actionpack 7.0.7.2 → 7.0.8
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +12 -5
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -3
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -3
- data/lib/action_dispatch/system_testing/browser.rb +1 -1
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +12 -12
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 554db7a8936fc5a1d81baf26f67a4d031f2e7b3c01022695ae842c4a06aa3085
|
|
4
|
+
data.tar.gz: ceb0aad8f1a9abb47bf6bdc79740dc772cbbbd5d06513f9b19e3dae9d77f1c3b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d6a7fcc80e5f12c8eac3ba474094cf9087049389793f2953e49d25b3519637329bf8ab440e2af2c8427acbf79d1b6e67204e1e907cc8d9ce3bc7ab9ff65e5e89
|
|
7
|
+
data.tar.gz: dfed11835f0aa991c57841aba4ae0a1def553bf086de35bc86db01f2b4424cb9d29823fff6f07ad2fabcc7cc15d752cf7c8b488cf4bf48300ca338e56c8abe2c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,11 @@
|
|
|
1
|
+
## Rails 7.0.8 (September 09, 2023) ##
|
|
2
|
+
|
|
3
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
|
4
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
|
5
|
+
|
|
6
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
|
7
|
+
|
|
8
|
+
|
|
1
9
|
## Rails 7.0.7.2 (August 22, 2023) ##
|
|
2
10
|
|
|
3
11
|
* No changes.
|
|
@@ -95,7 +95,7 @@ module ActionDispatch
|
|
|
95
95
|
def response_body(request)
|
|
96
96
|
return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
|
|
97
97
|
|
|
98
|
-
template = DebugView.new(
|
|
98
|
+
template = DebugView.new(hosts: request.env["action_dispatch.blocked_hosts"])
|
|
99
99
|
template.render(template: "rescues/blocked_host", layout: "rescues/layout")
|
|
100
100
|
end
|
|
101
101
|
|
|
@@ -111,7 +111,7 @@ module ActionDispatch
|
|
|
111
111
|
|
|
112
112
|
return unless logger
|
|
113
113
|
|
|
114
|
-
logger.error("[#{self.class.name}] Blocked
|
|
114
|
+
logger.error("[#{self.class.name}] Blocked hosts: #{request.env["action_dispatch.blocked_hosts"].join(", ")}")
|
|
115
115
|
end
|
|
116
116
|
|
|
117
117
|
def available_logger(request)
|
|
@@ -131,21 +131,28 @@ module ActionDispatch
|
|
|
131
131
|
return @app.call(env) if @permissions.empty?
|
|
132
132
|
|
|
133
133
|
request = Request.new(env)
|
|
134
|
+
hosts = blocked_hosts(request)
|
|
134
135
|
|
|
135
|
-
if
|
|
136
|
+
if hosts.empty? || excluded?(request)
|
|
136
137
|
mark_as_authorized(request)
|
|
137
138
|
@app.call(env)
|
|
138
139
|
else
|
|
140
|
+
env["action_dispatch.blocked_hosts"] = hosts
|
|
139
141
|
@response_app.call(env)
|
|
140
142
|
end
|
|
141
143
|
end
|
|
142
144
|
|
|
143
145
|
private
|
|
144
|
-
def
|
|
146
|
+
def blocked_hosts(request)
|
|
147
|
+
hosts = []
|
|
148
|
+
|
|
145
149
|
origin_host = request.get_header("HTTP_HOST")
|
|
150
|
+
hosts << origin_host unless @permissions.allows?(origin_host)
|
|
151
|
+
|
|
146
152
|
forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
|
|
153
|
+
hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host)
|
|
147
154
|
|
|
148
|
-
|
|
155
|
+
hosts
|
|
149
156
|
end
|
|
150
157
|
|
|
151
158
|
def excluded?(request)
|
|
@@ -1,8 +1,12 @@
|
|
|
1
1
|
<header>
|
|
2
|
-
<h1>Blocked
|
|
2
|
+
<h1>Blocked hosts: <%= @hosts.join(", ") %></h1>
|
|
3
3
|
</header>
|
|
4
4
|
<main role="main" id="container">
|
|
5
|
-
<h2>To allow requests to
|
|
6
|
-
<pre>
|
|
5
|
+
<h2>To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
|
|
6
|
+
<pre>
|
|
7
|
+
<% @hosts.each do |host| %>
|
|
8
|
+
config.hosts << "<%= host %>"
|
|
9
|
+
<% end %>
|
|
10
|
+
</pre>
|
|
7
11
|
