actionpack 6.1.4.2 → 6.1.7.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5825f14a026c24d4ddea1860c90e32db978e31f6bec3fe2e986abb3fce8e946a
-  data.tar.gz: 2e02124fc9c555eac945ba0abd0db217281fdb5581adae592d656b43c65c7c48
+  metadata.gz: 205004120a6da1bd9f41fd3214ae124b861c46d02efa302ad5cd6e76ae8a7f54
+  data.tar.gz: fd92a15b1a7beed26910076fcec04a9e28143e96e6016b7f4cfd18654c85aa12
 SHA512:
-  metadata.gz: d0af835716768a29451414527cf754158c113216f76c22de30c30afeedf2efbfe3b2621af1a1ac9b2ddeff94c81682a85ad67e78538beb4ca576be5178791d01
-  data.tar.gz: f8e6917a5fd4dd3962ef44b538c321029094de33333942ba0b5dbca517ce637b31b27cee76c1281af69fd32c4449383834314e9e56e0021d43d51c2cf67524aa
+  metadata.gz: 10e83333b2ee3da5b0210b6cd45e5e4520177e333e61b3e465301ad4e327baaa859b4462415b898ee76f42d5adc4815788d23d7c8d3b2aa5e104c7c74680cc97
+  data.tar.gz: 69dfca4a29df0b5b666cd7f918e672901a668f2a662f83aa38d60d3c11ce44cae4329e22c353958f4ab1bf511a0fdf03631fb20300d4717a5a66945519d2021a

data/CHANGELOG.md

@@ -1,3 +1,154 @@
+## Rails 6.1.7.7 (February 21, 2024) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.6 (August 22, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.5 (August 22, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.4 (June 26, 2023) ##
+
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
+
+    *Zack Deveau*
+
+## Rails 6.1.7.3 (March 13, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.2 (January 24, 2023) ##
+
+*   Fix `domain: :all` for two letter TLD
+
+    This fixes a compatibility issue introduced in our previous security
+    release when using `domain: :all` with a two letter but single level top
+    level domain domain (like `.ca`, rather than `.co.uk`).
+
+
+## Rails 6.1.7.1 (January 17, 2023) ##
+
+*   Avoid regex backtracking on If-None-Match header
+
+    [CVE-2023-22795]
+
+*   Use string#split instead of regex for domain parts
+
+    [CVE-2023-22792]
+
+
+## Rails 6.1.7 (September 09, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.6 (May 09, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   Allow Content Security Policy DSL to generate for API responses.
+
+    *Tim Wade*
+
+## Rails 6.1.5 (March 09, 2022) ##
+
+*   Fix `content_security_policy` returning invalid directives.
+
+    Directives such as `self`, `unsafe-eval` and few others were not
+    single quoted when the directive was the result of calling a lambda
+    returning an array.
+
+    ```ruby
+    content_security_policy do |policy|
+      policy.frame_ancestors lambda { [:self, "https://example.com"] }
+    end
+    ```
+
+    With this fix the policy generated from above will now be valid.
+
+    *Edouard Chin*
+
+*   Update `HostAuthorization` middleware to render debug info only
+    when `config.consider_all_requests_local` is set to true.
+
+    Also, blocked host info is always logged with level `error`.
+
+    Fixes #42813.
+
+    *Nikita Vyrko*
+
+*   Dup arrays that get "converted".
+
+    Fixes #43681.
+
+    *Aaron Patterson*
+
+*   Don't show deprecation warning for equal paths.
+
+    *Anton Rieder*
+
+*   Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
+
+    Fixes #43094.
+
+    *Alex Ghiculescu*
+
+*   Add fallback host for SystemTestCase driven by RackTest.
+
+    Fixes #42780.
+
+    *Petrik de Heus*
+
+*   Add more detail about what hosts are allowed.
+
+    *Alex Ghiculescu*
+
+
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.4.6 (February 11, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.4.5 (February 11, 2022) ##
+
+*   Under certain circumstances, the middleware isn't informed that the
+    response body has been fully closed which result in request state not
+    being fully reset before the next request
+
+    [CVE-2022-23633]
+
+
+## Rails 6.1.4.4 (December 15, 2021) ##
+
+*   Fix issue with host protection not allowing host with port in development.
+
+
+## Rails 6.1.4.3 (December 14, 2021) ##
+
+*    Fix issue with host protection not allowing localhost in development.
+
+
 ## Rails 6.1.4.2 (December 14, 2021) ##
 
