actionpack 6.1.7.8 → 6.1.7.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 17584c20c784e0606e3937eddab9fabb4a5f55fd9d84ab642eae24bbc177c4e3
-  data.tar.gz: 8a113cee87d7d51be4a47ae65e723a73f5ba7cdfc73b98971b347f6661214ee4
+  metadata.gz: 461cf7a6378132710f52c315547afbb00faac1f6fb46b118844c1f626fd3e2b9
+  data.tar.gz: 4200715c83ffc68c6d84411f9a1b2d87419790f5335efcd24bec8c768cbe539a
 SHA512:
-  metadata.gz: 25325ea54a87cdbe34ed8b666108fd41041009e85f442add0b3e661f71a58b2eab5bce5e804a23f35c3e7378940eaf37475d2d1f5f71496b44df10a66b9f565d
-  data.tar.gz: 39564370b55e81c747a96a6a9f212b301d5ca3ed04f8d1aad662455fecd4d5fb85a71869b0d99769d81d240cca4c3ee06846d4a17422c8c9d32eb5037fce89ae
+  metadata.gz: 7eb7add5c50bfaaa3f9ccd7961764931d34cd90de7ac31739cf202510eaa68304d32d4f998b0f07c3b55ca6f7c27d98ef3c620e526da8d200ec3f4f4a8694fcd
+  data.tar.gz: c97725476e0af940885c9e5d406118ecbc35e889a0274002e1770634fd774ab16d3fc68e94c276407adc1bb9a59bd95baea8c2dd514c789bb6228e90ffc073a0

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## Rails 6.1.7.10 (October 23, 2024) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.9 (October 15, 2024) ##
+
+*   Avoid regex backtracking in HTTP Token authentication
+
+    [CVE-2024-47887]
+
+*   Avoid regex backtracking in query parameter filtering
+
+    [CVE-2024-41128]
+
+
 ## Rails 6.1.7.8 (June 04, 2024) ##
 
 *   Include the HTTP Permissions-Policy on non-HTML Content-Types

data/lib/action_controller/metal/http_authentication.rb

@@ -483,7 +483,8 @@ module ActionController
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+        _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

data/lib/action_dispatch/http/filter_parameters.rb

@@ -73,12 +73,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 6
     MINOR = 1
     TINY  = 7
-    PRE   = "8"
+    PRE   = "10"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.7.8
+  version: 6.1.7.10
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-04 00:00:00.000000000 Z
+date: 2024-10-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.10
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.10
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.10
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.10
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,12 +309,12 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.8/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.7.8/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.10/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.7.10/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.8/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.10/actionpack
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -330,8 +330,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.3.27
-signing_key:
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []