actionpack 7.0.4.3 → 7.0.8.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a6767fc53a6245fa8cf50e270d45f161b736ecac2617775983506517053fc85c
-  data.tar.gz: 46c3f7e78ff2cac14ca4eefbf1eb3d72fc41e514571356eec3fc9693ce04d7d7
+  metadata.gz: 76f2e4ab652796862473bcf69baca0be66d20e972be7b6604b7477f4bfb9e773
+  data.tar.gz: cb4eb95dccda5350e577c88faeba18644013acf30496a026866266b0a44efe99
 SHA512:
-  metadata.gz: 74c5700fdeecb9ca7ab1b60c88dcc30f55cf04c62ba7ac4204aad1b787ef7686ab0354a3ae462738f01333867dbcf2df676250797cb6022f8241b1eb3bdc1f86
-  data.tar.gz: 715809e75921eaef199ff1f775a6756c21be3954942189ed817a763ed5197c5aaac85b8620b684324d7e117e9b804572911de4e3d442eb3169f59229f233691a
+  metadata.gz: f895845c05ca602877bece43b5d30fb2a16ecce365e7ab41682c8adf021a2cfe8317fedf12c863a153219a583e95847a782c577a96f95cc97c40b1b2014fa2c1
+  data.tar.gz: 0e9767733ed255b38198c26dee3c5247fc9ae923b2a22720fbd0cd00842aab15b5e9f3be5357810d387638953811afc21db0c6e70d27a65b6e6315c13af91bf5

data/CHANGELOG.md

@@ -1,3 +1,120 @@
+## Rails 7.0.8.6 (October 23, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.0.8.5 (October 15, 2024) ##
+
+*   Avoid regex backtracking in HTTP Token authentication
+
+    [CVE-2024-47887]
+
+*   Avoid regex backtracking in query parameter filtering
+
+    [CVE-2024-41128]
+
+
+## Rails 7.0.8.4 (June 04, 2024) ##
+
+*   Include the HTTP Permissions-Policy on non-HTML Content-Types
+    [CVE-2024-28103]
+
+
+## Rails 7.0.8.3 (May 17, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.0.8.2 (May 16, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   Fix possible XSS vulnerability with the `translate` method in controllers
+
+    CVE-2024-26143
+
+## Rails 7.0.8 (September 09, 2023) ##
+
+*   Fix `HostAuthorization` potentially displaying the value of the
+    X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
+
+    *Hartley McGuire*, *Daniel Schlosser*
+
+
+## Rails 7.0.7.2 (August 22, 2023) ##
+
+*   No changes.
+
+
+## Rails 7.0.7.1 (August 22, 2023) ##
+
+*   No changes.
+
+
+## Rails 7.0.7 (August 09, 2023) ##
+
+*   No changes.
+
+
+## Rails 7.0.6 (June 29, 2023) ##
+
+*   No changes.
+
+
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
+
+    *Zack Deveau*
+
+## Rails 7.0.5 (May 24, 2023) ##
+
+*   Do not return CSP headers for 304 Not Modified responses.
+
+    *Tobias Kraze*
+
+*   Fix `EtagWithFlash` when there is no `Flash` middleware available.
+
+    *fatkodima*
+
+*   Fix content-type header with `send_stream`.
+
+    *Elliot Crosby-McCullough*
+
+*   Address Selenium `:capabilities` deprecation warning.
+
+    *Ron Shinall*
+
+*   Fix cookie domain for domain: all on two letter single level TLD.
+
+    *John Hawthorn*
+
+*   Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
+
+    Previously if you set `config.active_record.query_log_tags` to an array that included
+    `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
+    This bug has been fixed.
+
+    *Alex Ghiculescu*
+
+*   Rescue `EOFError` exception from `rack` on a multipart request.
+
+    *Nikita Vasilevsky*
+
+*   Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
+
+    Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
+    the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
+    clear the cookie and force app users to manually clear it in their browser.
+
+    (See #45127 for original bug discussion)
+
+    *Nathan Bardoux*
+
 ## Rails 7.0.4.3 (March 13, 2023) ##
 
 *   No changes.
@@ -29,7 +146,6 @@
 
     [CVE-2023-22792]
 
-
 ## Rails 7.0.4 (September 09, 2022) ##
 
 *   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.

data/README.rdoc

@@ -30,7 +30,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
   $ gem install actionpack
 
-Source code can be downloaded as part of the Rails project on GitHub:
+Source code can be downloaded as part of the \Rails project on GitHub:
 
 * https://github.com/rails/rails/tree/main/actionpack
 
@@ -48,7 +48,7 @@ API documentation is at:
 
 * https://api.rubyonrails.org
 
-Bug reports for the Ruby on Rails project can be filed here:
+Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 

data/lib/abstract_controller/helpers.rb

@@ -61,13 +61,14 @@ module AbstractController
       #   class ApplicationController < ActionController::Base
       #     helper_method :current_user, :logged_in?
       #
-      #     def current_user
-      #       @current_user ||= User.find_by(id: session[:user])
-      #     end
-      #
-      #     def logged_in?
-      #       current_user != nil
-      #     end
+      #     private
+      #       def current_user
+      #         @current_user ||= User.find_by(id: session[:user])
+      #       end
+      #
+      #       def logged_in?
+      #         current_user != nil
+      #       end
       #   end
       #
       # In a view:
@@ -84,10 +85,13 @@ module AbstractController
         file, line = location.path, location.lineno
 
         methods.each do |method|
-          _helpers_for_modification.class_eval <<~ruby_eval, file, line
-            def #{method}(*args, &block)                    # def current_user(*args, &block)
-              controller.send(:'#{method}', *args, &block)  #   controller.send(:'current_user', *args, &block)
-            end                                             # end
+          # def current_user(*args, &block)
+          #   controller.send(:'current_user', *args, &block)
+          # end
+          _helpers_for_modification.class_eval <<~ruby_eval.lines.map(&:strip).join(";"), file, line
+            def #{method}(*args, &block)
+              controller.send(:'#{method}', *args, &block)
+            end
             ruby2_keywords(:'#{method}')
           ruby_eval
         end

data/lib/abstract_controller/rendering.rb

@@ -18,8 +18,10 @@ module AbstractController
     extend ActiveSupport::Concern
     include ActionView::ViewPaths
 
-    # Normalizes arguments, options and then delegates render_to_body and
+    # Normalizes arguments and options, and then delegates to render_to_body and
     # sticks the result in <tt>self.response_body</tt>.
+    #
+    # Supported options depend on the underlying +render_to_body+ implementation.
     def render(*args, &block)
       options = _normalize_render(*args, &block)
       rendered_body = render_to_body(options)
@@ -32,16 +34,12 @@ module AbstractController
       self.response_body = rendered_body
     end
 
-    # Raw rendering of a template to a string.
-    #
-    # It is similar to render, except that it does not
-    # set the +response_body+ and it should be guaranteed
-    # to always return a string.
+    # Similar to #render, but only returns the rendered template as a string,
+    # instead of setting +self.response_body+.
     #
-    # If a component extends the semantics of +response_body+
-    # (as ActionController extends it to be anything that
-    # responds to the method each), this method needs to be
-    # overridden in order to still return a string.
+    # If a component extends the semantics of +response_body+ (as ActionController
+    # extends it to be anything that responds to the method each), this method
+    # needs to be overridden in order to still return a string.
     def render_to_string(*args, &block)
       options = _normalize_render(*args, &block)
       render_to_body(options)
@@ -51,7 +49,7 @@ module AbstractController
     def render_to_body(options = {})
     end
 
-    # Returns Content-Type of rendered content.
+    # Returns +Content-Type+ of rendered content.
     def rendered_format
       Mime[:text]
     end

data/lib/abstract_controller/translation.rb

@@ -6,7 +6,7 @@ module AbstractController
   module Translation
     mattr_accessor :raise_on_missing_translations, default: false
 
-    # Delegates to <tt>I18n.translate</tt>. Also aliased as <tt>t</tt>.
+    # Delegates to <tt>I18n.translate</tt>.
     #
     # When the given key starts with a period, it will be scoped by the current
     # controller and action. So if you call <tt>translate(".foo")</tt> from
@@ -25,14 +25,36 @@ module AbstractController
 
       i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
 
-      ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+      if options[:default]
+        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+        options[:default] = options[:default].map do |value|
+          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+        end
+      end
+
+      unless i18n_raise
+        options[:default] = [] unless options[:default]
+        options[:default] << MISSING_TRANSLATION
+      end
+
+      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+
+      if result == MISSING_TRANSLATION
+        +"translation missing: #{key}"
+      else
+        result
+      end
     end
     alias :t :translate
 
-    # Delegates to <tt>I18n.localize</tt>. Also aliased as <tt>l</tt>.
+    # Delegates to <tt>I18n.localize</tt>.
     def localize(object, **options)
       I18n.localize(object, **options)
     end
     alias :l :localize
+
+    private
+      MISSING_TRANSLATION = -(2**60)
+      private_constant :MISSING_TRANSLATION
   end
 end

data/lib/action_controller/api.rb

@@ -40,7 +40,7 @@ module ActionController
   # can use <tt>render :json</tt> and siblings freely in your controllers. Keep
   # in mind that templates are not going to be rendered, so you need to ensure
   # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
-  # all actions, otherwise it will return 204 No Content.
+  # all actions, otherwise it will return <tt>204 No Content</tt>.
   #
   #   def show
   #     post = Post.find(params[:id])

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -3,7 +3,9 @@
 module ActionController
   module BasicImplicitRender # :nodoc:
     def send_action(method, *args)
-      super.tap { default_render unless performed? }
+      ret = super
+      default_render unless performed?
+      ret
     end
 
     def default_render