actionpack 7.0.8.3 → 7.0.8.5

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d360b26cd2791d9a49dd735c08a9459e435665c0d060105ac067a3d44053f3ec
4
- data.tar.gz: 51d45cfea83e59aaaef9dbd99aec1d2fa67dba33f301a9f8dbad380cf4c228c9
3
+ metadata.gz: 674d7ab95a19a8e20618b674de61f05a16b8525904ec04088b9e51c35ec57910
4
+ data.tar.gz: 4e118b499335d173215d2012baa270e03ba10fa683b663b25ab5e656e7d28608
5
5
  SHA512:
6
- metadata.gz: d615b9f5f1a1ce80a1c629304119a94fcb35f22d422169c63359e05b160bac887b447d241500755adb77274fd60f1926ada3ed75e43e9736a12d743ecb1463c4
7
- data.tar.gz: 8ae47c8f143a577573a7feb32e3810fc9f5b4242d70300bc1b683d7f7b227ef355ea5fd32d2f0207f4d452db55be73c0d21b4d86e96c7337e44dd2ca9ba40dfe
6
+ metadata.gz: 5df4f331a6622ab1286b48b3588f9475b7ed6132c7a6063e50306170634aba0affa2ab1401581dbbfab898553d7b92b34cb1e3987fc100a8956a2255a5cb91fa
7
+ data.tar.gz: da8be10bca3b1ec2379d39b7bcc70639621bd86c0922e4422efa76560d0de65775bd997e9b9edf00f9eb2acd9889044aaa451fa11d33f8da02982affe9c64adb
data/CHANGELOG.md CHANGED
@@ -1,3 +1,20 @@
1
+ ## Rails 7.0.8.5 (October 15, 2024) ##
2
+
3
+ * Avoid regex backtracking in HTTP Token authentication
4
+
5
+ [CVE-2024-47887]
6
+
7
+ * Avoid regex backtracking in query parameter filtering
8
+
9
+ [CVE-2024-41128]
10
+
11
+
12
+ ## Rails 7.0.8.4 (June 04, 2024) ##
13
+
14
+ * Include the HTTP Permissions-Policy on non-HTML Content-Types
15
+ [CVE-2024-28103]
16
+
17
+
1
18
  ## Rails 7.0.8.3 (May 17, 2024) ##
2
19
 
3
20
  * No changes.
@@ -506,7 +506,8 @@ module ActionController
506
506
  # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
507
507
  # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
508
508
  def raw_params(auth)
509
- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
509
+ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
510
+ _raw_params.reject!(&:empty?)
510
511
 
511
512
  if !_raw_params.first&.start_with?(TOKEN_KEY)
512
513
  _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
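Review bot: The `reject!(&:empty?)` added on new line 510 drops empty pairs that the old `split` kept between consecutive delimiters (Ruby's `split` only discards trailing empties), so a header such as `Token a=1;;b=2` now yields two pairs where it used to yield three; benign for well-formed headers, but it is a behaviour change the comment above `raw_params` does not mention. The reason for moving from the single regex to split-then-strip is also not recorded in the code, presumably because the `\s*` on either side of the interpolated delimiter pattern could backtrack on crafted input. A comment on new line 509 such as `# Split on the bare delimiter and strip afterwards: wrapping it in \s* let crafted headers trigger heavy regex backtracking (CVE-2024-47887)` would capture it. `raw_params` continues past the end of the hunk.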
@@ -58,12 +58,17 @@ module ActionDispatch
58
58
  ActiveSupport::ParameterFilter.new(filters)
59
59
  end
60
60
 
61
- KV_RE = "[^&;=]+"
62
- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
63
61
  def filtered_query_string # :doc:
64
- query_string.gsub(PAIR_RE) do |_|
65
- parameter_filter.filter($1 => $2).first.join("=")
62
+ parts = query_string.split(/([&;])/)
63
+ filtered_parts = parts.map do |part|
64
+ if part.include?("=")
65
+ key, value = part.split("=", 2)
66
+ parameter_filter.filter(key => value).first.join("=")
67
+ else
68
+ part
69
+ end
66
70
  end
71
+ filtered_parts.join("")
67
72
  end
68
73
  end
69
74
  end
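Review bot: Parts of the form `key=` now reach `parameter_filter.filter` with a nil value, because `part.split("=", 2)` on new line 65 returns a single element, whereas the removed `PAIR_RE` required at least one character on both sides of `=` and never passed such pairs to the filter. The joined output is unchanged (`["key", nil].join("=")` gives `key=`), but an application-configured proc filter that touches the value would now be called with nil for these parts — worth confirming against ActiveSupport::ParameterFilter; keeping the old contract is one line, `next part if value.nil?` right after the split. The motivation for replacing the single-regex `gsub` is also not recorded; a comment on new line 62 such as `# Split on delimiters first instead of matching pairs with one regex, which could backtrack heavily on crafted query strings (CVE-2024-41128)` would do. Note too that a value containing a further `=` (`k=a=b`) is now handed to the filter whole rather than only up to the next `=`, a sensible tightening that the CHANGELOG entry does not mention.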
@@ -37,7 +37,6 @@ module ActionDispatch # :nodoc:
37
37
  request = ActionDispatch::Request.new(env)
38
38
  _, headers, _ = response = @app.call(env)
39
39
 
40
- return response unless html_response?(headers)
41
40
  return response if policy_present?(headers)
42
41
 
43
42
  if policy = request.permissions_policy
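Review bot: With the Content-Type gate removed, nothing in `call` records why the Permissions-Policy header is now written on every response, and the `html_response?` helper deleted in the next hunk is the only trace of the old behaviour, which invites someone to re-add the check. A comment before `return response if policy_present?(headers)` such as `# Apply the policy regardless of Content-Type; gating on text/html left non-HTML responses without it (CVE-2024-28103).` would preserve the intent. `call` begins before this hunk, so its signature and any early returns above line 37 are not visible here.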
@@ -52,12 +51,6 @@ module ActionDispatch # :nodoc:
52
51
  end
53
52
 
54
53
  private
55
- def html_response?(headers)
56
- if content_type = headers[CONTENT_TYPE]
57
- /html/.match?(content_type)
58
- end
59
- end
60
-
61
54
  def policy_present?(headers)
62
55
  headers[POLICY]
63
56
  end
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 8
13
- PRE = "3"
13
+ PRE = "5"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.0.8.3
4
+ version: 7.0.8.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-05-17 00:00:00.000000000 Z
11
+ date: 2024-10-15 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.0.8.3
19
+ version: 7.0.8.5
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.0.8.3
26
+ version: 7.0.8.5
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 7.0.8.3
101
+ version: 7.0.8.5
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 7.0.8.3
108
+ version: 7.0.8.5
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 7.0.8.3
115
+ version: 7.0.8.5
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 7.0.8.3
122
+ version: 7.0.8.5
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
310
310
  - MIT
311
311
  metadata:
312
312
  bug_tracker_uri: https://github.com/rails/rails/issues
313
- changelog_uri: https://github.com/rails/rails/blob/v7.0.8.3/actionpack/CHANGELOG.md
314
- documentation_uri: https://api.rubyonrails.org/v7.0.8.3/
313
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.8.5/actionpack/CHANGELOG.md
314
+ documentation_uri: https://api.rubyonrails.org/v7.0.8.5/
315
315
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
316
- source_code_uri: https://github.com/rails/rails/tree/v7.0.8.3/actionpack
316
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.8.5/actionpack
317
317
  rubygems_mfa_required: 'true'
318
318
  post_install_message:
319
319
  rdoc_options: []
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
331
331
  version: '0'
332
332
  requirements:
333
333
  - none
334
- rubygems_version: 3.5.10
334
+ rubygems_version: 3.5.16
335
335
  signing_key:
336
336
  specification_version: 4
337
337
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).