+ *Adam Hess*
39
+
40
+ * Add support for 'private, no-store' Cache-Control headers.
41
+
42
+ Previously, 'no-store' was exclusive; no other directives could be specified.
43
+
44
+ *Alex Smith*
45
+
46
+
47
+ ## Rails 6.1.3.2 (May 05, 2021) ##
48
+
49
+ * Prevent open redirects by correctly escaping the host allow list
50
+ CVE-2021-22903
51
+
52
+ * Prevent catastrophic backtracking during mime parsing
53
+ CVE-2021-22902
54
+
55
+ * Prevent regex DoS in HTTP token authentication
56
+ CVE-2021-22904
57
+
58
+ * Prevent string polymorphic route arguments.
59
+
60
+ `url_for` supports building polymorphic URLs via an array
61
+ of arguments (usually symbols and records). If a developer passes a
62
+ user input array, strings can result in unwanted route helper calls.
63
+
64
+ CVE-2021-22885
65
+
66
+ *Gannon McGibbon*
67
+
68
+ ## Rails 6.1.3.1 (March 26, 2021) ##
69
+
70
+ * No changes.
71
+
72
+
1
73
  ## Rails 6.1.3 (February 17, 2021) ##
2
74
 
3
75
  * Re-define routes when not set correctly via inheritance.
@@ -44,7 +44,7 @@ module ActionController
44
44
  # template digest from the ETag.
45
45
  def pick_template_for_etag(options)
46
46
  unless options[:template] == false
47
- options[:template] || "#{controller_path}/#{action_name}"
47
+ options[:template] || lookup_context.find_all(action_name, _prefixes).first&.virtual_path
48
48
  end
49
49
  end
50
50
 
@@ -407,7 +407,7 @@ module ActionController
407
407
  module Token
408
408
  TOKEN_KEY = "token="
409
409
  TOKEN_REGEX = /^(Token|Bearer)\s+/
410
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
410
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
411
411
  extend self
412
412
 
413
413
  module ControllerMethods
@@ -127,6 +127,11 @@ module ActionController
127
127
  class Buffer < ActionDispatch::Response::Buffer #:nodoc:
128
128
  include MonitorMixin
129
129
 
130
+ class << self
131
+ attr_accessor :queue_size
132
+ end
133
+ @queue_size = 10
134
+
130
135
  # Ignore that the client has disconnected.
131
136
  #
132
137
  # If this value is `true`, calling `write` after the client
@@ -136,7 +141,7 @@ module ActionController
136
141
  attr_accessor :ignore_disconnect
137
142
 
138
143
  def initialize(response)
139
- super(response, SizedQueue.new(10))
144
+ super(response, build_queue(self.class.queue_size))
140
145
  @error_callback = lambda { true }
141
146
  @cv = new_cond
142
147
  @aborted = false
@@ -214,6 +219,10 @@ module ActionController
214
219
  yield str
215
220
  end
216
221
  end
222
+
223
+ def build_queue(queue_size)
224
+ queue_size ? SizedQueue.new(queue_size) : Queue.new
225
+ end
217
226
  end
218
227
 
219
228
  class Response < ActionDispatch::Response #:nodoc: all
@@ -281,7 +281,10 @@ module ActionController
281
281
  return false unless request.has_content_type?
282
282
 
283
283
  ref = request.content_mime_type.ref
284
+
284
285
  _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
286
+ rescue ActionDispatch::Http::Parameters::ParseError
287
+ false
285
288
  end
286
289
 
287
290
  def _perform_parameter_wrapping
@@ -295,8 +298,6 @@ module ActionController
295
298
 
296
299
  # This will display the wrapped hash in the log file.
297
300
  request.filtered_parameters.merge! wrapped_filtered_hash
298
- rescue ActionDispatch::Http::Parameters::ParseError
299
- # swallow parse error exception
300
301
  end
301
302
  end
302
303
  end
@@ -24,6 +24,9 @@ module ActionController
24
24
  def new_controller_thread # :nodoc:
25
25
  yield
26
26
  end
27
+
28
+ # Avoid a deadlock from the queue filling up
29
+ Buffer.queue_size = nil
27
30
  end
28
31
 
29
32
  # ActionController::TestCase will be deprecated and moved to a gem in the future.
@@ -195,31 +195,30 @@ module ActionDispatch
195
195
 
196
196
  control.merge! cache_control
197
197
 
198
+ options = []
199
+
198
200
  if control[:no_store]
199
- self._cache_control = NO_STORE
201
+ options << PRIVATE if control[:private]
202
+ options << NO_STORE
200
203
  elsif control[:no_cache]
201
- options = []
202
204
  options << PUBLIC if control[:public]
203
205
  options << NO_CACHE
204
206
  options.concat(control[:extras]) if control[:extras]
205
-
206
- self._cache_control = options.join(", ")
207
207
  else
208
208
  extras = control[:extras]
209
209
  max_age = control[:max_age]
210
210
  stale_while_revalidate = control[:stale_while_revalidate]
211
211
  stale_if_error = control[:stale_if_error]
212
212
 
213
- options = []
214
213
  options << "max-age=#{max_age.to_i}" if max_age
215
214
  options << (control[:public] ? PUBLIC : PRIVATE)
216
215
  options << MUST_REVALIDATE if control[:must_revalidate]
217
216
  options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
218
217
  options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
219
218
  options.concat(extras) if extras
220
-
221
- self._cache_control = options.join(", ")
222
219
  end
220
+
221
+ self._cache_control = options.join(", ")
223
222
  end
224
223
  end
225
224
  end
@@ -229,7 +229,7 @@ module Mime
229
229
  MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
230
230
  MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
231
231
  MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
232
- MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
232
+ MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
233
233
 
