actionpack 7.0.8.5 → 7.0.8.7

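--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 674d7ab95a19a8e20618b674de61f05a16b8525904ec04088b9e51c35ec57910
-data.tar.gz: 4e118b499335d173215d2012baa270e03ba10fa683b663b25ab5e656e7d28608
+metadata.gz: 70dee7a29aa49cddf5164963e3f5686ee864164d8fa28da67bd989d7cdebf4d4
+data.tar.gz: 7612f71cb68820c1ed4b5c0c6f620f326b30692e34bc9f835cb85c0baa5a0eb2
 SHA512:
-metadata.gz: 5df4f331a6622ab1286b48b3588f9475b7ed6132c7a6063e50306170634aba0affa2ab1401581dbbfab898553d7b92b34cb1e3987fc100a8956a2255a5cb91fa
-data.tar.gz: da8be10bca3b1ec2379d39b7bcc70639621bd86c0922e4422efa76560d0de65775bd997e9b9edf00f9eb2acd9889044aaa451fa11d33f8da02982affe9c64adb
+metadata.gz: c7b71a3f0fa3039dccac396aa80c7f765476de45c59c75a3afb4556b10b3265d80e8105139c6fc45bbfcac09dff851b16850e41e21bfb951d9bcb514ea2f0814
+data.tar.gz: 3097c2c8ad4ed6f2453f58a5b0c2587e67f120cc18ce94f8dad7ce5d1381cc6d055294a4977a65f148d2f526e188b4a4a5c14b5dde750e042b73438ec32e7674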
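--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,17 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+
+* Add validation to content security policies to disallow spaces and semicolons.
+Developers should use multiple arguments, and different directive methods instead.
+
+[CVE-2024-54133]
+
+*Gannon McGibbon*
+
+## Rails 7.0.8.6 (October 23, 2024) ##
+
+* No changes.
+
+
 ## Rails 7.0.8.5 (October 15, 2024) ##
 
 * Avoid regex backtracking in HTTP Token authentication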
@@ -22,6 +22,9 @@ module ActionDispatch # :nodoc:
22
22
  # policy.report_uri "/csp-violation-report-endpoint"
23
23
  # end
24
24
  class ContentSecurityPolicy
25
+ class InvalidDirectiveError < StandardError
26
+ end
27
+
25
28
  class Middleware
26
29
  CONTENT_TYPE = "Content-Type"
27
30
  POLICY = "Content-Security-Policy"
@@ -316,9 +319,9 @@ module ActionDispatch # :nodoc:
316
319
  @directives.map do |directive, sources|
317
320
  if sources.is_a?(Array)
318
321
  if nonce && nonce_directive?(directive, nonce_directives)
319
- "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
322
+ "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
320
323
  else
321
- "#{directive} #{build_directive(sources, context).join(' ')}"
324
+ "#{directive} #{build_directive(directive, sources, context).join(' ')}"
322
325
  end
323
326
  elsif sources
324
327
  directive
@@ -328,8 +331,22 @@ module ActionDispatch # :nodoc:
328
331
  end
329
332
  end
330
333
 
331
- def build_directive(sources, context)
332
- sources.map { |source| resolve_source(source, context) }
334
+ def validate(directive, sources)
335
+ sources.flatten.each do |source|
336
+ if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
337
+ raise InvalidDirectiveError, <<~MSG.squish
338
+ Invalid Content Security Policy #{directive}: "#{source}".
339
+ Directive values must not contain whitespace or semicolons.
340
+ Please use multiple arguments or other directive methods instead.
341
+ MSG
342
+ end
343
+ end
344
+ end
345
+
346
+ def build_directive(directive, sources, context)
347
+ resolved_sources = sources.map { |source| resolve_source(source, context) }
348
+
349
+ validate(directive, resolved_sources)
333
350
  end
334
351
 
335
352
  def resolve_source(source, context)
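Review bot: `build_directive` now returns whatever `validate` returns, and `validate` only hands back the flattened array because `Array#each` returns its receiver — the value the call sites feed to `.join(' ')` is therefore a side effect of the check, and any later edit to `validate` (returning `nil`, a boolean, or the offending source) breaks header generation rather than just the check. Make the return explicit by ending `build_directive` with `validate(directive, resolved_sources)` followed by `resolved_sources` on its own line, so `validate` can stay a pure guard. Since this runs on every request rather than once at configuration time, a rejected policy surfaces as an exception in production; a comment on `validate` such as `# Rejects values that could smuggle extra sources or directives into the header (whitespace or ';'); raised at request time, not config time` would make that trade-off visible. The `'nonce-#{nonce}'` value appended in the earlier hunk is not routed through `validate`, so it is presumably trusted to come from the configured nonce generator — worth confirming that is its only source; `resolve_source`, which determines what types reach `validate`, lies outside this hunk.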
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 8
13
- PRE = "5"
13
+ PRE = "7"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
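--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 7.0.8.5
+version: 7.0.8.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-15 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.8.5
+version: 7.0.8.7
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.8.5
+version: 7.0.8.7
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.8.5
+version: 7.0.8.7
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.8.5
+version: 7.0.8.7
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.8.5
+version: 7.0.8.7
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.8.5
+version: 7.0.8.7
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,12 +310,12 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.0.8.5/actionpack/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v7.0.8.5/
+changelog_uri: https://github.com/rails/rails/blob/v7.0.8.7/actionpack/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.0.8.7/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.0.8.5/actionpack
+source_code_uri: https://github.com/rails/rails/tree/v7.0.8.7/actionpack
 rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -331,8 +331,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
-signing_key:
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []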