actionpack 6.1.7.2 → 6.1.7.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4107f5fba7b90edb4afcece0aa0385b389fb23da225efc2aba13a86ead23341c
-  data.tar.gz: 323e775ec5de154afdf6de51a389e638b71915f48fcf7a1208b69d8516e62afc
+  metadata.gz: 15196c583d3a47bf726bedeacc9a0c2cf693d8df54794fb4581ecb8903604da7
+  data.tar.gz: 838d1d5b66f972ddffa01b9273e422cb37fafe100a59f20ecce4440215cc9e6d
 SHA512:
-  metadata.gz: 340f3105ef24c07076a07e88b87fff47eea21e0ab069cfbb5cf7b901a66300a2a5268a107adbf967a7b16b7ef355bb020d104474a3ae11c30b296537c6eb4c96
-  data.tar.gz: feb2ea4345ccc52cc46da724bd10d0390fb3ca87588212f15911bd0f28678600dcb4cd7d9bd4910d604e3457fe0f85add3dc83ef0e13d1326a0da4aa6c0616ef
+  metadata.gz: 147a3a27d71c2476a0d31bb0051502ea9b5801d6d79ef5c797124952b8df638dc2f06596a3cb109c68e02b09964758fc597b0e951d6713dd5fb2cbbd77064e33
+  data.tar.gz: ecbcf82438cbd283d705e95488483f441882f93d4f07a97496434a08bb69bd37e813691741eb1c3a27035da0fe3dc4168312c87c53b2f30fd7c712f6954c7fd6

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## Rails 6.1.7.4 (June 26, 2023) ##
+
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
+
+    *Zack Deveau*
+
+## Rails 6.1.7.3 (March 13, 2023) ##
+
+*   No changes.
+
+
 ## Rails 6.1.7.2 (January 24, 2023) ##
 
 *   Fix `domain: :all` for two letter TLD

data/lib/action_controller/metal/redirecting.rb

@@ -7,6 +7,10 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
+    class UnsafeRedirectError < StandardError; end
+
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
@@ -60,7 +64,11 @@ module ActionController
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _compute_redirect_to_location(request, options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = redirect_to_location
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
@@ -129,5 +137,16 @@ module ActionController
       rescue ArgumentError, URI::Error
         false
       end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters
+        # defined for an HTTP header value in
+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
   end
 end

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 6
     MINOR = 1
     TINY  = 7
-    PRE   = "2"
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.7.2
+  version: 6.1.7.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-25 00:00:00.000000000 Z
+date: 2023-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.2
+        version: 6.1.7.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.2
+        version: 6.1.7.4
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.2
+        version: 6.1.7.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.2
+        version: 6.1.7.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.2
+        version: 6.1.7.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.2
+        version: 6.1.7.4
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,10 +309,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.7.2/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.4/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.7.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.4/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.4.3
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).