actionpack 7.0.0.rc1 → 7.0.0.rc2
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +3 -7
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +15 -15
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: 372781a07c265daab499383ce1e623018448f5bec28cc20962e1a17f77fb07e8
         | 
| 4 | 
            +
              data.tar.gz: a3354d53f62901144799dfae0f3bb4e641801205a1a9b5221614699fb77f6bc8
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 51f7f747ecbf598093154bea8274b8b5df37274d2d125b5c32f1e7a4d656e246477dbe6322d8b16c14af55c858482ae928c0c5c811f36ea3ed76067cc4802c99
         | 
| 7 | 
            +
              data.tar.gz: 4ab94ed159cc5d6742fde69bdeda56f922f93a168cc83a09100fc11bbf073f7ad98f2f3e5814c9d465cb72fd75aa7e71a69a3055e0ab58ce15c6ab185f68111b
         | 
    
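--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 7.0.0.rc2 (December 14, 2021) ##
+
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+
 *   `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
 
     This helps to better simulate request or job local state being reset between requests and prevent state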
| @@ -52,7 +52,7 @@ module ActionDispatch | |
| 52 52 |  | 
| 53 53 | 
             
                    def sanitize_string(host)
         | 
| 54 54 | 
             
                      if host.start_with?(".")
         | 
| 55 | 
            -
                        /\A( | 
| 55 | 
            +
                        /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}\z/i
         | 
| 56 56 | 
             
                      else
         | 
| 57 57 | 
             
                        /\A#{Regexp.escape host}\z/i
         | 
| 58 58 | 
             
                      end
         | 
| @@ -120,13 +120,9 @@ module ActionDispatch | |
| 120 120 | 
             
                end
         | 
| 121 121 |  | 
| 122 122 | 
             
                private
         | 
| 123 | 
            -
                  HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
         | 
| 124 | 
            -
                  VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
         | 
| 125 | 
            -
                  VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
         | 
| 126 | 
            -
             | 
| 127 123 | 
             
                  def authorized?(request)
         | 
| 128 | 
            -
                    origin_host = request.get_header("HTTP_HOST") | 
| 129 | 
            -
                    forwarded_host = request.x_forwarded_host&. | 
| 124 | 
            +
                    origin_host = request.get_header("HTTP_HOST")
         | 
| 125 | 
            +
                    forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
         | 
| 130 126 |  | 
| 131 127 | 
             
                    @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
         | 
| 132 128 | 
             
                  end
         | 
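Review bot: The anchored patterns built in `sanitize_string` have no port component, yet `authorized?` now hands the raw `HTTP_HOST` value and the last `X-Forwarded-Host` entry to `@permissions.allows?`, and the removed `VALID_ORIGIN_HOST`/`VALID_FORWARDED_HOST` constants were the only visible place that tolerated an optional `(?::\d+)?` suffix. Unless `allows?` (outside these hunks) strips the port itself, a request carrying `Host: example.com:3000` (constructed example) would be rejected for an allowed `example.com`; that fails closed, but it is an availability regression that tends to push operators toward loosening or disabling the allow-list. Consider accepting the port in the patterns, e.g. `/\A#{Regexp.escape host}(?::\d+)?\z/i` and `/\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}(?::\d+)?\z/i`, and add regression tests for hosts with ports and for multi-valued `X-Forwarded-Host`. A comment on the `split(/,\s?/)&.last` line such as `# Validate the same element the request later uses as its host; keep this parsing in sync with host resolution` would document why only the last entry is checked (inferred; confirm against how the request derives its host). `sanitize_string` and the enclosing class continue outside the hunks.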
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: actionpack
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 7.0.0. | 
| 4 | 
            +
              version: 7.0.0.rc2
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - David Heinemeier Hansson
         | 
| 8 | 
            -
            autorequire: | 
| 8 | 
            +
            autorequire:
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date: 2021-12- | 
| 11 | 
            +
            date: 2021-12-14 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: activesupport
         | 
| @@ -16,14 +16,14 @@ dependencies: | |
| 16 16 | 
             
                requirements:
         | 
| 17 17 | 
             
                - - '='
         | 
| 18 18 | 
             
                  - !ruby/object:Gem::Version
         | 
| 19 | 
            -
                    version: 7.0.0. | 
| 19 | 
            +
                    version: 7.0.0.rc2
         | 
| 20 20 | 
             
              type: :runtime
         | 
| 21 21 | 
             
              prerelease: false
         | 
| 22 22 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 23 23 | 
             
                requirements:
         | 
| 24 24 | 
             
                - - '='
         | 
| 25 25 | 
             
                  - !ruby/object:Gem::Version
         | 
| 26 | 
            -
                    version: 7.0.0. | 
| 26 | 
            +
                    version: 7.0.0.rc2
         | 
| 27 27 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 28 28 | 
             
              name: rack
         | 
| 29 29 | 
             
              requirement: !ruby/object:Gem::Requirement
         | 
| @@ -98,28 +98,28 @@ dependencies: | |
| 98 98 | 
             
                requirements:
         | 
| 99 99 | 
             
                - - '='
         | 
| 100 100 | 
             
                  - !ruby/object:Gem::Version
         | 
| 101 | 
            -
                    version: 7.0.0. | 
| 101 | 
            +
                    version: 7.0.0.rc2
         | 
| 102 102 | 
             
              type: :runtime
         | 
| 103 103 | 
             
              prerelease: false
         | 
| 104 104 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 105 105 | 
             
                requirements:
         | 
| 106 106 | 
             
                - - '='
         | 
| 107 107 | 
             
                  - !ruby/object:Gem::Version
         | 
| 108 | 
            -
                    version: 7.0.0. | 
| 108 | 
            +
                    version: 7.0.0.rc2
         | 
| 109 109 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 110 110 | 
             
              name: activemodel
         | 
| 111 111 | 
             
              requirement: !ruby/object:Gem::Requirement
         | 
| 112 112 | 
             
                requirements:
         | 
| 113 113 | 
             
                - - '='
         | 
| 114 114 | 
             
                  - !ruby/object:Gem::Version
         | 
| 115 | 
            -
                    version: 7.0.0. | 
| 115 | 
            +
                    version: 7.0.0.rc2
         | 
| 116 116 | 
             
              type: :development
         | 
| 117 117 | 
             
              prerelease: false
         | 
| 118 118 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 119 119 | 
             
                requirements:
         | 
| 120 120 | 
             
                - - '='
         | 
| 121 121 | 
             
                  - !ruby/object:Gem::Version
         | 
| 122 | 
            -
                    version: 7.0.0. | 
| 122 | 
            +
                    version: 7.0.0.rc2
         | 
| 123 123 | 
             
            description: Web apps on Rails. Simple, battle-tested conventions for building and
         | 
| 124 124 | 
             
              testing MVC web applications. Works with any Rack-compatible server.
         | 
| 125 125 | 
             
            email: david@loudthinking.com
         | 
| @@ -310,12 +310,12 @@ licenses: | |
| 310 310 | 
             
            - MIT
         | 
| 311 311 | 
             
            metadata:
         | 
| 312 312 | 
             
              bug_tracker_uri: https://github.com/rails/rails/issues
         | 
| 313 | 
            -
              changelog_uri: https://github.com/rails/rails/blob/v7.0.0. | 
| 314 | 
            -
              documentation_uri: https://api.rubyonrails.org/v7.0.0. | 
| 313 | 
            +
              changelog_uri: https://github.com/rails/rails/blob/v7.0.0.rc2/actionpack/CHANGELOG.md
         | 
| 314 | 
            +
              documentation_uri: https://api.rubyonrails.org/v7.0.0.rc2/
         | 
| 315 315 | 
             
              mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
         | 
| 316 | 
            -
              source_code_uri: https://github.com/rails/rails/tree/v7.0.0. | 
| 316 | 
            +
              source_code_uri: https://github.com/rails/rails/tree/v7.0.0.rc2/actionpack
         | 
| 317 317 | 
             
              rubygems_mfa_required: 'true'
         | 
| 318 | 
            -
            post_install_message: | 
| 318 | 
            +
            post_install_message:
         | 
| 319 319 | 
             
            rdoc_options: []
         | 
| 320 320 | 
             
            require_paths:
         | 
| 321 321 | 
             
            - lib
         | 
| @@ -331,8 +331,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement | |
| 331 331 | 
             
                  version: 1.3.1
         | 
| 332 332 | 
             
            requirements:
         | 
| 333 333 | 
             
            - none
         | 
| 334 | 
            -
            rubygems_version: 3.2. | 
| 335 | 
            -
            signing_key: | 
| 334 | 
            +
            rubygems_version: 3.2.15
         | 
| 335 | 
            +
            signing_key:
         | 
| 336 336 | 
             
            specification_version: 4
         | 
| 337 337 | 
             
            summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
         | 
| 338 338 | 
             
            test_files: []
         |