234
234
  class InvalidMimeType < StandardError; end
235
235
 
@@ -103,7 +103,7 @@ module ActionDispatch
103
103
  parameterized_parts = recall.merge(options)
104
104
 
105
105
  keys_to_keep = route.parts.reverse_each.drop_while { |part|
106
- !(options.key?(part) || route.scope_options.key?(part)) || (options[part] || recall[part]).nil?
106
+ !(options.key?(part) || route.scope_options.key?(part)) || (options[part].nil? && recall[part].nil?)
107
107
  } | route.required_parts
108
108
 
109
109
  parameterized_parts.delete_if do |bad_key, _|
@@ -118,7 +118,7 @@ module ActionDispatch
118
118
  end
119
119
  end
120
120
 
121
- parameterized_parts.keep_if { |_, v| v }
121
+ parameterized_parts.compact!
122
122
  parameterized_parts
123
123
  end
124
124
 
@@ -40,7 +40,7 @@ module ActionDispatch
40
40
  @parameters.each do |index|
41
41
  param = parts[index]
42
42
  value = hash[param.name]
43
- return "" unless value
43
+ return "" if value.nil?
44
44
  parts[index] = param.escape value
45
45
  end
46
46
 
@@ -53,7 +53,7 @@ module ActionDispatch
53
53
  if host.start_with?(".")
54
54
  /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
55
55
  else
56
- /\A#{host}\z/i
56
+ /\A#{Regexp.escape host}\z/i
57
57
  end
58
58
  end
59
59
  end
@@ -102,21 +102,15 @@ module ActionDispatch
102
102
  end
103
103
 
104
104
  private
105
+ HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
106
+ VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
107
+ VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
108
+
105
109
  def authorized?(request)
106
- valid_host = /
107
- \A
108
- (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
109
- (:\d+)?
110
- \z
111
- /x
112
-
113
- origin_host = valid_host.match(
114
- request.get_header("HTTP_HOST").to_s.downcase)
115
- forwarded_host = valid_host.match(
116
- request.x_forwarded_host.to_s.split(/,\s?/).last)
117
-
118
- origin_host && @permissions.allows?(origin_host[:host]) && (
119
- forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
110
+ origin_host = request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
111
+ forwarded_host = request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
112
+
113
+ @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
120
114
  end
121
115
 
122
116
  def excluded?(request)
@@ -6,6 +6,7 @@
6
6
  <%= @exception.message %>
7
7
  <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
8
8
  To resolve this issue run: bin/rails active_storage:install
9
+ <% end %>
9
10
  <% if defined?(ActionMailbox) && @exception.message.match?(%r{#{ActionMailbox::InboundEmail.table_name}}) %>
10
11
  To resolve this issue run: bin/rails action_mailbox:install
11
12
  <% end %>
@@ -287,10 +287,12 @@ module ActionDispatch
287
287
 
288
288
  args = []
289
289
 
290
- route = record_list.map { |parent|
290
+ route = record_list.map do |parent|
291
291
  case parent
292
- when Symbol, String
292
+ when Symbol
293
293
  parent.to_s
294
+ when String
295
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
294
296
  when Class
295
297
  args << parent
296
298
  parent.model_name.singular_route_key
@@ -298,12 +300,14 @@ module ActionDispatch
298
300
  args << parent.to_model
299
301
  parent.to_model.model_name.singular_route_key
300
302
  end
301
- }
303
+ end
302
304
 
303
305
  route <<
304
306
  case record
305
- when Symbol, String
307
+ when Symbol
306
308
  record.to_s
309
+ when String
310
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
307
311
  when Class
308
312
  @key_strategy.call record.model_name
309
313
  else
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
- TINY = 3
13
- PRE = nil
12
+ TINY = 4
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.3
4
+ version: 6.1.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-02-17 00:00:00.000000000 Z
11
+ date: 2021-08-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.1.3
19
+ version: 6.1.4.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.1.3
26
+ version: 6.1.4.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 6.1.3
101
+ version: 6.1.4.1
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 6.1.3
108
+ version: 6.1.4.1
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 6.1.3
115
+ version: 6.1.4.1
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 6.1.3
122
+ version: 6.1.4.1
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -309,10 +309,10 @@ licenses:
309
309
  - MIT
310
310
  metadata:
311
311
  bug_tracker_uri: https://github.com/rails/rails/issues
312
- changelog_uri: https://github.com/rails/rails/blob/v6.1.3/actionpack/CHANGELOG.md
313
- documentation_uri: https://api.rubyonrails.org/v6.1.3/
312
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.4.1/actionpack/CHANGELOG.md
313
+ documentation_uri: https://api.rubyonrails.org/v6.1.4.1/
314
314
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
315
- source_code_uri: https://github.com/rails/rails/tree/v6.1.3/actionpack
315
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.4.1/actionpack
316
316
  post_install_message:
317
317
  rdoc_options: []
318
318
  require_paths:
@@ -329,7 +329,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
329
329
  version: '0'
330
330
  requirements:
331
331
  - none
332
- rubygems_version: 3.2.3
332
+ rubygems_version: 3.2.15
333
333
  signing_key:
334
334
  specification_version: 4
335
335
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).