actionpack 7.0.4 → 7.0.4.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -0
- data/lib/action_controller/metal/redirecting.rb +5 -1
- data/lib/action_dispatch/http/cache.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +28 -20
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5f31d845cb672a69a48bf5a99d24da4cc0a1911dd90592b7f569954a08040d32
|
4
|
+
data.tar.gz: 4f82a27ee5dba8c642621ab247ef345b7daff0e9e4fe25c3ba81163a2a31b8d5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7094329330497de30fa9dbae232a2563a3699129681dbba34092db10f3e07d97b9905abe2d4339f50c39b8f45c6e9765a77523c379dbe53f3ff96cb544586483
|
7
|
+
data.tar.gz: db8c045d237562750468b511cd54990c2fe0069fe7942e663f013f6cdfa30e7211b8f9874cdc7187dc0b16f1238cb331dde86bbd38f796688935e541b0fcac25
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,21 @@
|
|
1
|
+
## Rails 7.0.4.1 (January 17, 2023) ##
|
2
|
+
|
3
|
+
* Fix sec issue with _url_host_allowed?
|
4
|
+
|
5
|
+
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
|
6
|
+
to malicious sites.
|
7
|
+
|
8
|
+
[CVE-2023-22797]
|
9
|
+
|
10
|
+
* Avoid regex backtracking on If-None-Match header
|
11
|
+
|
12
|
+
[CVE-2023-22795]
|
13
|
+
|
14
|
+
* Use string#split instead of regex for domain parts
|
15
|
+
|
16
|
+
[CVE-2023-22792]
|
17
|
+
|
18
|
+
|
1
19
|
## Rails 7.0.4 (September 09, 2022) ##
|
2
20
|
|
3
21
|
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
@@ -196,7 +196,11 @@ module ActionController
|
|
196
196
|
|
197
197
|
def _url_host_allowed?(url)
|
198
198
|
host = URI(url.to_s).host
|
199
|
-
|
199
|
+
|
200
|
+
return true if host == request.host
|
201
|
+
return false unless host.nil?
|
202
|
+
return false unless url.to_s.start_with?("/")
|
203
|
+
return !url.to_s.start_with?("//")
|
200
204
|
rescue ArgumentError, URI::Error
|
201
205
|
false
|
202
206
|
end
|
@@ -290,20 +290,6 @@ module ActionDispatch
|
|
290
290
|
class CookieJar # :nodoc:
|
291
291
|
include Enumerable, ChainedCookieJars
|
292
292
|
|
293
|
-
# This regular expression is used to split the levels of a domain.
|
294
|
-
# The top level domain can be any string without a period or
|
295
|
-
# **.**, ***.** style TLDs like co.uk or com.au
|
296
|
-
#
|
297
|
-
# www.example.co.uk gives:
|
298
|
-
# $& => example.co.uk
|
299
|
-
#
|
300
|
-
# example.com gives:
|
301
|
-
# $& => example.com
|
302
|
-
#
|
303
|
-
# lots.of.subdomains.example.local gives:
|
304
|
-
# $& => example.local
|
305
|
-
DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
|
306
|
-
|
307
293
|
def self.build(req, cookies)
|
308
294
|
jar = new(req)
|
309
295
|
jar.update(cookies)
|
@@ -456,13 +442,35 @@ module ActionDispatch
|
|
456
442
|
options[:same_site] ||= cookies_same_site_protection.call(request)
|
457
443
|
|
458
444
|
if options[:domain] == :all || options[:domain] == "all"
|
459
|
-
|
460
|
-
|
445
|
+
cookie_domain = ""
|
446
|
+
dot_splitted_host = request.host.split('.', -1)
|
447
|
+
|
448
|
+
# Case where request.host is not an IP address or it's an invalid domain
|
449
|
+
# (ip confirms to the domain structure we expect so we explicitly check for ip)
|
450
|
+
if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
|
451
|
+
options[:domain] = nil
|
452
|
+
return
|
453
|
+
end
|
454
|
+
|
455
|
+
# If there is a provided tld length then we use it otherwise default domain.
|
456
|
+
if options[:tld_length].present?
|
457
|
+
# Case where the tld_length provided is valid
|
458
|
+
if dot_splitted_host.length >= options[:tld_length]
|
459
|
+
cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
|
460
|
+
end
|
461
|
+
# Case where tld_length is not provided
|
462
|
+
else
|
463
|
+
# Regular TLDs
|
464
|
+
if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
|
465
|
+
cookie_domain = dot_splitted_host.last(2).join('.')
|
466
|
+
# **.**, ***.** style TLDs like co.uk and com.au
|
467
|
+
else
|
468
|
+
cookie_domain = dot_splitted_host.last(3).join('.')
|
469
|
+
end
|
470
|
+
end
|
461
471
|
|
462
|
-
|
463
|
-
|
464
|
-
options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
|
465
|
-
".#{$&}"
|
472
|
+
options[:domain] = if cookie_domain.present?
|
473
|
+
".#{cookie_domain}"
|
466
474
|
end
|
467
475
|
elsif options[:domain].is_a? Array
|
468
476
|
# If host matches one of the supplied domains.
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.0.4
|
4
|
+
version: 7.0.4.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 7.0.4
|
19
|
+
version: 7.0.4.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 7.0.4
|
26
|
+
version: 7.0.4.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 7.0.4
|
101
|
+
version: 7.0.4.1
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 7.0.4
|
108
|
+
version: 7.0.4.1
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 7.0.4
|
115
|
+
version: 7.0.4.1
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 7.0.4
|
122
|
+
version: 7.0.4.1
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -310,10 +310,10 @@ licenses:
|
|
310
310
|
- MIT
|
311
311
|
metadata:
|
312
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
313
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.4/actionpack/CHANGELOG.md
|
314
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.4/
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.4.1/actionpack/CHANGELOG.md
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.4.1/
|
315
315
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
316
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.4/actionpack
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.4.1/actionpack
|
317
317
|
rubygems_mfa_required: 'true'
|
318
318
|
post_install_message:
|
319
319
|
rdoc_options: []
|
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
331
331
|
version: '0'
|
332
332
|
requirements:
|
333
333
|
- none
|
334
|
-
rubygems_version: 3.
|
334
|
+
rubygems_version: 3.4.3
|
335
335
|
signing_key:
|
336
336
|
specification_version: 4
|
337
337
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|