actionpack 7.0.4 → 7.0.4.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +27 -0
- data/lib/action_controller/metal/redirecting.rb +5 -1
- data/lib/action_dispatch/http/cache.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +28 -20
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2c22bab78116ba16eb5b0040050758d1cdfdecb10e9f7d174116e8174c9f988f
|
4
|
+
data.tar.gz: 826c0844d869f71fd1e04b0295898ebe011a43085131224f1d12991fb8b3cbd0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 109a5ec54e9e254d8db491ce49027ced3eb8ab8f35ee41823cef7ce661067eceedc795f371871765c687ce96c1f452513319ad7363d349b3bedcf8837f71c692
|
7
|
+
data.tar.gz: 334ce823a8637370f5b6cf6baec372eebd97b6e573294f0d7229bf032a81a55079e63fb11cbd3c536b96c74801d2c291ef2e16ca8a13bef6d43585bfe55dc7bf
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,30 @@
|
|
1
|
+
## Rails 7.0.4.2 (January 24, 2023) ##
|
2
|
+
|
3
|
+
* Fix `domain: :all` for two letter TLD
|
4
|
+
|
5
|
+
This fixes a compatibility issue introduced in our previous security
|
6
|
+
release when using `domain: :all` with a two letter but single level top
|
7
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
8
|
+
|
9
|
+
|
10
|
+
## Rails 7.0.4.1 (January 17, 2023) ##
|
11
|
+
|
12
|
+
* Fix sec issue with _url_host_allowed?
|
13
|
+
|
14
|
+
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
|
15
|
+
to malicious sites.
|
16
|
+
|
17
|
+
[CVE-2023-22797]
|
18
|
+
|
19
|
+
* Avoid regex backtracking on If-None-Match header
|
20
|
+
|
21
|
+
[CVE-2023-22795]
|
22
|
+
|
23
|
+
* Use string#split instead of regex for domain parts
|
24
|
+
|
25
|
+
[CVE-2023-22792]
|
26
|
+
|
27
|
+
|
1
28
|
## Rails 7.0.4 (September 09, 2022) ##
|
2
29
|
|
3
30
|
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
@@ -196,7 +196,11 @@ module ActionController
|
|
196
196
|
|
197
197
|
def _url_host_allowed?(url)
|
198
198
|
host = URI(url.to_s).host
|
199
|
-
|
199
|
+
|
200
|
+
return true if host == request.host
|
201
|
+
return false unless host.nil?
|
202
|
+
return false unless url.to_s.start_with?("/")
|
203
|
+
return !url.to_s.start_with?("//")
|
200
204
|
rescue ArgumentError, URI::Error
|
201
205
|
false
|
202
206
|
end
|
@@ -290,20 +290,6 @@ module ActionDispatch
|
|
290
290
|
class CookieJar # :nodoc:
|
291
291
|
include Enumerable, ChainedCookieJars
|
292
292
|
|
293
|
-
# This regular expression is used to split the levels of a domain.
|
294
|
-
# The top level domain can be any string without a period or
|
295
|
-
# **.**, ***.** style TLDs like co.uk or com.au
|
296
|
-
#
|
297
|
-
# www.example.co.uk gives:
|
298
|
-
# $& => example.co.uk
|
299
|
-
#
|
300
|
-
# example.com gives:
|
301
|
-
# $& => example.com
|
302
|
-
#
|
303
|
-
# lots.of.subdomains.example.local gives:
|
304
|
-
# $& => example.local
|
305
|
-
DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
|
306
|
-
|
307
293
|
def self.build(req, cookies)
|
308
294
|
jar = new(req)
|
309
295
|
jar.update(cookies)
|
@@ -456,13 +442,35 @@ module ActionDispatch
|
|
456
442
|
options[:same_site] ||= cookies_same_site_protection.call(request)
|
457
443
|
|
458
444
|
if options[:domain] == :all || options[:domain] == "all"
|
459
|
-
|
460
|
-
|
445
|
+
cookie_domain = ""
|
446
|
+
dot_splitted_host = request.host.split('.', -1)
|
447
|
+
|
448
|
+
# Case where request.host is not an IP address or it's an invalid domain
|
449
|
+
# (ip confirms to the domain structure we expect so we explicitly check for ip)
|
450
|
+
if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
|
451
|
+
options[:domain] = nil
|
452
|
+
return
|
453
|
+
end
|
454
|
+
|
455
|
+
# If there is a provided tld length then we use it otherwise default domain.
|
456
|
+
if options[:tld_length].present?
|
457
|
+
# Case where the tld_length provided is valid
|
458
|
+
if dot_splitted_host.length >= options[:tld_length]
|
459
|
+
cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
|
460
|
+
end
|
461
|
+
# Case where tld_length is not provided
|
462
|
+
else
|
463
|
+
# Regular TLDs
|
464
|
+
if !(/\.[^.]{2,3}\.[^.]{2}\z/.match?(request.host))
|
465
|
+
cookie_domain = dot_splitted_host.last(2).join(".")
|
466
|
+
# **.**, ***.** style TLDs like co.uk and com.au
|
467
|
+
else
|
468
|
+
cookie_domain = dot_splitted_host.last(3).join('.')
|
469
|
+
end
|
470
|
+
end
|
461
471
|
|
462
|
-
|
463
|
-
|
464
|
-
options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
|
465
|
-
".#{$&}"
|
472
|
+
options[:domain] = if cookie_domain.present?
|
473
|
+
".#{cookie_domain}"
|
466
474
|
end
|
467
475
|
elsif options[:domain].is_a? Array
|
468
476
|
# If host matches one of the supplied domains.
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.0.4
|
4
|
+
version: 7.0.4.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-25 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 7.0.4
|
19
|
+
version: 7.0.4.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 7.0.4
|
26
|
+
version: 7.0.4.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 7.0.4
|
101
|
+
version: 7.0.4.2
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 7.0.4
|
108
|
+
version: 7.0.4.2
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 7.0.4
|
115
|
+
version: 7.0.4.2
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 7.0.4
|
122
|
+
version: 7.0.4.2
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -310,10 +310,10 @@ licenses:
|
|
310
310
|
- MIT
|
311
311
|
metadata:
|
312
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
313
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.4/actionpack/CHANGELOG.md
|
314
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.4/
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.4.2/actionpack/CHANGELOG.md
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.4.2/
|
315
315
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
316
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.4/actionpack
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.4.2/actionpack
|
317
317
|
rubygems_mfa_required: 'true'
|
318
318
|
post_install_message:
|
319
319
|
rdoc_options: []
|
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
331
331
|
version: '0'
|
332
332
|
requirements:
|
333
333
|
- none
|
334
|
-
rubygems_version: 3.
|
334
|
+
rubygems_version: 3.4.3
|
335
335
|
signing_key:
|
336
336
|
specification_version: 4
|
337
337
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|