actionpack 7.0.4 → 7.0.4.2

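--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1f920e0c8edecebb6708efc39f5bc4de2d9dd1beb20b11fac4c2408406ef4812
-data.tar.gz: e87d2d36beb62a55feb9677d7009725531c2187692099d41682014822e478204
+metadata.gz: 2c22bab78116ba16eb5b0040050758d1cdfdecb10e9f7d174116e8174c9f988f
+data.tar.gz: 826c0844d869f71fd1e04b0295898ebe011a43085131224f1d12991fb8b3cbd0
 SHA512:
-metadata.gz: 4ed2fb214470bb89c3a6c6101428806f6ebb2eb01044cc8426dddecdb189a541511aa7355b07f13e898a076a2a7f9b3eabefdfdfb7130918c216993da503e173
-data.tar.gz: 0c4a9b5b27a03faec9e2d971cce098cb943fbdc7bf0cb25ba243755bfa72760c2a0eefc18e80134877f2a382d7d154deee64faaccacbe557768a978771873ee4
+metadata.gz: 109a5ec54e9e254d8db491ce49027ced3eb8ab8f35ee41823cef7ce661067eceedc795f371871765c687ce96c1f452513319ad7363d349b3bedcf8837f71c692
+data.tar.gz: 334ce823a8637370f5b6cf6baec372eebd97b6e573294f0d7229bf032a81a55079e63fb11cbd3c536b96c74801d2c291ef2e16ca8a13bef6d43585bfe55dc7bf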
data/CHANGELOG.md CHANGED
@@ -1,3 +1,30 @@
1
+ ## Rails 7.0.4.2 (January 24, 2023) ##
2
+
3
+ * Fix `domain: :all` for two letter TLD
4
+
5
+ This fixes a compatibility issue introduced in our previous security
6
+ release when using `domain: :all` with a two letter but single level top
7
+ level domain domain (like `.ca`, rather than `.co.uk`).
8
+
9
+
10
+ ## Rails 7.0.4.1 (January 17, 2023) ##
11
+
12
+ * Fix sec issue with _url_host_allowed?
13
+
14
+ Disallow certain strings from `_url_host_allowed?` to avoid a redirect
15
+ to malicious sites.
16
+
17
+ [CVE-2023-22797]
18
+
19
+ * Avoid regex backtracking on If-None-Match header
20
+
21
+ [CVE-2023-22795]
22
+
23
+ * Use string#split instead of regex for domain parts
24
+
25
+ [CVE-2023-22792]
26
+
27
+
1
28
  ## Rails 7.0.4 (September 09, 2022) ##
2
29
 
3
30
  * Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
@@ -196,7 +196,11 @@ module ActionController
196
196
 
197
197
  def _url_host_allowed?(url)
198
198
  host = URI(url.to_s).host
199
- host == request.host || host.nil? && url.to_s.start_with?("/")
199
+
200
+ return true if host == request.host
201
+ return false unless host.nil?
202
+ return false unless url.to_s.start_with?("/")
203
+ return !url.to_s.start_with?("//")
200
204
  rescue ArgumentError, URI::Error
201
205
  false
202
206
  end
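Review bot: `url.to_s` is evaluated three times in the new body of `_url_host_allowed?`, once for `URI(...)` and once per `start_with?` check; assigning `url_string = url.to_s` on the first line and using it in all three places keeps the guards visibly over the same value. The new guard clauses also deserve a one-line comment stating the accept rule, e.g. `# Allow same-host URLs and relative paths; reject protocol-relative "//" paths, which resolve to a different host.`. The method is fully contained in the hunk.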
@@ -18,7 +18,7 @@ module ActionDispatch
18
18
  end
19
19
 
20
20
  def if_none_match_etags
21
- if_none_match ? if_none_match.split(/\s*,\s*/) : []
21
+ if_none_match ? if_none_match.split(",").each(&:strip!) : []
22
22
  end
23
23
 
24
24
  def not_modified?(modified_at)
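Review bot: `if_none_match.split(",").each(&:strip!)` only yields the stripped list because `each` returns its receiver after the split strings are mutated in place; `map(&:strip)` expresses the same result without depending on that and without `strip!`'s nil return when nothing changes. The reason for dropping the regex is not visible in the code, and the CHANGELOG attributes the change to avoiding regex backtracking on this header, so a short comment such as `# Split on a literal comma; a regex split with \s* around the comma is avoided deliberately.` would preserve the intent for the next reader. The method is fully contained in the hunk.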
@@ -290,20 +290,6 @@ module ActionDispatch
290
290
  class CookieJar # :nodoc:
291
291
  include Enumerable, ChainedCookieJars
292
292
 
293
- # This regular expression is used to split the levels of a domain.
294
- # The top level domain can be any string without a period or
295
- # **.**, ***.** style TLDs like co.uk or com.au
296
- #
297
- # www.example.co.uk gives:
298
- # $& => example.co.uk
299
- #
300
- # example.com gives:
301
- # $& => example.com
302
- #
303
- # lots.of.subdomains.example.local gives:
304
- # $& => example.local
305
- DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
306
-
307
293
  def self.build(req, cookies)
308
294
  jar = new(req)
309
295
  jar.update(cookies)
@@ -456,13 +442,35 @@ module ActionDispatch
456
442
  options[:same_site] ||= cookies_same_site_protection.call(request)
457
443
 
458
444
  if options[:domain] == :all || options[:domain] == "all"
459
- # If there is a provided tld length then we use it otherwise default domain regexp.
460
- domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
445
+ cookie_domain = ""
446
+ dot_splitted_host = request.host.split('.', -1)
447
+
448
+ # Case where request.host is not an IP address or it's an invalid domain
449
+ # (ip confirms to the domain structure we expect so we explicitly check for ip)
450
+ if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
451
+ options[:domain] = nil
452
+ return
453
+ end
454
+
455
+ # If there is a provided tld length then we use it otherwise default domain.
456
+ if options[:tld_length].present?
457
+ # Case where the tld_length provided is valid
458
+ if dot_splitted_host.length >= options[:tld_length]
459
+ cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
460
+ end
461
+ # Case where tld_length is not provided
462
+ else
463
+ # Regular TLDs
464
+ if !(/\.[^.]{2,3}\.[^.]{2}\z/.match?(request.host))
465
+ cookie_domain = dot_splitted_host.last(2).join(".")
466
+ # **.**, ***.** style TLDs like co.uk and com.au
467
+ else
468
+ cookie_domain = dot_splitted_host.last(3).join('.')
469
+ end
470
+ end
461
471
 
462
- # If host is not ip and matches domain regexp.
463
- # (ip confirms to domain regexp so we explicitly check for ip)
464
- options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
465
- ".#{$&}"
472
+ options[:domain] = if cookie_domain.present?
473
+ ".#{cookie_domain}"
466
474
  end
467
475
  elsif options[:domain].is_a? Array
468
476
  # If host matches one of the supplied domains.
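Review bot: The IP check `request.host.match?(/^[\d.]+$/)` keeps the line-anchored `^`/`$` from the old code while the TLD check a few lines below uses `\z`; for a whole-string test `\A[\d.]+\z` is the intended form, since `^`/`$` match per line and would still match a host value that contains a newline. The negated `if !(...)` with its two assignments can collapse to `tld_levels = request.host.match?(/\.[^.]{2,3}\.[^.]{2}\z/) ? 3 : 2` followed by `cookie_domain = dot_splitted_host.last(tld_levels).join(".")`, which also removes the mixed `'.'`/`"."` quoting on the `split` and `join` calls. The comment "ip confirms to the domain structure" should read "conforms". The enclosing method starts and ends outside the hunk.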
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 4
13
- PRE = nil
13
+ PRE = "2"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
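--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-09 00:00:00.000000000 Z
+date: 2023-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.2
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.2
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.2
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.0.4/actionpack/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v7.0.4/
+changelog_uri: https://github.com/rails/rails/blob/v7.0.4.2/actionpack/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.0.4.2/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.0.4/actionpack
+source_code_uri: https://github.com/rails/rails/tree/v7.0.4.2/actionpack
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.3.3
+rubygems_version: 3.4.3
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).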