actionpack 6.1.7.8 → 6.1.7.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 17584c20c784e0606e3937eddab9fabb4a5f55fd9d84ab642eae24bbc177c4e3
-  data.tar.gz: 8a113cee87d7d51be4a47ae65e723a73f5ba7cdfc73b98971b347f6661214ee4
+  metadata.gz: 5e2feb7a890007f4dd081cedd5db0d2b6be3b92d433ac7f97a5b9f8d3153aad8
+  data.tar.gz: 74873796961ddf36eece387da1bb9cd0b045cc3e7b8feca5c6aaede5bee92a7f
 SHA512:
-  metadata.gz: 25325ea54a87cdbe34ed8b666108fd41041009e85f442add0b3e661f71a58b2eab5bce5e804a23f35c3e7378940eaf37475d2d1f5f71496b44df10a66b9f565d
-  data.tar.gz: 39564370b55e81c747a96a6a9f212b301d5ca3ed04f8d1aad662455fecd4d5fb85a71869b0d99769d81d240cca4c3ee06846d4a17422c8c9d32eb5037fce89ae
+  metadata.gz: 886da6125cef3d5a3db559d008744b26428e578e093e2529856dbcfee86cb4e19c908327e10af2e7204aa16b44920943d2df56d8d2126e94cf09591c32a12d81
+  data.tar.gz: a13c24553e675cce1b6756428050ca6de7fb50b4f978d6b6abb771be3bb067391f1acd2a68f32ca6b88502c095ca10653f82e981020b861f88ee1b75311a3bc0

data/CHANGELOG.md

@@ -1,3 +1,14 @@
+## Rails 6.1.7.9 (October 15, 2024) ##
+
+*   Avoid regex backtracking in HTTP Token authentication
+
+    [CVE-2024-47887]
+
+*   Avoid regex backtracking in query parameter filtering
+
+    [CVE-2024-41128]
+
+
 ## Rails 6.1.7.8 (June 04, 2024) ##
 
 *   Include the HTTP Permissions-Policy on non-HTML Content-Types

data/lib/action_controller/metal/http_authentication.rb

@@ -483,7 +483,8 @@ module ActionController
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+        _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

data/lib/action_dispatch/http/filter_parameters.rb

@@ -73,12 +73,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 6
     MINOR = 1
     TINY  = 7
-    PRE   = "8"
+    PRE   = "9"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.1.7.8
+  version: 6.1.7.9
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-04 00:00:00.000000000 Z
+date: 2024-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.9
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.9
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.9
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.7.8
+        version: 6.1.7.9
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -309,12 +309,12 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.8/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.7.8/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.7.9/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.7.9/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.8/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.7.9/actionpack
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -330,8 +330,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.3.27
-signing_key:
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []