actionpack 7.0.4 → 7.0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f920e0c8edecebb6708efc39f5bc4de2d9dd1beb20b11fac4c2408406ef4812
-  data.tar.gz: e87d2d36beb62a55feb9677d7009725531c2187692099d41682014822e478204
+  metadata.gz: 5f31d845cb672a69a48bf5a99d24da4cc0a1911dd90592b7f569954a08040d32
+  data.tar.gz: 4f82a27ee5dba8c642621ab247ef345b7daff0e9e4fe25c3ba81163a2a31b8d5
 SHA512:
-  metadata.gz: 4ed2fb214470bb89c3a6c6101428806f6ebb2eb01044cc8426dddecdb189a541511aa7355b07f13e898a076a2a7f9b3eabefdfdfb7130918c216993da503e173
-  data.tar.gz: 0c4a9b5b27a03faec9e2d971cce098cb943fbdc7bf0cb25ba243755bfa72760c2a0eefc18e80134877f2a382d7d154deee64faaccacbe557768a978771873ee4
+  metadata.gz: 7094329330497de30fa9dbae232a2563a3699129681dbba34092db10f3e07d97b9905abe2d4339f50c39b8f45c6e9765a77523c379dbe53f3ff96cb544586483
+  data.tar.gz: db8c045d237562750468b511cd54990c2fe0069fe7942e663f013f6cdfa30e7211b8f9874cdc7187dc0b16f1238cb331dde86bbd38f796688935e541b0fcac25

data/CHANGELOG.md

@@ -1,3 +1,21 @@
+## Rails 7.0.4.1 (January 17, 2023) ##
+
+*   Fix sec issue with _url_host_allowed?
+
+    Disallow certain strings from `_url_host_allowed?` to avoid a redirect
+    to malicious sites.
+
+    [CVE-2023-22797]
+
+*   Avoid regex backtracking on If-None-Match header
+
+    [CVE-2023-22795]
+
+*   Use string#split instead of regex for domain parts
+
+    [CVE-2023-22792]
+
+
 ## Rails 7.0.4 (September 09, 2022) ##
 
 *   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.

data/lib/action_controller/metal/redirecting.rb

@@ -196,7 +196,11 @@ module ActionController
 
       def _url_host_allowed?(url)
         host = URI(url.to_s).host
-        host == request.host || host.nil? && url.to_s.start_with?("/")
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        return !url.to_s.start_with?("//")
       rescue ArgumentError, URI::Error
         false
       end

data/lib/action_dispatch/http/cache.rb

@@ -18,7 +18,7 @@ module ActionDispatch
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)

data/lib/action_dispatch/middleware/cookies.rb

@@ -290,20 +290,6 @@ module ActionDispatch
     class CookieJar # :nodoc:
       include Enumerable, ChainedCookieJars
 
-      # This regular expression is used to split the levels of a domain.
-      # The top level domain can be any string without a period or
-      # **.**, ***.** style TLDs like co.uk or com.au
-      #
-      # www.example.co.uk gives:
-      # $& => example.co.uk
-      #
-      # example.com gives:
-      # $& => example.com
-      #
-      # lots.of.subdomains.example.local gives:
-      # $& => example.local
-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
-
       def self.build(req, cookies)
         jar = new(req)
         jar.update(cookies)
@@ -456,13 +442,35 @@ module ActionDispatch
           options[:same_site] ||= cookies_same_site_protection.call(request)
 
           if options[:domain] == :all || options[:domain] == "all"
-            # If there is a provided tld length then we use it otherwise default domain regexp.
-            domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
+            cookie_domain = ""
+            dot_splitted_host = request.host.split('.', -1)
+
+            # Case where request.host is not an IP address or it's an invalid domain
+            # (ip confirms to the domain structure we expect so we explicitly check for ip)
+            if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
+              options[:domain] = nil
+              return
+            end
+
+            # If there is a provided tld length then we use it otherwise default domain.
+            if options[:tld_length].present? 
+              # Case where the tld_length provided is valid
+              if dot_splitted_host.length >= options[:tld_length]
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+              end
+            # Case where tld_length is not provided
+            else
+              # Regular TLDs
+              if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
+                cookie_domain = dot_splitted_host.last(2).join('.')
+              # **.**, ***.** style TLDs like co.uk and com.au
+              else
+                cookie_domain = dot_splitted_host.last(3).join('.')
+              end
+            end
 
-            # If host is not ip and matches domain regexp.
-            # (ip confirms to domain regexp so we explicitly check for ip)
-            options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
-              ".#{$&}"
+            options[:domain] = if cookie_domain.present?
+              ".#{cookie_domain}"
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 0
     TINY  = 4
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.0.4
+  version: 7.0.4.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-09 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.4
+        version: 7.0.4.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.4/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.4.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.4.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.4.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.3.3
+rubygems_version: 3.4.3
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).