actionpack 7.0.7.2 → 7.0.8.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -0
- data/lib/abstract_controller/translation.rb +23 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +12 -5
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -3
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -3
- data/lib/action_dispatch/system_testing/browser.rb +1 -1
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9c187c6dc06f7cfe2c9eb4fce7787e7f0f8a0f2ecbed6e3f58937b60d641239c
|
4
|
+
data.tar.gz: f8f4e0b1e8f19bf48fd714ac2f15ce18b4fb0c72ff25472c25dc7881579a798a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e77d65ccbb57cfa58561d235e6d02704fe7bdb7b977f9e229e1f1149e6b3464e37238e2e8485e345bc77f79487b0e383bff81758afdd315370f4ac750957e93b
|
7
|
+
data.tar.gz: c00d8015d6861e927b9d887af3001762940d61ebd9268efda856efe92b3e483d047d9b6ea144096d4c7ae3de229dfb69341ad170a281f1014058a623e75d9f9e
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,17 @@
|
|
1
|
+
## Rails 7.0.8.1 (February 21, 2024) ##
|
2
|
+
|
3
|
+
* Fix possible XSS vulnerability with the `translate` method in controllers
|
4
|
+
|
5
|
+
CVE-2024-26143
|
6
|
+
|
7
|
+
## Rails 7.0.8 (September 09, 2023) ##
|
8
|
+
|
9
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
10
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
11
|
+
|
12
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
13
|
+
|
14
|
+
|
1
15
|
## Rails 7.0.7.2 (August 22, 2023) ##
|
2
16
|
|
3
17
|
* No changes.
|
@@ -25,7 +25,25 @@ module AbstractController
|
|
25
25
|
|
26
26
|
i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
|
27
27
|
|
28
|
-
|
28
|
+
if options[:default]
|
29
|
+
options[:default] = [options[:default]] unless options[:default].is_a?(Array)
|
30
|
+
options[:default] = options[:default].map do |value|
|
31
|
+
value.is_a?(String) ? ERB::Util.html_escape(value) : value
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
unless i18n_raise
|
36
|
+
options[:default] = [] unless options[:default]
|
37
|
+
options[:default] << MISSING_TRANSLATION
|
38
|
+
end
|
39
|
+
|
40
|
+
result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
|
41
|
+
|
42
|
+
if result == MISSING_TRANSLATION
|
43
|
+
+"translation missing: #{key}"
|
44
|
+
else
|
45
|
+
result
|
46
|
+
end
|
29
47
|
end
|
30
48
|
alias :t :translate
|
31
49
|
|
@@ -34,5 +52,9 @@ module AbstractController
|
|
34
52
|
I18n.localize(object, **options)
|
35
53
|
end
|
36
54
|
alias :l :localize
|
55
|
+
|
56
|
+
private
|
57
|
+
MISSING_TRANSLATION = -(2**60)
|
58
|
+
private_constant :MISSING_TRANSLATION
|
37
59
|
end
|
38
60
|
end
|
@@ -95,7 +95,7 @@ module ActionDispatch
|
|
95
95
|
def response_body(request)
|
96
96
|
return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
|
97
97
|
|
98
|
-
template = DebugView.new(
|
98
|
+
template = DebugView.new(hosts: request.env["action_dispatch.blocked_hosts"])
|
99
99
|
template.render(template: "rescues/blocked_host", layout: "rescues/layout")
|
100
100
|
end
|
101
101
|
|
@@ -111,7 +111,7 @@ module ActionDispatch
|
|
111
111
|
|
112
112
|
return unless logger
|
113
113
|
|
114
|
-
logger.error("[#{self.class.name}] Blocked
|
114
|
+
logger.error("[#{self.class.name}] Blocked hosts: #{request.env["action_dispatch.blocked_hosts"].join(", ")}")
|
115
115
|
end
|
116
116
|
|
117
117
|
def available_logger(request)
|
@@ -131,21 +131,28 @@ module ActionDispatch
|
|
131
131
|
return @app.call(env) if @permissions.empty?
