actionpack 7.1.1 → 7.1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 01b6630f88d627d0e93a4343d0500faaff1f685bafad46d9600c44cf26d36b80
-  data.tar.gz: cc0218731130dddac745ee72dec869ba75c96820d25928728f3514069966e6da
+  metadata.gz: b8322f0e0b03702b4d77eacd0f77ddc0d0578389b0f9ae056338c97ce3239aa8
+  data.tar.gz: 04614dea6d1bab93cb2a21289272b0ee1a2705355ad260ea9be1a8c069f3c92a
 SHA512:
-  metadata.gz: 1bcfbc773c2468fe2566cc6932742492fa92d364b102d30c5807550052e0bd80268bac976925df52bb9c9e5f2c226b69188e0d16aca67637cf963058b80e17d6
-  data.tar.gz: aad1c61d934637ce06caac52edb2ab1680e55db73450033a39a625d5db5871b7030b672c0be7ae14342a07a87fa2081a84b6cf78dcdb7f2e7b583b811db8601f
+  metadata.gz: a36e9f99ced3f948578e34fc8f32fc1699e39c465374b875c4c987bbc27155bd1f57cb21a6cb92745125cb0bd0c0200ee0e8f2c5942cb008b302a054d1d65fc3
+  data.tar.gz: ed0ce501cbff0a1c315a583b369401d47b7cb2e36300d4a0470cad9366df85cf5dc449e5ef3472170dea52e7837e16d80d2b1ab80189a4818f3f28bdcf85233c

data/CHANGELOG.md

@@ -1,3 +1,65 @@
+## Rails 7.1.3.4 (June 04, 2024) ##
+
+*   Include the HTTP Permissions-Policy on non-HTML Content-Types
+    [CVE-2024-28103]
+
+
+## Rails 7.1.3.3 (May 16, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.1.3.2 (February 21, 2024) ##
+
+*   Fix `raise_on_missing_translations` not working correctly with the
+    `translate` method in controllers after the patch for CVE-2024-26143.
+
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   Fix possible XSS vulnerability with the `translate` method in controllers
+
+    CVE-2024-26143
+
+*   Fix ReDoS in Accept header parsing
+
+    CVE-2024-26142
+
+## Rails 7.1.3 (January 16, 2024) ##
+
+*   Fix including `Rails.application.routes.url_helpers` directly in an
+    `ActiveSupport::Concern.`
+
+    *Jonathan Hefner*
+
+*   Fix system tests when using a Chrome binary that has been downloaded by
+    Selenium.
+
+    *Jonathan Hefner*
+
+
+## Rails 7.1.2 (November 10, 2023) ##
+
+*   Fix a race condition that could cause a `Text file busy - chromedriver`
+    error with parallel system tests
+
+    *Matt Brictson*
+
+*   Fix `StrongParameters#extract_value` to include blank values
+
+    Otherwise composite parameters may not be parsed correctly when one of the
+    component is blank.
+
+    *fatkodima*, *Yasha Krasnou*, *Matthias Eiglsperger*
+
+*   Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
+
+    *Hartley McGuire*
+
+*   Support handling Enumerator for non-buffered responses.
+
+    *Zachary Scott*
+
+
 ## Rails 7.1.1 (October 11, 2023) ##
 
 *   No changes.

data/lib/abstract_controller/translation.rb

@@ -21,6 +21,13 @@ module AbstractController
         key = "#{path}.#{action_name}#{key}"
       end
 
+      if options[:default]
+        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+        options[:default] = options[:default].map do |value|
+          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+        end
+      end
+
       ActiveSupport::HtmlSafeTranslation.translate(key, **options)
     end
     alias :t :translate

data/lib/action_controller/metal/http_authentication.rb

@@ -21,7 +21,7 @@ module ActionController
     #     def edit
     #       render plain: "I'm only accessible if you know the password"
     #     end
-    #  end
+    #   end
     #
     # === Advanced \Basic example
     #

data/lib/action_controller/metal/params_wrapper.rb

@@ -72,7 +72,7 @@ module ActionController
   #
   # will try to check if +Admin::User+ or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
-  # it will then fallback to use +user+ as the key.
+  # it will then fall back to use +user+ as the key.
   #
   # To disable this functionality for a controller:
   #

data/lib/action_controller/metal/redirecting.rb

@@ -154,7 +154,7 @@ module ActionController
     public :_compute_redirect_to_location
 
     # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
-    # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
+    # Useful to wrap a params provided redirect URL and fall back to an alternate URL to redirect to:
     #
     #   redirect_to url_from(params[:redirect_url]) || root_url
     #

data/lib/action_controller/metal/strong_parameters.rb

@@ -967,8 +967,14 @@ module ActionController
     #   params.extract_value(:id) # => ["1", "123"]
     #   params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
     #   params.extract_value(:non_existent_key) # => nil
+    #
+    # Note that if the given +key+'s value contains blank elements, then
+    # the returned array will include empty strings.
+    #
+    #   params = ActionController::Parameters.new(tags: "ruby,rails,,web")
+    #   params.extract_value(:tags) # => ["ruby", "rails", "", "web"]
     def extract_value(key, delimiter: "_")
-      @parameters[key]&.split(delimiter)
+      @parameters[key]&.split(delimiter, -1)
     end
 
     protected

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -132,7 +132,7 @@ module ActionDispatch
       # Sets the \formats by string extensions. This differs from #format= by allowing you
       # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
-      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
+      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
       # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base

data/lib/action_dispatch/http/mime_type.rb

@@ -154,7 +154,7 @@ module Mime
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
       # all media-type parameters need to be before the q-parameter
       # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
-      PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
       ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
@@ -193,7 +193,7 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
           if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
-            accept_header = accept_header[0, index]
+            accept_header = accept_header[0, index].strip
           end
           return [] if accept_header.blank?
           parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))

data/lib/action_dispatch/http/permissions_policy.rb

@@ -35,7 +35,6 @@ module ActionDispatch # :nodoc:
       def call(env)
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         request = ActionDispatch::Request.new(env)
@@ -52,12 +51,6 @@ module ActionDispatch # :nodoc:
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[Rack::CONTENT_TYPE]
-            content_type.include?("html")
-          end
-        end
-
         def policy_present?(headers)
           headers[ActionDispatch::Constants::FEATURE_POLICY]
         end
@@ -85,7 +78,7 @@ module ActionDispatch # :nodoc:
     }.freeze
 
     # List of available permissions can be found at
-    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    # https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
     DIRECTIVES = {
       accelerometer:        "accelerometer",
       ambient_light_sensor: "ambient-light-sensor",

data/lib/action_dispatch/http/request.rb

@@ -201,7 +201,7 @@ module ActionDispatch
     # more information.
     #
     # For debugging purposes, when called with arguments this method will
-    # fallback to Object#method
+    # fall back to Object#method
     def method(*args)
       if args.empty?
         @method ||= check_method(

data/lib/action_dispatch/http/response.rb

@@ -104,7 +104,9 @@ module ActionDispatch # :nodoc:
       end
 
       def to_ary
-        @buf.to_ary
+        @buf.respond_to?(:to_ary) ?
+          @buf.to_ary :
+          @buf.each
       end
 
       def body

data/lib/action_dispatch/middleware/assume_ssl.rb

@@ -4,7 +4,7 @@ module ActionDispatch
   # = Action Dispatch \AssumeSSL
   #
   # When proxying through a load balancer that terminates SSL, the forwarded request will appear
-  # as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
+  # as though it's HTTP instead of HTTPS to the application. This makes redirects and cookie
   # security target HTTP instead of HTTPS. This middleware makes the server assume that the
   # proxy already terminated SSL, and that the request really is HTTPS.
   class AssumeSSL

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -248,7 +248,7 @@ module ActionDispatch
         end
 
         def spot(exc)
-          if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location)
+          if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location) && __getobj__.is_a?(Thread::Backtrace::Location)
             location = @template.spot(__getobj__)
           else
             location = super
@@ -273,7 +273,12 @@ module ActionDispatch
 
         (@exception.backtrace_locations || []).map do |loc|
           if built_methods.key?(loc.label.to_s)
-            SourceMapLocation.new(loc, built_methods[loc.label.to_s])
+            thread_backtrace_location = if loc.respond_to?(:__getobj__)
+              loc.__getobj__
+            else
+              loc
+            end
+            SourceMapLocation.new(thread_backtrace_location, built_methods[loc.label.to_s])
           else
             loc
           end

data/lib/action_dispatch/routing/mapper.rb

@@ -217,9 +217,16 @@ module ActionDispatch
             if to.respond_to?(:action) || to.respond_to?(:call)
               options
             else
-              to_endpoint = split_to to
-              controller  = to_endpoint[0] || default_controller
-              action      = to_endpoint[1] || default_action
+              if to.nil?
+                controller = default_controller
+                action = default_action
+              elsif to.is_a?(String) && to.include?("#")
+                to_endpoint = to.split("#").map!(&:-@)
+                controller  = to_endpoint[0]
+                action      = to_endpoint[1]
+              else
+                raise ArgumentError, ":to must respond to `action` or `call`, or it must be a String that includes '#'"
+              end
 
               controller = add_controller_module(controller, modyoule)
 