<p>For more details view: <a href="https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization">the Host Authorization guide</a></p>
|
|
8
12
|
</main>
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
Blocked
|
|
1
|
+
Blocked hosts: <%= @hosts.join(", ") %>
|
|
2
2
|
|
|
3
|
-
To allow requests to
|
|
3
|
+
To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
<% @hosts.each do |host| %>
|
|
6
|
+
config.hosts << "<%= host %>"
|
|
7
|
+
<% end %>
|
|
6
8
|
|
|
7
9
|
For more details on host authorization view: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
|
|
@@ -26,7 +26,7 @@ module ActionDispatch
|
|
|
26
26
|
yield options if block_given? && options
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
# driver_path can be configured as a proc.
|
|
29
|
+
# driver_path can be configured as a proc.
|
|
30
30
|
# proc to update web drivers. Running this proc early allows us to only
|
|
31
31
|
# update the webdriver once and avoid race conditions when using
|
|
32
32
|
# parallel tests.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.0.
|
|
4
|
+
version: 7.0.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-09-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 7.0.
|
|
19
|
+
version: 7.0.8
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 7.0.
|
|
26
|
+
version: 7.0.8
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rack
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -98,28 +98,28 @@ dependencies:
|
|
|
98
98
|
requirements:
|
|
99
99
|
- - '='
|
|
100
100
|
- !ruby/object:Gem::Version
|
|
101
|
-
version: 7.0.
|
|
101
|
+
version: 7.0.8
|
|
102
102
|
type: :runtime
|
|
103
103
|
prerelease: false
|
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
|
105
105
|
requirements:
|
|
106
106
|
- - '='
|
|
107
107
|
- !ruby/object:Gem::Version
|
|
108
|
-
version: 7.0.
|
|
108
|
+
version: 7.0.8
|
|
109
109
|
- !ruby/object:Gem::Dependency
|
|
110
110
|
name: activemodel
|
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
|
112
112
|
requirements:
|
|
113
113
|
- - '='
|
|
114
114
|
- !ruby/object:Gem::Version
|
|
115
|
-
version: 7.0.
|
|
115
|
+
version: 7.0.8
|
|
116
116
|
type: :development
|
|
117
117
|
prerelease: false
|
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
|
119
119
|
requirements:
|
|
120
120
|
- - '='
|
|
121
121
|
- !ruby/object:Gem::Version
|
|
122
|
-
version: 7.0.
|
|
122
|
+
version: 7.0.8
|
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
|
125
125
|
email: david@loudthinking.com
|
|
@@ -310,10 +310,10 @@ licenses:
|
|
|
310
310
|
- MIT
|
|
311
311
|
metadata:
|
|
312
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
313
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.
|
|
314
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.
|
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.8/actionpack/CHANGELOG.md
|
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.8/
|
|
315
315
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
316
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.
|
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.8/actionpack
|
|
317
317
|
rubygems_mfa_required: 'true'
|
|
318
318
|
post_install_message:
|
|
319
319
|
rdoc_options: []
|
|
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
331
331
|
version: '0'
|
|
332
332
|
requirements:
|
|
333
333
|
- none
|
|
334
|
-
rubygems_version: 3.
|
|
334
|
+
rubygems_version: 3.4.18
|
|
335
335
|
signing_key:
|
|
336
336
|
specification_version: 4
|
|
337
337
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|