actionpack 7.0.7.2 → 7.0.8

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: fd2e9bc8b51e86e7538c9564e71f9c5024ab9834ed1151a71d98a3c686a7d09c
4
- data.tar.gz: 8ac9abcf1b44d21cf12ca2bb24de509df8c0eba9ad5357a49aafeaa955e2cb41
3
+ metadata.gz: 554db7a8936fc5a1d81baf26f67a4d031f2e7b3c01022695ae842c4a06aa3085
4
+ data.tar.gz: ceb0aad8f1a9abb47bf6bdc79740dc772cbbbd5d06513f9b19e3dae9d77f1c3b
5
5
  SHA512:
6
- metadata.gz: 597c57857dc5aeb0384a51124b731ae98a281244afd93cc77945ce4205837709a22f6f46c790aa354ac18e090335ac497e417915ff0102fc1cc20d28d1d7fb7a
7
- data.tar.gz: 63f69eab7d6302ffdcbfb882f9d8420591b8cbfcf0d970facd534f5abceb8c9f0d84babd023a78ca561156a3f18a5caa7fbfd8727075d0581bf176734e8766fb
6
+ metadata.gz: d6a7fcc80e5f12c8eac3ba474094cf9087049389793f2953e49d25b3519637329bf8ab440e2af2c8427acbf79d1b6e67204e1e907cc8d9ce3bc7ab9ff65e5e89
7
+ data.tar.gz: dfed11835f0aa991c57841aba4ae0a1def553bf086de35bc86db01f2b4424cb9d29823fff6f07ad2fabcc7cc15d752cf7c8b488cf4bf48300ca338e56c8abe2c
data/CHANGELOG.md CHANGED
@@ -1,3 +1,11 @@
1
+ ## Rails 7.0.8 (September 09, 2023) ##
2
+
3
+ * Fix `HostAuthorization` potentially displaying the value of the
4
+ X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
5
+
6
+ *Hartley McGuire*, *Daniel Schlosser*
7
+
8
+
1
9
  ## Rails 7.0.7.2 (August 22, 2023) ##
2
10
 
3
11
  * No changes.
@@ -95,7 +95,7 @@ module ActionDispatch
95
95
  def response_body(request)
96
96
  return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
97
97
 
98
- template = DebugView.new(host: request.host)
98
+ template = DebugView.new(hosts: request.env["action_dispatch.blocked_hosts"])
99
99
  template.render(template: "rescues/blocked_host", layout: "rescues/layout")
100
100
  end
101
101
 
@@ -111,7 +111,7 @@ module ActionDispatch
111
111
 
112
112
  return unless logger
113
113
 
114
- logger.error("[#{self.class.name}] Blocked host: #{request.host}")
114
+ logger.error("[#{self.class.name}] Blocked hosts: #{request.env["action_dispatch.blocked_hosts"].join(", ")}")
115
115
  end
116
116
 
117
117
  def available_logger(request)
@@ -131,21 +131,28 @@ module ActionDispatch
131
131
  return @app.call(env) if @permissions.empty?
132
132
 
133
133
  request = Request.new(env)
134
+ hosts = blocked_hosts(request)
134
135
 
135
- if authorized?(request) || excluded?(request)
136
+ if hosts.empty? || excluded?(request)
136
137
  mark_as_authorized(request)
137
138
  @app.call(env)
138
139
  else
140
+ env["action_dispatch.blocked_hosts"] = hosts
139
141
  @response_app.call(env)
140
142
  end
141
143
  end
142
144
 
143
145
  private
144
- def authorized?(request)
146
+ def blocked_hosts(request)
147
+ hosts = []
148
+
145
149
  origin_host = request.get_header("HTTP_HOST")
150
+ hosts << origin_host unless @permissions.allows?(origin_host)
151
+
146
152
  forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
153
+ hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host)
147
154
 
148
- @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
155
+ hosts
149
156
  end
150
157
 
151
158
  def excluded?(request)
@@ -1,8 +1,12 @@
1
1
  <header>
2
- <h1>Blocked host: <%= @host %></h1>
2
+ <h1>Blocked hosts: <%= @hosts.join(", ") %></h1>
3
3
  </header>
4
4
  <main role="main" id="container">
5
- <h2>To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
6
- <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
5
+ <h2>To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
6
+ <pre>
7
+ <% @hosts.each do |host| %>
8
+ config.hosts &lt;&lt; "<%= host %>"
9
+ <% end %>
10
+ </pre>
7
11
  <p>For more details view: <a href="https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization">the Host Authorization guide</a></p>
8
12
  </main>
@@ -1,7 +1,9 @@
1
- Blocked host: <%= @host %>
1
+ Blocked hosts: <%= @hosts.join(", ") %>
2
2
 
3
- To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
3
+ To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
4
4
 
5
- config.hosts << "<%= @host %>"
5
+ <% @hosts.each do |host| %>
6
+ config.hosts << "<%= host %>"
7
+ <% end %>
6
8
 
7
9
  For more details on host authorization view: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
@@ -26,7 +26,7 @@ module ActionDispatch
26
26
  yield options if block_given? && options
27
27
  end
28
28
 
29
- # driver_path can be configured as a proc. The webdrivers gem uses this
29
+ # driver_path can be configured as a proc.
30
30
  # proc to update web drivers. Running this proc early allows us to only
31
31
  # update the webdriver once and avoid race conditions when using
32
32
  # parallel tests.
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
- TINY = 7
13
- PRE = "2"
12
+ TINY = 8
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.0.7.2
4
+ version: 7.0.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-08-22 00:00:00.000000000 Z
11
+ date: 2023-09-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.0.7.2
19
+ version: 7.0.8
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.0.7.2
26
+ version: 7.0.8
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 7.0.7.2
101
+ version: 7.0.8
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 7.0.7.2
108
+ version: 7.0.8
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 7.0.7.2
115
+ version: 7.0.8
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 7.0.7.2
122
+ version: 7.0.8
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
310
310
  - MIT
311
311
  metadata:
312
312
  bug_tracker_uri: https://github.com/rails/rails/issues
313
- changelog_uri: https://github.com/rails/rails/blob/v7.0.7.2/actionpack/CHANGELOG.md
314
- documentation_uri: https://api.rubyonrails.org/v7.0.7.2/
313
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.8/actionpack/CHANGELOG.md
314
+ documentation_uri: https://api.rubyonrails.org/v7.0.8/
315
315
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
316
- source_code_uri: https://github.com/rails/rails/tree/v7.0.7.2/actionpack
316
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.8/actionpack
317
317
  rubygems_mfa_required: 'true'
318
318
  post_install_message:
319
319
  rdoc_options: []
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
331
331
  version: '0'
332
332
  requirements:
333
333
  - none
334
- rubygems_version: 3.3.3
334
+ rubygems_version: 3.4.18
335
335
  signing_key:
336
336
  specification_version: 4
337
337
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).