@@ -308,14 +315,6 @@ module ActionDispatch
             hash
           end
 
-          def split_to(to)
-            if to&.include?("#")
-              to.split("#").map!(&:-@)
-            else
-              []
-            end
-          end
-
           def add_controller_module(controller, modyoule)
             if modyoule && !controller.is_a?(Regexp)
               if controller&.start_with?("/")

data/lib/action_dispatch/routing/route_set.rb

@@ -603,7 +603,7 @@ module ActionDispatch
           # `included` block is run only for the initial inclusion of each copy.
           def self.included(base)
             super
-            if !base._routes.equal?(@_proxy._routes)
+            if base.respond_to?(:_routes) && !base._routes.equal?(@_proxy._routes)
               @dup_for_reinclude ||= self.dup
               base.include @dup_for_reinclude
             end

data/lib/action_dispatch/routing/routes_proxy.rb

@@ -29,23 +29,18 @@ module ActionDispatch
 
       def method_missing(method, *args)
         if @helpers.respond_to?(method)
-          instance_eval <<-RUBY, __FILE__, __LINE__ + 1
-            def #{method}(*args)
-              options = args.extract_options!
-              options = url_options.merge((options || {}).symbolize_keys)
+          options = args.extract_options!
+          options = url_options.merge((options || {}).symbolize_keys)
 
-              if @script_namer
-                options[:script_name] = merge_script_names(
-                  options[:script_name],
-                  @script_namer.call(options)
-                )
-              end
+          if @script_namer
+            options[:script_name] = merge_script_names(
+              options[:script_name],
+              @script_namer.call(options)
+            )
+          end
 
-              args << options
-              @helpers.#{method}(*args)
-            end
-          RUBY
-          public_send(method, *args)
+          args << options
+          @helpers.public_send(method, *args)
         else
           super
         end

data/lib/action_dispatch/routing.rb

@@ -117,9 +117,9 @@ module ActionDispatch
   #
   #   # In config/routes.rb
   #   controller :blog do
-  #     get 'blog/show',    to: :list
-  #     get 'blog/delete',  to: :delete
-  #     get 'blog/edit',    to: :edit
+  #     get 'blog/show'    => :list
+  #     get 'blog/delete'  => :delete
+  #     get 'blog/edit'    => :edit
   #   end
   #
   #   # provides named routes for show, delete, and edit
@@ -238,7 +238,7 @@ module ActionDispatch
   #
   # == View a list of all your routes
   #
-  #   bin/rails routes
+  #   $ bin/rails routes
   #
   # Target a specific controller with <tt>-c</tt>, or grep routes
   # using <tt>-g</tt>. Useful in conjunction with <tt>--expanded</tt>

data/lib/action_dispatch/system_testing/browser.rb

@@ -3,7 +3,7 @@
 module ActionDispatch
   module SystemTesting
     class Browser # :nodoc:
-      attr_reader :name, :options
+      attr_reader :name
 
       def initialize(name)
         @name = name
@@ -21,34 +21,32 @@ module ActionDispatch
         end
       end
 
+      def options
+        @options ||=
+          case type
+          when :chrome
+            ::Selenium::WebDriver::Chrome::Options.new
+          when :firefox
+            ::Selenium::WebDriver::Firefox::Options.new
+          end
+      end
+
       def configure
-        initialize_options
-        yield options if block_given? && options
+        yield options if block_given?
       end
 
-      # driver_path can be configured as a proc. Running this proc early allows
-      # us to only update the webdriver once and avoid race conditions when
-      # using parallel tests.
+      # driver_path is lazily initialized by default. Eagerly set it to
+      # avoid race conditions when using parallel tests.
       def preload
         case type
         when :chrome
-          ::Selenium::WebDriver::Chrome::Service.driver_path.try(:call)
+          resolve_driver_path(::Selenium::WebDriver::Chrome)
         when :firefox
-          ::Selenium::WebDriver::Firefox::Service.driver_path.try(:call)
+          resolve_driver_path(::Selenium::WebDriver::Firefox)
         end
       end
 
       private
-        def initialize_options
-          @options ||=
-            case type
-            when :chrome
-              ::Selenium::WebDriver::Chrome::Options.new
-            when :firefox
-              ::Selenium::WebDriver::Firefox::Options.new
-            end
-        end
-
         def set_default_options
           case name
           when :headless_chrome
@@ -70,6 +68,10 @@ module ActionDispatch
             capabilities.add_argument("-headless")
           end
         end
+
+        def resolve_driver_path(namespace)
+          namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(options, namespace::Service)
+        end
     end
   end
 end

data/lib/action_dispatch/testing/assertion_response.rb

@@ -36,7 +36,7 @@ module ActionDispatch
 
     private
       def code_from_name(name)
-        GENERIC_RESPONSE_CODES[name] || Rack::Utils::SYMBOL_TO_STATUS_CODE[name]
+        GENERIC_RESPONSE_CODES[name] || Rack::Utils.status_code(name)
       end
 
       def name_from_code(code)

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 1
-    TINY  = 1
-    PRE   = nil
+    TINY  = 3
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.1
+  version: 7.1.3.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-11 00:00:00.000000000 Z
+date: 2024-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.1
+        version: 7.1.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.1
+        version: 7.1.3.4
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.8.5
+- !ruby/object:Gem::Dependency
+  name: racc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -114,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.1
+        version: 7.1.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.1
+        version: 7.1.3.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.1
+        version: 7.1.3.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.1
+        version: 7.1.3.4
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -332,10 +346,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.1/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.3.4/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.3.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.3.4/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -353,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.4.18
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).