actionpack 6.1.7 → 6.1.7.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +42 -0
- data/lib/action_controller/metal/redirecting.rb +20 -1
- data/lib/action_dispatch/http/cache.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +28 -20
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +11 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: cf3c37c7c59ec5fc92e7e4df974735908f6d1af7c899884651d4241354721ec1
|
4
|
+
data.tar.gz: 5a9433cb7a24a1a13c4014a0fbde11348d980a0741ca6a1825d0dcbc1a7c8fc0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 00405c0603e1224c6067f5c857814790afa1628916de3c4ea2a80bb0f7e40c4065cd15fb20da3036f73081f3fc03120c6a7fe063600dbd37ac2302bdef0297e7
|
7
|
+
data.tar.gz: cc52b9ad0ba74c16bdbe0b3a3d04f28be88b5f786d2d33fc468d9f58ced0918498fcbe28ce3418c8b786363ecd8d5141a1a6d1d6e163e5e5929d90da9e687d1f
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,45 @@
|
|
1
|
+
## Rails 6.1.7.6 (August 22, 2023) ##
|
2
|
+
|
3
|
+
* No changes.
|
4
|
+
|
5
|
+
|
6
|
+
## Rails 6.1.7.5 (August 22, 2023) ##
|
7
|
+
|
8
|
+
* No changes.
|
9
|
+
|
10
|
+
|
11
|
+
## Rails 6.1.7.4 (June 26, 2023) ##
|
12
|
+
|
13
|
+
* Raise an exception if illegal characters are provide to redirect_to
|
14
|
+
[CVE-2023-28362]
|
15
|
+
|
16
|
+
*Zack Deveau*
|
17
|
+
|
18
|
+
## Rails 6.1.7.3 (March 13, 2023) ##
|
19
|
+
|
20
|
+
* No changes.
|
21
|
+
|
22
|
+
|
23
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
24
|
+
|
25
|
+
* Fix `domain: :all` for two letter TLD
|
26
|
+
|
27
|
+
This fixes a compatibility issue introduced in our previous security
|
28
|
+
release when using `domain: :all` with a two letter but single level top
|
29
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
30
|
+
|
31
|
+
|
32
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
33
|
+
|
34
|
+
* Avoid regex backtracking on If-None-Match header
|
35
|
+
|
36
|
+
[CVE-2023-22795]
|
37
|
+
|
38
|
+
* Use string#split instead of regex for domain parts
|
39
|
+
|
40
|
+
[CVE-2023-22792]
|
41
|
+
|
42
|
+
|
1
43
|
## Rails 6.1.7 (September 09, 2022) ##
|
2
44
|
|
3
45
|
* No changes.
|
@@ -7,6 +7,10 @@ module ActionController
|
|
7
7
|
include AbstractController::Logger
|
8
8
|
include ActionController::UrlFor
|
9
9
|
|
10
|
+
ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
|
11
|
+
|
12
|
+
class UnsafeRedirectError < StandardError; end
|
13
|
+
|
10
14
|
# Redirects the browser to the target specified in +options+. This parameter can be any one of:
|
11
15
|
#
|
12
16
|
# * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
|
@@ -60,7 +64,11 @@ module ActionController
|
|
60
64
|
raise AbstractController::DoubleRenderError if response_body
|
61
65
|
|
62
66
|
self.status = _extract_redirect_to_status(options, response_options)
|
63
|
-
|
67
|
+
|
68
|
+
redirect_to_location = _compute_redirect_to_location(request, options)
|
69
|
+
_ensure_url_is_http_header_safe(redirect_to_location)
|
70
|
+
|
71
|
+
self.location = redirect_to_location
|
64
72
|
self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
|
65
73
|
end
|
66
74
|
|
@@ -129,5 +137,16 @@ module ActionController
|
|
129
137
|
rescue ArgumentError, URI::Error
|
130
138
|
false
|
131
139
|
end
|
140
|
+
|
141
|
+
def _ensure_url_is_http_header_safe(url)
|
142
|
+
# Attempt to comply with the set of valid token characters
|
143
|
+
# defined for an HTTP header value in
|
144
|
+
# https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
|
145
|
+
if url.match(ILLEGAL_HEADER_VALUE_REGEX)
|
146
|
+
msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
|
147
|
+
"Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
|
148
|
+
raise UnsafeRedirectError, msg
|
149
|
+
end
|
150
|
+
end
|
132
151
|
end
|
133
152
|
end
|
@@ -283,20 +283,6 @@ module ActionDispatch
|
|
283
283
|
class CookieJar #:nodoc:
|
284
284
|
include Enumerable, ChainedCookieJars
|
285
285
|
|
286
|
-
# This regular expression is used to split the levels of a domain.
|
287
|
-
# The top level domain can be any string without a period or
|
288
|
-
# **.**, ***.** style TLDs like co.uk or com.au
|
289
|
-
#
|
290
|
-
# www.example.co.uk gives:
|
291
|
-
# $& => example.co.uk
|
292
|
-
#
|
293
|
-
# example.com gives:
|
294
|
-
# $& => example.com
|
295
|
-
#
|
296
|
-
# lots.of.subdomains.example.local gives:
|
297
|
-
# $& => example.local
|
298
|
-
DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
|
299
|
-
|
300
286
|
def self.build(req, cookies)
|
301
287
|
jar = new(req)
|
302
288
|
jar.update(cookies)
|
@@ -449,13 +435,35 @@ module ActionDispatch
|
|
449
435
|
options[:same_site] ||= cookies_same_site_protection.call(request)
|
450
436
|
|
451
437
|
if options[:domain] == :all || options[:domain] == "all"
|
452
|
-
|
453
|
-
|
438
|
+
cookie_domain = ""
|
439
|
+
dot_splitted_host = request.host.split('.', -1)
|
440
|
+
|
441
|
+
# Case where request.host is not an IP address or it's an invalid domain
|
442
|
+
# (ip confirms to the domain structure we expect so we explicitly check for ip)
|
443
|
+
if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
|
444
|
+
options[:domain] = nil
|
445
|
+
return
|
446
|
+
end
|
447
|
+
|
448
|
+
# If there is a provided tld length then we use it otherwise default domain.
|
449
|
+
if options[:tld_length].present?
|
450
|
+
# Case where the tld_length provided is valid
|
451
|
+
if dot_splitted_host.length >= options[:tld_length]
|
452
|
+
cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
|
453
|
+
end
|
454
|
+
# Case where tld_length is not provided
|
455
|
+
else
|
456
|
+
# Regular TLDs
|
457
|
+
if !(/\.[^.]{2,3}\.[^.]{2}\z/.match?(request.host))
|
458
|
+
cookie_domain = dot_splitted_host.last(2).join(".")
|
459
|
+
# **.**, ***.** style TLDs like co.uk and com.au
|
460
|
+
else
|
461
|
+
cookie_domain = dot_splitted_host.last(3).join('.')
|
462
|
+
end
|
463
|
+
end
|
454
464
|
|
455
|
-
|
456
|
-
|
457
|
-
options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
|
458
|
-
".#{$&}"
|
465
|
+
options[:domain] = if cookie_domain.present?
|
466
|
+
".#{cookie_domain}"
|
459
467
|
end
|
460
468
|
elsif options[:domain].is_a? Array
|
461
469
|
# If host matches one of the supplied domains.
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.1.7
|
4
|
+
version: 6.1.7.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-08-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 6.1.7
|
19
|
+
version: 6.1.7.6
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 6.1.7
|
26
|
+
version: 6.1.7.6
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 6.1.7
|
101
|
+
version: 6.1.7.6
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 6.1.7
|
108
|
+
version: 6.1.7.6
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 6.1.7
|
115
|
+
version: 6.1.7.6
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 6.1.7
|
122
|
+
version: 6.1.7.6
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -309,10 +309,10 @@ licenses:
|
|
309
309
|
- MIT
|
310
310
|
metadata:
|
311
311
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
312
|
-
changelog_uri: https://github.com/rails/rails/blob/v6.1.7/actionpack/CHANGELOG.md
|
313
|
-
documentation_uri: https://api.rubyonrails.org/v6.1.7/
|
312
|
+
changelog_uri: https://github.com/rails/rails/blob/v6.1.7.6/actionpack/CHANGELOG.md
|
313
|
+
documentation_uri: https://api.rubyonrails.org/v6.1.7.6/
|
314
314
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
315
|
-
source_code_uri: https://github.com/rails/rails/tree/v6.1.7/actionpack
|
315
|
+
source_code_uri: https://github.com/rails/rails/tree/v6.1.7.6/actionpack
|
316
316
|
rubygems_mfa_required: 'true'
|
317
317
|
post_install_message:
|
318
318
|
rdoc_options: []
|