 *   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2020 David Heinemeier Hansson
+Copyright (c) 2004-2022 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
@@ -18,4 +18,3 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-

data/lib/abstract_controller/collector.rb

@@ -10,6 +10,7 @@ module AbstractController
         def #{sym}(*args, &block)
           custom(Mime[:#{sym}], *args, &block)
         end
+        ruby2_keywords(:#{sym}) if respond_to?(:ruby2_keywords, true)
       RUBY
     end
 
@@ -22,7 +23,7 @@ module AbstractController
     end
 
   private
-    def method_missing(symbol, &block)
+    def method_missing(symbol, *args, &block)
       unless mime_constant = Mime[symbol]
         raise NoMethodError, "To respond to a custom format, register it as a MIME type first: " \
           "https://guides.rubyonrails.org/action_controller_overview.html#restful-downloads. " \
@@ -33,10 +34,11 @@ module AbstractController
 
       if Mime::SET.include?(mime_constant)
         AbstractController::Collector.generate_method_for_mime(mime_constant)
-        send(symbol, &block)
+        public_send(symbol, *args, &block)
       else
         super
       end
     end
+    ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
   end
 end

data/lib/action_controller/metal/http_authentication.rb

@@ -2,6 +2,7 @@
 
 require "base64"
 require "active_support/security_utils"
+require "active_support/core_ext/array/access"
 
 module ActionController
   # Makes it dead easy to do HTTP Basic, Digest and Token authentication.

data/lib/action_controller/metal/redirecting.rb

@@ -7,6 +7,10 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
+    class UnsafeRedirectError < StandardError; end
+
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
@@ -60,7 +64,11 @@ module ActionController
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _compute_redirect_to_location(request, options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = redirect_to_location
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
@@ -129,5 +137,16 @@ module ActionController
       rescue ArgumentError, URI::Error
         false
       end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters
+        # defined for an HTTP header value in
+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
   end
 end

data/lib/action_controller/metal/rendering.rb

@@ -78,8 +78,8 @@ module ActionController
       end
 
       def _set_vary_header
-        if self.headers["Vary"].blank? && request.should_apply_vary_header?
-          self.headers["Vary"] = "Accept"
+        if response.headers["Vary"].blank? && request.should_apply_vary_header?
+          response.headers["Vary"] = "Accept"
         end
       end
 

data/lib/action_controller/metal/strong_parameters.rb

@@ -940,7 +940,7 @@ module ActionController
         when Array
           return value if converted_arrays.member?(value)
           converted = value.map { |_| convert_value_to_parameters(_) }
-          converted_arrays << converted
+          converted_arrays << converted.dup
           converted
         when Hash
           self.class.new(value)

data/lib/action_dispatch/http/cache.rb

@@ -18,7 +18,7 @@ module ActionDispatch
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)

data/lib/action_dispatch/http/content_security_policy.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/object/deep_dup"
+require "active_support/core_ext/array/wrap"
 
 module ActionDispatch #:nodoc:
   class ContentSecurityPolicy
@@ -17,7 +18,6 @@ module ActionDispatch #:nodoc:
         request = ActionDispatch::Request.new env
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
@@ -31,12 +31,6 @@ module ActionDispatch #:nodoc:
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            /html/.match?(content_type)
-          end
-        end
-
         def header_name(request)
           if request.content_security_policy_report_only
             POLICY_REPORT_ONLY
@@ -272,7 +266,7 @@ module ActionDispatch #:nodoc:
             raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
           else
             resolved = context.instance_exec(&source)
-            resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved
+            apply_mappings(Array.wrap(resolved))
           end
         else
           raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"

data/lib/action_dispatch/http/response.rb

@@ -88,13 +88,13 @@ module ActionDispatch # :nodoc:
 
     def self.return_only_media_type_on_content_type=(*)
       ActiveSupport::Deprecation.warn(
-        ".return_only_media_type_on_content_type= is dreprecated with no replacement and will be removed in 6.2."
+        ".return_only_media_type_on_content_type= is dreprecated with no replacement and will be removed in 7.0."
       )
     end
 
     def self.return_only_media_type_on_content_type
       ActiveSupport::Deprecation.warn(
-        ".return_only_media_type_on_content_type is dreprecated with no replacement and will be removed in 6.2."
+        ".return_only_media_type_on_content_type is dreprecated with no replacement and will be removed in 7.0."
       )
     end
 

data/lib/action_dispatch/middleware/cookies.rb

@@ -283,20 +283,6 @@ module ActionDispatch
     class CookieJar #:nodoc:
       include Enumerable, ChainedCookieJars
 
-      # This regular expression is used to split the levels of a domain.
-      # The top level domain can be any string without a period or
-      # **.**, ***.** style TLDs like co.uk or com.au
-      #
-      # www.example.co.uk gives:
-      # $& => example.co.uk
-      #
-      # example.com gives:
-      # $& => example.com
-      #
-      # lots.of.subdomains.example.local gives:
-      # $& => example.local
-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
-
       def self.build(req, cookies)
         jar = new(req)
         jar.update(cookies)
@@ -449,13 +435,35 @@ module ActionDispatch
           options[:same_site] ||= cookies_same_site_protection.call(request)
 
           if options[:domain] == :all || options[:domain] == "all"
-            # If there is a provided tld length then we use it otherwise default domain regexp.
-            domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
+            cookie_domain = ""
+            dot_splitted_host = request.host.split('.', -1)
+
+            # Case where request.host is not an IP address or it's an invalid domain
+            # (ip confirms to the domain structure we expect so we explicitly check for ip)
+            if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
+              options[:domain] = nil
+              return
+            end
+
+            # If there is a provided tld length then we use it otherwise default domain.
+            if options[:tld_length].present? 
+              # Case where the tld_length provided is valid
+              if dot_splitted_host.length >= options[:tld_length]
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+              end
+            # Case where tld_length is not provided
+            else
+              # Regular TLDs
+              if !(/\.[^.]{2,3}\.[^.]{2}\z/.match?(request.host))
+                cookie_domain = dot_splitted_host.last(2).join(".")
+              # **.**, ***.** style TLDs like co.uk and com.au
+              else
+                cookie_domain = dot_splitted_host.last(3).join('.')
+              end
+            end
 
-            # If host is not ip and matches domain regexp.
-            # (ip confirms to domain regexp so we explicitly check for ip)
-            options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
-              ".#{$&}"
+            options[:domain] = if cookie_domain.present?
+              ".#{cookie_domain}"
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.

data/lib/action_dispatch/middleware/executor.rb

@@ -9,7 +9,7 @@ module ActionDispatch
     end
 
     def call(env)
-      state = @executor.run!
+      state = @executor.run!(reset: true)
       begin
         response = @app.call(env)
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -13,8 +13,22 @@ module ActionDispatch
   #
   # When a request comes to an unauthorized host, the +response_app+
   # application will be executed and rendered. If no +response_app+ is given, a
-  # default one will run, which responds with <tt>403 Forbidden</tt>.
+  # default one will run.
+  # The default response app logs blocked host info with level 'error' and
+  # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
+  # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    PORT_REGEX = /(?::\d+)/ # :nodoc:
+    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
+    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
+    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
+    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
+      /\A#{IPV4_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
+    )
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
@@ -26,11 +40,17 @@ module ActionDispatch
 
       def allows?(host)
         @hosts.any? do |allowed|
-          allowed === host
-        rescue
-          # IPAddr#=== raises an error if you give it a hostname instead of
-          # IP. Treat similar errors as blocked access.
-          false
+          if allowed.is_a?(IPAddr)
+            begin
+              allowed === extract_hostname(host)
+            rescue
+              # IPAddr#=== raises an error if you give it a hostname instead of
+              # IP. Treat similar errors as blocked access.
+              false
+            end
+          else
+            allowed === host
+          end
         end
       end
 
@@ -46,29 +66,59 @@ module ActionDispatch
         end
 
         def sanitize_regexp(host)
-          /\A#{host}\z/
+          /\A#{host}#{PORT_REGEX}?\z/
         end
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}\z/i
+            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
-            /\A#{Regexp.escape host}\z/i
+            /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
         end
+
+        def extract_hostname(host)
+          host.slice(VALID_IP_HOSTNAME, "host") || host
+        end
     end
 
-    DEFAULT_RESPONSE_APP = -> env do
-      request = Request.new(env)
+    class DefaultResponseApp # :nodoc:
+      RESPONSE_STATUS = 403
+
+      def call(env)
+        request = Request.new(env)
+        format = request.xhr? ? "text/plain" : "text/html"
+
+        log_error(request)
+        response(format, response_body(request))
+      end
 
-      format = request.xhr? ? "text/plain" : "text/html"
-      template = DebugView.new(host: request.host)
-      body = template.render(template: "rescues/blocked_host", layout: "rescues/layout")
+      private
+        def response_body(request)
+          return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
+
+          template = DebugView.new(host: request.host)
+          template.render(template: "rescues/blocked_host", layout: "rescues/layout")
+        end
+
+        def response(format, body)
+          [RESPONSE_STATUS,
+           { "Content-Type" => "#{format}; charset=#{Response.default_charset}",
+             "Content-Length" => body.bytesize.to_s },
+           [body]]
+        end
 
-      [403, {
-        "Content-Type" => "#{format}; charset=#{Response.default_charset}",
-        "Content-Length" => body.bytesize.to_s,
-      }, [body]]
+        def log_error(request)
+          logger = available_logger(request)
+
+          return unless logger
+
+          logger.error("[#{self.class.name}] Blocked host: #{request.host}")
+        end
+
+        def available_logger(request)
+          request.logger || ActionView::Base.logger
+        end
     end
 
     def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil)
@@ -78,14 +128,14 @@ module ActionDispatch
 
       unless deprecated_response_app.nil?
         ActiveSupport::Deprecation.warn(<<-MSG.squish)
-          `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 6.2.
+          `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 7.0.
           Use the Host Authorization `response_app` setting instead.
         MSG
 
         response_app ||= deprecated_response_app
       end
 
-      @response_app = response_app || DEFAULT_RESPONSE_APP
+      @response_app = response_app || DefaultResponseApp.new
     end
 
     def call(env)

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -47,6 +47,7 @@ module ActionDispatch
         request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
         request.set_header "action_dispatch.original_request_method", request.raw_request_method
+        fallback_to_html_format_if_invalid_mime_type(request)
         request.path_info = "/#{status}"
         request.request_method = "GET"
         response = @exceptions_app.call(request.env)
@@ -56,6 +57,15 @@ module ActionDispatch
         FAILSAFE_RESPONSE
       end
 
+      def fallback_to_html_format_if_invalid_mime_type(request)
+        # If the MIME type for the request is invalid then the
+        # @exceptions_app may not be able to handle it. To make it
+        # easier to handle, we switch to HTML.
+        request.formats
+      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+        request.set_header "HTTP_ACCEPT", "text/html"
+      end
+
       def pass_response(status)
         [status, { "Content-Type" => "text/html; charset=#{Response.default_charset}", "Content-Length" => "0" }, []]
       end

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -2,6 +2,6 @@
   <h1>Blocked host: <%= @host %></h1>
 </header>
 <div id="container">
-  <h2>To allow requests to <%= @host %>, add the following to your environment configuration:</h2>
+  <h2>To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
   <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -1,5 +1,5 @@
 Blocked host: <%= @host %>
 
-To allow requests to <%= @host %>, add the following to your environment configuration:
+To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
 
   config.hosts << "<%= @host %>"

data/lib/action_dispatch/routing/route_set.rb

@@ -597,14 +597,14 @@ module ActionDispatch
         if route.segment_keys.include?(:controller)
           ActiveSupport::Deprecation.warn(<<-MSG.squish)
             Using a dynamic :controller segment in a route is deprecated and
-            will be removed in Rails 6.2.
+            will be removed in Rails 7.0.
           MSG
         end
 
         if route.segment_keys.include?(:action)
           ActiveSupport::Deprecation.warn(<<-MSG.squish)
             Using a dynamic :action segment in a route is deprecated and
-            will be removed in Rails 6.2.
+            will be removed in Rails 7.0.
           MSG
         end
 

data/lib/action_dispatch/system_test_case.rb

@@ -115,6 +115,8 @@ module ActionDispatch
     include SystemTesting::TestHelpers::SetupAndTeardown
     include SystemTesting::TestHelpers::ScreenshotHelper
 
+    DEFAULT_HOST = "http://127.0.0.1"
+
     def initialize(*) # :nodoc:
       super
       self.class.driven_by(:selenium) unless self.class.driver?
@@ -166,7 +168,11 @@ module ActionDispatch
               include ActionDispatch.test_app.routes.mounted_helpers
 
               def url_options
-                default_url_options.reverse_merge(host: Capybara.app_host || Capybara.current_session.server_url)
+                default_url_options.reverse_merge(host: app_host)
+              end
+
+              def app_host
+                Capybara.app_host || Capybara.current_session.server_url || DEFAULT_HOST
               end
             end.new
           end

data/lib/action_dispatch/testing/test_process.rb

@@ -25,18 +25,21 @@ module ActionDispatch
           if !self.class.file_fixture_path
             ActiveSupport::Deprecation.warn(<<~EOM)
               Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
-              In Rails 6.2, the path needs to be relative to `file_fixture_path` which you
+              In Rails 7.0, the path needs to be relative to `file_fixture_path` which you
               haven't set yet. Set `file_fixture_path` to discard this warning.
             EOM
           elsif path.exist?
             non_deprecated_path = Pathname(File.absolute_path(path)).relative_path_from(Pathname(File.absolute_path(self.class.file_fixture_path)))
-            ActiveSupport::Deprecation.warn(<<~EOM)
-              Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
-              In Rails 6.2, the path needs to be relative to `file_fixture_path`.
 
-              Please modify the call from
-              `fixture_file_upload("#{original_path}")` to `fixture_file_upload("#{non_deprecated_path}")`.
-            EOM
+            if Pathname(original_path) != non_deprecated_path
+              ActiveSupport::Deprecation.warn(<<~EOM)
+                Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
+                In Rails 7.0, the path needs to be relative to `file_fixture_path`.
+
+                Please modify the call from
+                `fixture_file_upload("#{original_path}")` to `fixture_file_upload("#{non_deprecated_path}")`.
+              EOM
+            end
           else
             path = file_fixture(original_path)
           end

data/lib/action_dispatch.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2020 David Heinemeier Hansson
+# Copyright (c) 2004-2022 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 4
-    PRE   = "2"
+    TINY  = 7
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_pack.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2020 David Heinemeier Hansson
+# Copyright (c) 2004-2022 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.4.2
+  version: 6.1.7.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-12-14 00:00:00.000000000 Z
+date: 2024-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.2
+        version: 6.1.7.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.2
+        version: 6.1.7.7
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.2
+        version: 6.1.7.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.2
+        version: 6.1.7.7
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.2
+        version: 6.1.7.7
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.2
+        version: 6.1.7.7
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,10 +309,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.4.2/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.7/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.7.7/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.4.2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.7/actionpack
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -329,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.2.15
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).