|
132
132
|
|
133
133
|
request = Request.new(env)
|
134
|
+
hosts = blocked_hosts(request)
|
134
135
|
|
135
|
-
if
|
136
|
+
if hosts.empty? || excluded?(request)
|
136
137
|
mark_as_authorized(request)
|
137
138
|
@app.call(env)
|
138
139
|
else
|
140
|
+
env["action_dispatch.blocked_hosts"] = hosts
|
139
141
|
@response_app.call(env)
|
140
142
|
end
|
141
143
|
end
|
142
144
|
|
143
145
|
private
|
144
|
-
def
|
146
|
+
def blocked_hosts(request)
|
147
|
+
hosts = []
|
148
|
+
|
145
149
|
origin_host = request.get_header("HTTP_HOST")
|
150
|
+
hosts << origin_host unless @permissions.allows?(origin_host)
|
151
|
+
|
146
152
|
forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
|
153
|
+
hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host)
|
147
154
|
|
148
|
-
|
155
|
+
hosts
|
149
156
|
end
|
150
157
|
|
151
158
|
def excluded?(request)
|
@@ -1,8 +1,12 @@
|
|
1
1
|
<header>
|
2
|
-
<h1>Blocked
|
2
|
+
<h1>Blocked hosts: <%= @hosts.join(", ") %></h1>
|
3
3
|
</header>
|
4
4
|
<main role="main" id="container">
|
5
|
-
<h2>To allow requests to
|
6
|
-
<pre>
|
5
|
+
<h2>To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
|
6
|
+
<pre>
|
7
|
+
<% @hosts.each do |host| %>
|
8
|
+
config.hosts << "<%= host %>"
|
9
|
+
<% end %>
|
10
|
+
</pre>
|
7
11
|
<p>For more details view: <a href="https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization">the Host Authorization guide</a></p>
|
8
12
|
</main>
|
@@ -1,7 +1,9 @@
|
|
1
|
-
Blocked
|
1
|
+
Blocked hosts: <%= @hosts.join(", ") %>
|
2
2
|
|
3
|
-
To allow requests to
|
3
|
+
To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
|
4
4
|
|
5
|
-
|
5
|
+
<% @hosts.each do |host| %>
|
6
|
+
config.hosts << "<%= host %>"
|
7
|
+
<% end %>
|
6
8
|
|
7
9
|
For more details on host authorization view: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
|
@@ -26,7 +26,7 @@ module ActionDispatch
|
|
26
26
|
yield options if block_given? && options
|
27
27
|
end
|
28
28
|
|
29
|
-
# driver_path can be configured as a proc.
|
29
|
+
# driver_path can be configured as a proc.
|
30
30
|
# proc to update web drivers. Running this proc early allows us to only
|
31
31
|
# update the webdriver once and avoid race conditions when using
|
32
32
|
# parallel tests.
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.0.
|
4
|
+
version: 7.0.8.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2024-02-21 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 7.0.
|
19
|
+
version: 7.0.8.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 7.0.
|
26
|
+
version: 7.0.8.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 7.0.
|
101
|
+
version: 7.0.8.1
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 7.0.
|
108
|
+
version: 7.0.8.1
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 7.0.
|
115
|
+
version: 7.0.8.1
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 7.0.
|
122
|
+
version: 7.0.8.1
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -310,10 +310,10 @@ licenses:
|
|
310
310
|
- MIT
|
311
311
|
metadata:
|
312
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
313
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.
|
314
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.8.1/actionpack/CHANGELOG.md
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.8.1/
|
315
315
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
316
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.8.1/actionpack
|
317
317
|
rubygems_mfa_required: 'true'
|
318
318
|
post_install_message:
|
319
319
|
rdoc_options: []
|
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
331
331
|
version: '0'
|
332
332
|
requirements:
|
333
333
|
- none
|
334
|
-
rubygems_version: 3.
|
334
|
+
rubygems_version: 3.2.22
|
335
335
|
signing_key:
|
336
336
|
specification_version: 4
|
337
337
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|