actionpack 6.1.7.3 → 6.1.7.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c10133037107ff5aaf7409e2f7c9f9fd388e8f29c14c15fc034af5925d4b7c7a
-  data.tar.gz: 877a00d73b375a160fe7c72a3f1826c159ad4927379cb613eb94e99f8740d25c
+  metadata.gz: cf3c37c7c59ec5fc92e7e4df974735908f6d1af7c899884651d4241354721ec1
+  data.tar.gz: 5a9433cb7a24a1a13c4014a0fbde11348d980a0741ca6a1825d0dcbc1a7c8fc0
 SHA512:
-  metadata.gz: 73ca8a456242af4376d413fce13d485683b8cc8900978004dcdebb9b9eb8a529f2cfe23efdcb80d15131c4173e0ac53ac8e0abe57fa7a4c066c147fe96e2e96b
-  data.tar.gz: be6bff2896d9c16a0b6e59375d8f167c1d358c09e863cb98d0a3b242c5f1d57e09549059e8c2f7ee96e0b87ec423c7e4ab547deca4247d5c39f7c97c1b7e68f7
+  metadata.gz: 00405c0603e1224c6067f5c857814790afa1628916de3c4ea2a80bb0f7e40c4065cd15fb20da3036f73081f3fc03120c6a7fe063600dbd37ac2302bdef0297e7
+  data.tar.gz: cc52b9ad0ba74c16bdbe0b3a3d04f28be88b5f786d2d33fc468d9f58ced0918498fcbe28ce3418c8b786363ecd8d5141a1a6d1d6e163e5e5929d90da9e687d1f

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+## Rails 6.1.7.6 (August 22, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.5 (August 22, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.4 (June 26, 2023) ##
+
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
+
+    *Zack Deveau*
+
 ## Rails 6.1.7.3 (March 13, 2023) ##
 
 *   No changes.

data/lib/action_controller/metal/redirecting.rb

@@ -7,6 +7,10 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
+    class UnsafeRedirectError < StandardError; end
+
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
@@ -60,7 +64,11 @@ module ActionController
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _compute_redirect_to_location(request, options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = redirect_to_location
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
@@ -129,5 +137,16 @@ module ActionController
       rescue ArgumentError, URI::Error
         false
       end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters
+        # defined for an HTTP header value in
+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
   end
 end

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 6
     MINOR = 1
     TINY  = 7
-    PRE   = "3"
+    PRE   = "6"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.7.3
+  version: 6.1.7.6
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-13 00:00:00.000000000 Z
+date: 2023-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.3
+        version: 6.1.7.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.3
+        version: 6.1.7.6
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.3
+        version: 6.1.7.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.3
+        version: 6.1.7.6
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.3
+        version: 6.1.7.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.3
+        version: 6.1.7.6
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,10 +309,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.3/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.7.3/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.6/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.7.6/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.3/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.6/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.4.3
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).