actionpack 7.1.1 → 7.1.3.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 01b6630f88d627d0e93a4343d0500faaff1f685bafad46d9600c44cf26d36b80
4
- data.tar.gz: cc0218731130dddac745ee72dec869ba75c96820d25928728f3514069966e6da
3
+ metadata.gz: b8322f0e0b03702b4d77eacd0f77ddc0d0578389b0f9ae056338c97ce3239aa8
4
+ data.tar.gz: 04614dea6d1bab93cb2a21289272b0ee1a2705355ad260ea9be1a8c069f3c92a
5
5
  SHA512:
6
- metadata.gz: 1bcfbc773c2468fe2566cc6932742492fa92d364b102d30c5807550052e0bd80268bac976925df52bb9c9e5f2c226b69188e0d16aca67637cf963058b80e17d6
7
- data.tar.gz: aad1c61d934637ce06caac52edb2ab1680e55db73450033a39a625d5db5871b7030b672c0be7ae14342a07a87fa2081a84b6cf78dcdb7f2e7b583b811db8601f
6
+ metadata.gz: a36e9f99ced3f948578e34fc8f32fc1699e39c465374b875c4c987bbc27155bd1f57cb21a6cb92745125cb0bd0c0200ee0e8f2c5942cb008b302a054d1d65fc3
7
+ data.tar.gz: ed0ce501cbff0a1c315a583b369401d47b7cb2e36300d4a0470cad9366df85cf5dc449e5ef3472170dea52e7837e16d80d2b1ab80189a4818f3f28bdcf85233c
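Review bot: these SHA256/SHA512 values cover metadata.gz and data.tar.gz inside the gem archive, so a matching checksums.yaml only shows the archive is internally consistent, not that it is the artifact Rails published. When reviewing this upgrade, also compare the downloaded actionpack-7.1.3.4.gem against the checksum rubygems.org lists for that version; the metadata hunk further down still shows `cert_chain: []`, so there is no signature to fall back on.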
data/CHANGELOG.md CHANGED
@@ -1,3 +1,65 @@
1
+ ## Rails 7.1.3.4 (June 04, 2024) ##
2
+
3
+ * Include the HTTP Permissions-Policy on non-HTML Content-Types
4
+ [CVE-2024-28103]
5
+
6
+
7
+ ## Rails 7.1.3.3 (May 16, 2024) ##
8
+
9
+ * No changes.
10
+
11
+
12
+ ## Rails 7.1.3.2 (February 21, 2024) ##
13
+
14
+ * Fix `raise_on_missing_translations` not working correctly with the
15
+ `translate` method in controllers after the patch for CVE-2024-26143.
16
+
17
+ ## Rails 7.1.3.1 (February 21, 2024) ##
18
+
19
+ * Fix possible XSS vulnerability with the `translate` method in controllers
20
+
21
+ CVE-2024-26143
22
+
23
+ * Fix ReDoS in Accept header parsing
24
+
25
+ CVE-2024-26142
26
+
27
+ ## Rails 7.1.3 (January 16, 2024) ##
28
+
29
+ * Fix including `Rails.application.routes.url_helpers` directly in an
30
+ `ActiveSupport::Concern.`
31
+
32
+ *Jonathan Hefner*
33
+
34
+ * Fix system tests when using a Chrome binary that has been downloaded by
35
+ Selenium.
36
+
37
+ *Jonathan Hefner*
38
+
39
+
40
+ ## Rails 7.1.2 (November 10, 2023) ##
41
+
42
+ * Fix a race condition that could cause a `Text file busy - chromedriver`
43
+ error with parallel system tests
44
+
45
+ *Matt Brictson*
46
+
47
+ * Fix `StrongParameters#extract_value` to include blank values
48
+
49
+ Otherwise composite parameters may not be parsed correctly when one of the
50
+ component is blank.
51
+
52
+ *fatkodima*, *Yasha Krasnou*, *Matthias Eiglsperger*
53
+
54
+ * Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
55
+
56
+ *Hartley McGuire*
57
+
58
+ * Support handling Enumerator for non-buffered responses.
59
+
60
+ *Zachary Scott*
61
+
62
+
1
63
  ## Rails 7.1.1 (October 11, 2023) ##
2
64
 
3
65
  * No changes.
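Review bot: the security entries are formatted inconsistently and carry no attribution. The 7.1.3.4 entry puts the identifier in brackets on the description line (`[CVE-2024-28103]`) while the 7.1.3.1 entries give a bare `CVE-2024-26143` / `CVE-2024-26142` on a separate line, and none of the three name who reported or fixed the issue, unlike every other entry in the file; pick one form and add the attribution. Also, the 7.1.3 entry `Fix including `Rails.application.routes.url_helpers` directly in an `ActiveSupport::Concern.`` has the sentence's full stop inside the code span.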
@@ -21,6 +21,13 @@ module AbstractController
21
21
  key = "#{path}.#{action_name}#{key}"
22
22
  end
23
23
 
24
+ if options[:default]
25
+ options[:default] = [options[:default]] unless options[:default].is_a?(Array)
26
+ options[:default] = options[:default].map do |value|
27
+ value.is_a?(String) ? ERB::Util.html_escape(value) : value
28
+ end
29
+ end
30
+
24
31
  ActiveSupport::HtmlSafeTranslation.translate(key, **options)
25
32
  end
26
33
  alias :t :translate
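Review bot: the new `options[:default]` block escapes every String default unconditionally, but nothing in the hunk says why the escaping lives here rather than in `ActiveSupport::HtmlSafeTranslation.translate`, nor why Symbol defaults (which I18n treats as fallback keys) are deliberately skipped by the `value.is_a?(String)` test; add a comment referencing CVE-2024-26143 so the next reader does not "simplify" it away. That comment should also record that `ERB::Util.html_escape` returns an html_safe string and passes already-safe input through unchanged, so a default supplied as `"...".html_safe` keeps its markup and a plain-string default is not escaped a second time when the view renders the result.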
@@ -21,7 +21,7 @@ module ActionController
21
21
  # def edit
22
22
  # render plain: "I'm only accessible if you know the password"
23
23
  # end
24
- # end
24
+ # end
25
25
  #
26
26
  # === Advanced \Basic example
27
27
  #
@@ -72,7 +72,7 @@ module ActionController
72
72
  #
73
73
  # will try to check if +Admin::User+ or +User+ model exists, and use it to
74
74
  # determine the wrapper key respectively. If both models don't exist,
75
- # it will then fallback to use +user+ as the key.
75
+ # it will then fall back to use +user+ as the key.
76
76
  #
77
77
  # To disable this functionality for a controller:
78
78
  #
@@ -154,7 +154,7 @@ module ActionController
154
154
  public :_compute_redirect_to_location
155
155
 
156
156
  # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
157
- # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
157
+ # Useful to wrap a params provided redirect URL and fall back to an alternate URL to redirect to:
158
158
  #
159
159
  # redirect_to url_from(params[:redirect_url]) || root_url
160
160
  #
@@ -967,8 +967,14 @@ module ActionController
967
967
  # params.extract_value(:id) # => ["1", "123"]
968
968
  # params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
969
969
  # params.extract_value(:non_existent_key) # => nil
970
+ #
971
+ # Note that if the given +key+'s value contains blank elements, then
972
+ # the returned array will include empty strings.
973
+ #
974
+ # params = ActionController::Parameters.new(tags: "ruby,rails,,web")
975
+ # params.extract_value(:tags) # => ["ruby", "rails", "", "web"]
970
976
  def extract_value(key, delimiter: "_")
971
- @parameters[key]&.split(delimiter)
977
+ @parameters[key]&.split(delimiter, -1)
972
978
  end
973
979
 
974
980
  protected
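Review bot: `split(delimiter, -1)` also preserves a trailing empty element, so `"1_"` now yields `["1", ""]` where it used to yield `["1"]`; the added doc note only mentions interior blanks, so extend it to cover the trailing case, since callers that index into the result now see one more element. Separately, `@parameters[key]&.split(delimiter, -1)` still assumes the value is a String: an Array or Hash value raises `NoMethodError` rather than returning nil, which the `# => nil` example for a missing key may lead readers to expect.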
@@ -132,7 +132,7 @@ module ActionDispatch
132
132
  # Sets the \formats by string extensions. This differs from #format= by allowing you
133
133
  # to set multiple, ordered formats, which is useful when you want to have a fallback.
134
134
  #
135
- # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
135
+ # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
136
136
  # to the +:html+ format.
137
137
  #
138
138
  # class ApplicationController < ActionController::Base
@@ -154,7 +154,7 @@ module Mime
154
154
  TRAILING_STAR_REGEXP = /^(text|application)\/\*/
155
155
  # all media-type parameters need to be before the q-parameter
156
156
  # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
157
- PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
157
+ PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
158
158
  ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
159
159
 
160
160
  def register_callback(&block)
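Review bot: dropping the leading `\s*` from `PARAMETER_SEPARATOR_REGEXP` is the ReDoS fix the CHANGELOG files under CVE-2024-26142: with `\s*;` the engine could consume a long run of spaces at every start position, fail on `;`, and backtrack through each length before moving on, which is quadratic in the amount of whitespace, whereas the new pattern can only begin matching at a literal `;`. The whitespace the prefix used to absorb now has to be removed by the caller, which the `.strip` added to `parse` in the next hunk does, so the two hunks must land together; a regression test with an Accept header of the shape `"text/html" + " " * 10_000 + ";q=1"` would keep the prefix from coming back.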
@@ -193,7 +193,7 @@ module Mime
193
193
  def parse(accept_header)
194
194
  if !accept_header.include?(",")
195
195
  if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
196
- accept_header = accept_header[0, index]
196
+ accept_header = accept_header[0, index].strip
197
197
  end
198
198
  return [] if accept_header.blank?
199
199
  parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
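Review bot: the `.strip` only runs on the branch where a q-parameter was found (`index` non-nil); a single media type with trailing whitespace and no `;q=` still reaches `Mime::Type.lookup(accept_header)` untrimmed, exactly as before, because the old `\s*;` prefix would not have matched there either. That is fine, but a one-line comment tying this `strip` to the removal of `\s*` from `PARAMETER_SEPARATOR_REGEXP` would stop someone from treating it as dead code.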
@@ -35,7 +35,6 @@ module ActionDispatch # :nodoc:
35
35
  def call(env)
36
36
  _, headers, _ = response = @app.call(env)
37
37
 
38
- return response unless html_response?(headers)
39
38
  return response if policy_present?(headers)
40
39
 
41
40
  request = ActionDispatch::Request.new(env)
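Review bot: removing `return response unless html_response?(headers)` is the CVE-2024-28103 fix: the `Permissions-Policy` header is now added to every response that does not already carry one, regardless of `Content-Type`, so JSON, XML and redirect responses that previously went out without it are covered. Add a test asserting the header on an `application/json` response, and keep the remaining `policy_present?` early return as is, since it is the path by which an application-set header still wins.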
@@ -52,12 +51,6 @@ module ActionDispatch # :nodoc:
52
51
  end
53
52
 
54
53
  private
55
- def html_response?(headers)
56
- if content_type = headers[Rack::CONTENT_TYPE]
57
- content_type.include?("html")
58
- end
59
- end
60
-
61
54
  def policy_present?(headers)
62
55
  headers[ActionDispatch::Constants::FEATURE_POLICY]
63
56
  end
@@ -85,7 +78,7 @@ module ActionDispatch # :nodoc:
85
78
  }.freeze
86
79
 
87
80
  # List of available permissions can be found at
88
- # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
81
+ # https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
89
82
  DIRECTIVES = {
90
83
  accelerometer: "accelerometer",
91
84
  ambient_light_sensor: "ambient-light-sensor",
@@ -201,7 +201,7 @@ module ActionDispatch
201
201
  # more information.
202
202
  #
203
203
  # For debugging purposes, when called with arguments this method will
204
- # fallback to Object#method
204
+ # fall back to Object#method
205
205
  def method(*args)
206
206
  if args.empty?
207
207
  @method ||= check_method(
@@ -104,7 +104,9 @@ module ActionDispatch # :nodoc:
104
104
  end
105
105
 
106
106
  def to_ary
107
- @buf.to_ary
107
+ @buf.respond_to?(:to_ary) ?
108
+ @buf.to_ary :
109
+ @buf.each
108
110
  end
109
111
 
110
112
  def body
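Review bot: `@buf.each` called without a block returns an Enumerator, not an Array, so on the fallback branch `to_ary` no longer returns an array, which is what the method name promises and what Rack's body contract requires of anything that responds to `to_ary`. If the intent is to materialize the enumerator, `@buf.each.to_a` (or `@buf.to_a`) does that; if the intent is to leave a streaming body unbuffered, the object should not respond to `to_ary` at all rather than answer with something that is not an array. The multi-line `?`/`:` layout is also harder to read than an `if`/`else`.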
@@ -4,7 +4,7 @@ module ActionDispatch
4
4
  # = Action Dispatch \AssumeSSL
5
5
  #
6
6
  # When proxying through a load balancer that terminates SSL, the forwarded request will appear
7
- # as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
7
+ # as though it's HTTP instead of HTTPS to the application. This makes redirects and cookie
8
8
  # security target HTTP instead of HTTPS. This middleware makes the server assume that the
9
9
  # proxy already terminated SSL, and that the request really is HTTPS.
10
10
  class AssumeSSL
@@ -248,7 +248,7 @@ module ActionDispatch
248
248
  end
249
249
 
250
250
  def spot(exc)
251
- if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location)
251
+ if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location) && __getobj__.is_a?(Thread::Backtrace::Location)
252
252
  location = @template.spot(__getobj__)
253
253
  else
254
254
  location = super
@@ -273,7 +273,12 @@ module ActionDispatch
273
273
 
274
274
  (@exception.backtrace_locations || []).map do |loc|
275
275
  if built_methods.key?(loc.label.to_s)
276
- SourceMapLocation.new(loc, built_methods[loc.label.to_s])
276
+ thread_backtrace_location = if loc.respond_to?(:__getobj__)
277
+ loc.__getobj__
278
+ else
279
+ loc
280
+ end
281
+ SourceMapLocation.new(thread_backtrace_location, built_methods[loc.label.to_s])
277
282
  else
278
283
  loc
279
284
  end
@@ -217,9 +217,16 @@ module ActionDispatch
217
217
  if to.respond_to?(:action) || to.respond_to?(:call)
218
218
  options
219
219
  else
220
- to_endpoint = split_to to
221
- controller = to_endpoint[0] || default_controller
222
- action = to_endpoint[1] || default_action
220
+ if to.nil?
221
+ controller = default_controller
222
+ action = default_action
223
+ elsif to.is_a?(String) && to.include?("#")
224
+ to_endpoint = to.split("#").map!(&:-@)
225
+ controller = to_endpoint[0]
226
+ action = to_endpoint[1]
227
+ else
228
+ raise ArgumentError, ":to must respond to `action` or `call`, or it must be a String that includes '#'"
229
+ end
223
230
 
224
231
  controller = add_controller_module(controller, modyoule)
225
232
 
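Review bot: the `#` branch drops the `|| default_controller` / `|| default_action` fallbacks that `split_to` callers had, so a String like `"users#"` (`split("#")` gives `["users"]`) now produces `action = nil` where it used to get `default_action`; either restore the fallback or reject such strings explicitly. The new `else` also turns inputs that `split_to` silently mapped to `[]` (a String without `#`) into an `ArgumentError`; this hunk does not show whether such values are normalized before reaching `Mapping`, so cover the formerly accepted forms with a test and, if the error is deliberate, add a CHANGELOG line, since none of the listed entries mentions it.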
@@ -308,14 +315,6 @@ module ActionDispatch
308
315
  hash
309
316
  end
310
317
 
311
- def split_to(to)
312
- if to&.include?("#")
313
- to.split("#").map!(&:-@)
314
- else
315
- []
316
- end
317
- end
318
-
319
318
  def add_controller_module(controller, modyoule)
320
319
  if modyoule && !controller.is_a?(Regexp)
321
320
  if controller&.start_with?("/")
@@ -603,7 +603,7 @@ module ActionDispatch
603
603
  # `included` block is run only for the initial inclusion of each copy.
604
604
  def self.included(base)
605
605
  super
606
- if !base._routes.equal?(@_proxy._routes)
606
+ if base.respond_to?(:_routes) && !base._routes.equal?(@_proxy._routes)
607
607
  @dup_for_reinclude ||= self.dup
608
608
  base.include @dup_for_reinclude
609
609
  end
@@ -29,23 +29,18 @@ module ActionDispatch
29
29
 
30
30
  def method_missing(method, *args)
31
31
  if @helpers.respond_to?(method)
32
- instance_eval <<-RUBY, __FILE__, __LINE__ + 1
33
- def #{method}(*args)
34
- options = args.extract_options!
35
- options = url_options.merge((options || {}).symbolize_keys)
32
+ options = args.extract_options!
33
+ options = url_options.merge((options || {}).symbolize_keys)
36
34
 
37
- if @script_namer
38
- options[:script_name] = merge_script_names(
39
- options[:script_name],
40
- @script_namer.call(options)
41
- )
42
- end
35
+ if @script_namer
36
+ options[:script_name] = merge_script_names(
37
+ options[:script_name],
38
+ @script_namer.call(options)
39
+ )
40
+ end
43
41
 
44
- args << options
45
- @helpers.#{method}(*args)
46
- end
47
- RUBY
48
- public_send(method, *args)
42
+ args << options
43
+ @helpers.public_send(method, *args)
49
44
  else
50
45
  super
51
46
  end
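Review bot: replacing the `instance_eval <<-RUBY` string that defined a singleton method per helper name with a direct `@helpers.public_send(method, *args)` removes a code-generation path keyed on a caller-supplied method name and makes the delegation easier to audit; the trade-off is that every call now goes through `method_missing` instead of a generated method, which is acceptable for test helpers but deserves a comment. Since `@helpers.respond_to?(method)` is the gate, `public_send` is the right call (private helpers still fall through to `super`); check that `respond_to_missing?` on this object applies the same `@helpers.respond_to?(method)` test, otherwise `respond_to?` and actual dispatch disagree.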
@@ -117,9 +117,9 @@ module ActionDispatch
117
117
  #
118
118
  # # In config/routes.rb
119
119
  # controller :blog do
120
- # get 'blog/show', to: :list
121
- # get 'blog/delete', to: :delete
122
- # get 'blog/edit', to: :edit
120
+ # get 'blog/show' => :list
121
+ # get 'blog/delete' => :delete
122
+ # get 'blog/edit' => :edit
123
123
  # end
124
124
  #
125
125
  # # provides named routes for show, delete, and edit
@@ -238,7 +238,7 @@ module ActionDispatch
238
238
  #
239
239
  # == View a list of all your routes
240
240
  #
241
- # bin/rails routes
241
+ # $ bin/rails routes
242
242
  #
243
243
  # Target a specific controller with <tt>-c</tt>, or grep routes
244
244
  # using <tt>-g</tt>. Useful in conjunction with <tt>--expanded</tt>
@@ -3,7 +3,7 @@
3
3
  module ActionDispatch
4
4
  module SystemTesting
5
5
  class Browser # :nodoc:
6
- attr_reader :name, :options
6
+ attr_reader :name
7
7
 
8
8
  def initialize(name)
9
9
  @name = name
@@ -21,34 +21,32 @@ module ActionDispatch
21
21
  end
22
22
  end
23
23
 
24
+ def options
25
+ @options ||=
26
+ case type
27
+ when :chrome
28
+ ::Selenium::WebDriver::Chrome::Options.new
29
+ when :firefox
30
+ ::Selenium::WebDriver::Firefox::Options.new
31
+ end
32
+ end
33
+
24
34
  def configure
25
- initialize_options
26
- yield options if block_given? && options
35
+ yield options if block_given?
27
36
  end
28
37
 
29
- # driver_path can be configured as a proc. Running this proc early allows
30
- # us to only update the webdriver once and avoid race conditions when
31
- # using parallel tests.
38
+ # driver_path is lazily initialized by default. Eagerly set it to
39
+ # avoid race conditions when using parallel tests.
32
40
  def preload
33
41
  case type
34
42
  when :chrome
35
- ::Selenium::WebDriver::Chrome::Service.driver_path.try(:call)
43
+ resolve_driver_path(::Selenium::WebDriver::Chrome)
36
44
  when :firefox
37
- ::Selenium::WebDriver::Firefox::Service.driver_path.try(:call)
45
+ resolve_driver_path(::Selenium::WebDriver::Firefox)
38
46
  end
39
47
  end
40
48
 
41
49
  private
42
- def initialize_options
43
- @options ||=
44
- case type
45
- when :chrome
46
- ::Selenium::WebDriver::Chrome::Options.new
47
- when :firefox
48
- ::Selenium::WebDriver::Firefox::Options.new
49
- end
50
- end
51
-
52
50
  def set_default_options
53
51
  case name
54
52
  when :headless_chrome
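Review bot: `configure` previously did `yield options if block_given? && options`; it now yields whenever a block is given, and the new public `options` returns nil for any `type` other than `:chrome` or `:firefox` (the `case` has no `else`), so a configuration block for another browser type now receives nil and fails on its first method call instead of being skipped. Either keep the nil guard or return an empty options object for the other types.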
@@ -70,6 +68,10 @@ module ActionDispatch
70
68
  capabilities.add_argument("-headless")
71
69
  end
72
70
  end
71
+
72
+ def resolve_driver_path(namespace)
73
+ namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(options, namespace::Service)
74
+ end
73
75
  end
74
76
  end
75
77
  end
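Review bot: `::Selenium::WebDriver::DriverFinder.path(options, namespace::Service)` ties this code to the selenium-webdriver releases that expose `DriverFinder.path` with that signature, and none of the metadata hunks in this diff touch a selenium-webdriver constraint; confirm the declared minimum version provides it (and that newer releases have not deprecated it), or guard the call with `respond_to?` so an older driver gem degrades to the previous lazy behaviour rather than raising in `preload`.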
@@ -36,7 +36,7 @@ module ActionDispatch
36
36
 
37
37
  private
38
38
  def code_from_name(name)
39
- GENERIC_RESPONSE_CODES[name] || Rack::Utils::SYMBOL_TO_STATUS_CODE[name]
39
+ GENERIC_RESPONSE_CODES[name] || Rack::Utils.status_code(name)
40
40
  end
41
41
 
42
42
  def name_from_code(code)
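Review bot: `Rack::Utils.status_code(name)` raises `ArgumentError` for a symbol it does not recognize, whereas the old `SYMBOL_TO_STATUS_CODE[name]` returned nil and left the miss to the caller; any caller that relied on nil now gets an exception. Add a test for an unknown symbol, and a comment stating that the switch is there so Rack applies its own symbol aliases and deprecations in one place, since `GENERIC_RESPONSE_CODES[name] || ...` otherwise reads as a plain lookup.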
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 7
11
11
  MINOR = 1
12
- TINY = 1
13
- PRE = nil
12
+ TINY = 3
13
+ PRE = "4"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.1.1
4
+ version: 7.1.3.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-10-11 00:00:00.000000000 Z
11
+ date: 2024-06-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.1.1
19
+ version: 7.1.3.4
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.1.1
26
+ version: 7.1.3.4
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: nokogiri
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -38,6 +38,20 @@ dependencies:
38
38
  - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: 1.8.5
41
+ - !ruby/object:Gem::Dependency
42
+ name: racc
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - ">="
46
+ - !ruby/object:Gem::Version
47
+ version: '0'
48
+ type: :runtime
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - ">="
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
41
55
  - !ruby/object:Gem::Dependency
42
56
  name: rack
43
57
  requirement: !ruby/object:Gem::Requirement
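Review bot: `racc` is added with an unbounded `>= 0` constraint (`version: '0'`), looser than every other dependency shown in this diff; since the CHANGELOG says it is added because racc becomes a bundled gem in Ruby 3.4, give it at least a major-version bound (for example `~> 1.4`) so a resolver cannot pull in an incompatible future release.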
@@ -114,28 +128,28 @@ dependencies:
114
128
  requirements:
115
129
  - - '='
116
130
  - !ruby/object:Gem::Version
117
- version: 7.1.1
131
+ version: 7.1.3.4
118
132
  type: :runtime
119
133
  prerelease: false
120
134
  version_requirements: !ruby/object:Gem::Requirement
121
135
  requirements:
122
136
  - - '='
123
137
  - !ruby/object:Gem::Version
124
- version: 7.1.1
138
+ version: 7.1.3.4
125
139
  - !ruby/object:Gem::Dependency
126
140
  name: activemodel
127
141
  requirement: !ruby/object:Gem::Requirement
128
142
  requirements:
129
143
  - - '='
130
144
  - !ruby/object:Gem::Version
131
- version: 7.1.1
145
+ version: 7.1.3.4
132
146
  type: :development
133
147
  prerelease: false
134
148
  version_requirements: !ruby/object:Gem::Requirement
135
149
  requirements:
136
150
  - - '='
137
151
  - !ruby/object:Gem::Version
138
- version: 7.1.1
152
+ version: 7.1.3.4
139
153
  description: Web apps on Rails. Simple, battle-tested conventions for building and
140
154
  testing MVC web applications. Works with any Rack-compatible server.
141
155
  email: david@loudthinking.com
@@ -332,10 +346,10 @@ licenses:
332
346
  - MIT
333
347
  metadata:
334
348
  bug_tracker_uri: https://github.com/rails/rails/issues
335
- changelog_uri: https://github.com/rails/rails/blob/v7.1.1/actionpack/CHANGELOG.md
336
- documentation_uri: https://api.rubyonrails.org/v7.1.1/
349
+ changelog_uri: https://github.com/rails/rails/blob/v7.1.3.4/actionpack/CHANGELOG.md
350
+ documentation_uri: https://api.rubyonrails.org/v7.1.3.4/
337
351
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
338
- source_code_uri: https://github.com/rails/rails/tree/v7.1.1/actionpack
352
+ source_code_uri: https://github.com/rails/rails/tree/v7.1.3.4/actionpack
339
353
  rubygems_mfa_required: 'true'
340
354
  post_install_message:
341
355
  rdoc_options: []
@@ -353,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
353
367
  version: '0'
354
368
  requirements:
355
369
  - none
356
- rubygems_version: 3.4.18
370
+ rubygems_version: 3.3.27
357
371
  signing_key:
358
372
  specification_version: 4
359
373
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
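Review bot: `rubygems_version` goes backwards from 3.4.18 to 3.3.27, so 7.1.3.4 was packaged with an older RubyGems than 7.1.1. That is harmless for consumers, but with `cert_chain: []` the metadata is the only build-provenance signal in the gem, so it is worth confirming the release was built in the expected CI environment rather than on an ad-hoc machine.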