actionpack 7.1.2 → 7.1.3.4



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 27b3fee0fa041bb5e11a19926a50910131e2a8e9f52678491f97626d28272f08
4
- data.tar.gz: 6e7c091c13209ba730de05b35472f5f5af601506ed0a8c27b43ca9a64ee2a73a
3
+ metadata.gz: b8322f0e0b03702b4d77eacd0f77ddc0d0578389b0f9ae056338c97ce3239aa8
4
+ data.tar.gz: 04614dea6d1bab93cb2a21289272b0ee1a2705355ad260ea9be1a8c069f3c92a
5
5
  SHA512:
6
- metadata.gz: 57adb80fbb5071d15c3a89d9086ca18fe353168e5f06e8341815f124a1aaca6e6206443de95c3391ce9b5992313e20517c52bf44450dd03884e6ab084e33ec30
7
- data.tar.gz: 309e1889aa0d61b31caf0f9aff3262480c5cca3b2b08bae86c6632b6cf500fabd9618768326594fffc52fa1ebab93aa1ad8629bc9ce8ca449780f35ca842fcb7
6
+ metadata.gz: a36e9f99ced3f948578e34fc8f32fc1699e39c465374b875c4c987bbc27155bd1f57cb21a6cb92745125cb0bd0c0200ee0e8f2c5942cb008b302a054d1d65fc3
7
+ data.tar.gz: ed0ce501cbff0a1c315a583b369401d47b7cb2e36300d4a0470cad9366df85cf5dc449e5ef3472170dea52e7837e16d80d2b1ab80189a4818f3f28bdcf85233c
data/CHANGELOG.md CHANGED
@@ -1,3 +1,42 @@
1
+ ## Rails 7.1.3.4 (June 04, 2024) ##
2
+
3
+ * Include the HTTP Permissions-Policy on non-HTML Content-Types
4
+ [CVE-2024-28103]
5
+
6
+
7
+ ## Rails 7.1.3.3 (May 16, 2024) ##
8
+
9
+ * No changes.
10
+
11
+
12
+ ## Rails 7.1.3.2 (February 21, 2024) ##
13
+
14
+ * Fix `raise_on_missing_translations` not working correctly with the
15
+ `translate` method in controllers after the patch for CVE-2024-26143.
16
+
17
+ ## Rails 7.1.3.1 (February 21, 2024) ##
18
+
19
+ * Fix possible XSS vulnerability with the `translate` method in controllers
20
+
21
+ CVE-2024-26143
22
+
23
+ * Fix ReDoS in Accept header parsing
24
+
25
+ CVE-2024-26142
26
+
27
+ ## Rails 7.1.3 (January 16, 2024) ##
28
+
29
+ * Fix including `Rails.application.routes.url_helpers` directly in an
30
+ `ActiveSupport::Concern.`
31
+
32
+ *Jonathan Hefner*
33
+
34
+ * Fix system tests when using a Chrome binary that has been downloaded by
35
+ Selenium.
36
+
37
+ *Jonathan Hefner*
38
+
39
+
1
40
  ## Rails 7.1.2 (November 10, 2023) ##
2
41
 
3
42
  * Fix a race condition that could cause a `Text file busy - chromedriver`
@@ -21,6 +21,13 @@ module AbstractController
21
21
  key = "#{path}.#{action_name}#{key}"
22
22
  end
23
23
 
24
+ if options[:default]
25
+ options[:default] = [options[:default]] unless options[:default].is_a?(Array)
26
+ options[:default] = options[:default].map do |value|
27
+ value.is_a?(String) ? ERB::Util.html_escape(value) : value
28
+ end
29
+ end
30
+
24
31
  ActiveSupport::HtmlSafeTranslation.translate(key, **options)
25
32
  end
26
33
  alias :t :translate
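Review bot: The html-escape in the new `if options[:default]` block runs for every `:default` String no matter what key is being translated, so a call like `t("label", default: "Tom & Jerry")` whose result goes into JSON or a plain-text mail now carries `Tom &amp; Jerry`; if `ActiveSupport::HtmlSafeTranslation` exposes its `_html`-key predicate, gating the block on it would confine the change to the HTML path, and if it does not, the trade-off deserves a comment. Nothing says why the escape exists either; I would add above the block `# Escape String defaults before they reach the html-safe translation path so a caller-supplied default cannot inject markup (CVE-2024-26143)`. Non-String values (Symbols, Procs) pass through untouched, which looks deliberate because Symbol defaults are resolved as further keys, but a short note saying so would save the next reader a question. `translate`'s definition starts before the hunk.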
@@ -72,7 +72,7 @@ module ActionController
72
72
  #
73
73
  # will try to check if +Admin::User+ or +User+ model exists, and use it to
74
74
  # determine the wrapper key respectively. If both models don't exist,
75
- # it will then fallback to use +user+ as the key.
75
+ # it will then fall back to use +user+ as the key.
76
76
  #
77
77
  # To disable this functionality for a controller:
78
78
  #
@@ -154,7 +154,7 @@ module ActionController
154
154
  public :_compute_redirect_to_location
155
155
 
156
156
  # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
157
- # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
157
+ # Useful to wrap a params provided redirect URL and fall back to an alternate URL to redirect to:
158
158
  #
159
159
  # redirect_to url_from(params[:redirect_url]) || root_url
160
160
  #
@@ -132,7 +132,7 @@ module ActionDispatch
132
132
  # Sets the \formats by string extensions. This differs from #format= by allowing you
133
133
  # to set multiple, ordered formats, which is useful when you want to have a fallback.
134
134
  #
135
- # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
135
+ # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
136
136
  # to the +:html+ format.
137
137
  #
138
138
  # class ApplicationController < ActionController::Base
@@ -154,7 +154,7 @@ module Mime
154
154
  TRAILING_STAR_REGEXP = /^(text|application)\/\*/
155
155
  # all media-type parameters need to be before the q-parameter
156
156
  # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
157
- PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
157
+ PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
158
158
  ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
159
159
 
160
160
  def register_callback(&block)
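Review bot: The rewritten `PARAMETER_SEPARATOR_REGEXP` drops the leading `\s*` but leaves no record of why, and this constant is matched against an attacker-controlled `Accept` header, so the reason matters to whoever is next tempted to restore the whitespace tolerance. I would add above it `# No leading \s*: a long run of spaces before ";q=" made the old pattern backtrack quadratically (CVE-2024-26142); callers strip whitespace around the split instead.` The remaining `\s*` sits behind a literal `;`, so its work is presumably bounded by the number of semicolons rather than the header length. `ACCEPT_HEADER_REGEXP` on the next line has disjoint alternatives (`[^,"]` versus a quoted run) and does not look ambiguous, but since it is in the same hot path it is worth confirming with a long input containing an unterminated quote.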
@@ -193,7 +193,7 @@ module Mime
193
193
  def parse(accept_header)
194
194
  if !accept_header.include?(",")
195
195
  if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
196
- accept_header = accept_header[0, index]
196
+ accept_header = accept_header[0, index].strip
197
197
  end
198
198
  return [] if accept_header.blank?
199
199
  parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
@@ -35,7 +35,6 @@ module ActionDispatch # :nodoc:
35
35
  def call(env)
36
36
  _, headers, _ = response = @app.call(env)
37
37
 
38
- return response unless html_response?(headers)
39
38
  return response if policy_present?(headers)
40
39
 
41
40
  request = ActionDispatch::Request.new(env)
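Review bot: With the `html_response?` gate removed the policy header is now set on every response, yet nothing in `call` records that this is intentional, and the old gate is exactly the kind of thing a later maintainer reintroduces as an optimisation. I would add above the `policy_present?` check `# Do not gate on Content-Type: a browser may render a non-HTML body (e.g. SVG) as a document, so every response needs the header (CVE-2024-28103).` The `policy_present?` early return still lets an explicitly set header win, so applications that set their own policy per response keep that behaviour. The remainder of `call`, where the request-derived policy is built and written, runs past the end of the hunk, so I could not confirm whether it short-circuits when no policy is configured; if it does not, every non-HTML response now pays for `ActionDispatch::Request.new(env)`.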
@@ -52,12 +51,6 @@ module ActionDispatch # :nodoc:
52
51
  end
53
52
 
54
53
  private
55
- def html_response?(headers)
56
- if content_type = headers[Rack::CONTENT_TYPE]
57
- content_type.include?("html")
58
- end
59
- end
60
-
61
54
  def policy_present?(headers)
62
55
  headers[ActionDispatch::Constants::FEATURE_POLICY]
63
56
  end
@@ -85,7 +78,7 @@ module ActionDispatch # :nodoc:
85
78
  }.freeze
86
79
 
87
80
  # List of available permissions can be found at
88
- # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
81
+ # https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
89
82
  DIRECTIVES = {
90
83
  accelerometer: "accelerometer",
91
84
  ambient_light_sensor: "ambient-light-sensor",
@@ -201,7 +201,7 @@ module ActionDispatch
201
201
  # more information.
202
202
  #
203
203
  # For debugging purposes, when called with arguments this method will
204
- # fallback to Object#method
204
+ # fall back to Object#method
205
205
  def method(*args)
206
206
  if args.empty?
207
207
  @method ||= check_method(
@@ -4,7 +4,7 @@ module ActionDispatch
4
4
  # = Action Dispatch \AssumeSSL
5
5
  #
6
6
  # When proxying through a load balancer that terminates SSL, the forwarded request will appear
7
- # as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
7
+ # as though it's HTTP instead of HTTPS to the application. This makes redirects and cookie
8
8
  # security target HTTP instead of HTTPS. This middleware makes the server assume that the
9
9
  # proxy already terminated SSL, and that the request really is HTTPS.
10
10
  class AssumeSSL
@@ -248,7 +248,7 @@ module ActionDispatch
248
248
  end
249
249
 
250
250
  def spot(exc)
251
- if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location)
251
+ if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location) && __getobj__.is_a?(Thread::Backtrace::Location)
252
252
  location = @template.spot(__getobj__)
253
253
  else
254
254
  location = super
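Review bot: The new `__getobj__.is_a?(Thread::Backtrace::Location)` guard in `spot` has no comment saying what it protects against, and the reason is not obvious from the line itself. Presumably `@template.spot`, via `node_id_for_backtrace_location`, only accepts a real `Thread::Backtrace::Location` and the wrapped object can be something else (the change elsewhere in this release that unwraps nested delegators before building a `SourceMapLocation` suggests a delegator was being passed in); if that is right, a comment such as `# RubyVM needs a real Backtrace::Location; anything else falls back to the plain spot` would carry it. A class check is defensible here because the underlying API is a C-level one that cannot be duck-typed. The `else` branch of `spot` is inside the hunk, but the enclosing class begins outside it.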
@@ -273,7 +273,12 @@ module ActionDispatch
273
273
 
274
274
  (@exception.backtrace_locations || []).map do |loc|
275
275
  if built_methods.key?(loc.label.to_s)
276
- SourceMapLocation.new(loc, built_methods[loc.label.to_s])
276
+ thread_backtrace_location = if loc.respond_to?(:__getobj__)
277
+ loc.__getobj__
278
+ else
279
+ loc
280
+ end
281
+ SourceMapLocation.new(thread_backtrace_location, built_methods[loc.label.to_s])
277
282
  else
278
283
  loc
279
284
  end
@@ -217,9 +217,16 @@ module ActionDispatch
217
217
  if to.respond_to?(:action) || to.respond_to?(:call)
218
218
  options
219
219
  else
220
- to_endpoint = split_to to
221
- controller = to_endpoint[0] || default_controller
222
- action = to_endpoint[1] || default_action
220
+ if to.nil?
221
+ controller = default_controller
222
+ action = default_action
223
+ elsif to.is_a?(String) && to.include?("#")
224
+ to_endpoint = to.split("#").map!(&:-@)
225
+ controller = to_endpoint[0]
226
+ action = to_endpoint[1]
227
+ else
228
+ raise ArgumentError, ":to must respond to `action` or `call`, or it must be a String that includes '#'"
229
+ end
223
230
 
224
231
  controller = add_controller_module(controller, modyoule)
225
232
 
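Review bot: The new `raise ArgumentError` branch rejects a Symbol `to:` value (for example `to: :list`) that the old `split_to` tolerated by falling through to `default_controller`/`default_action`, but the message only mentions Strings, so a caller hitting it gets no hint that the accepted type narrowed; the routing docs elsewhere in this release move from `to: :list` to `'path' => :list`, which reads as the intended replacement, so naming the offending value would help: `raise ArgumentError, ":to must respond to #action or #call, or be a 'controller#action' String (got #{to.inspect})"`. The inlined `to.split("#")` keeps the old behaviour of silently dropping anything after a second `#` and yielding an empty controller for `"#action"`; `to.split("#", 2)` plus a blank check would make both fail loudly, if no existing routes rely on them. The enclosing method starts before the hunk and its `add_controller_module` call continues after it.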
@@ -308,14 +315,6 @@ module ActionDispatch
308
315
  hash
309
316
  end
310
317
 
311
- def split_to(to)
312
- if to&.include?("#")
313
- to.split("#").map!(&:-@)
314
- else
315
- []
316
- end
317
- end
318
-
319
318
  def add_controller_module(controller, modyoule)
320
319
  if modyoule && !controller.is_a?(Regexp)
321
320
  if controller&.start_with?("/")
@@ -603,7 +603,7 @@ module ActionDispatch
603
603
  # `included` block is run only for the initial inclusion of each copy.
604
604
  def self.included(base)
605
605
  super
606
- if !base._routes.equal?(@_proxy._routes)
606
+ if base.respond_to?(:_routes) && !base._routes.equal?(@_proxy._routes)
607
607
  @dup_for_reinclude ||= self.dup
608
608
  base.include @dup_for_reinclude
609
609
  end
@@ -29,23 +29,18 @@ module ActionDispatch
29
29
 
30
30
  def method_missing(method, *args)
31
31
  if @helpers.respond_to?(method)
32
- instance_eval <<-RUBY, __FILE__, __LINE__ + 1
33
- def #{method}(*args)
34
- options = args.extract_options!
35
- options = url_options.merge((options || {}).symbolize_keys)
32
+ options = args.extract_options!
33
+ options = url_options.merge((options || {}).symbolize_keys)
36
34
 
37
- if @script_namer
38
- options[:script_name] = merge_script_names(
39
- options[:script_name],
40
- @script_namer.call(options)
41
- )
42
- end
35
+ if @script_namer
36
+ options[:script_name] = merge_script_names(
37
+ options[:script_name],
38
+ @script_namer.call(options)
39
+ )
40
+ end
43
41
 
44
- args << options
45
- @helpers.#{method}(*args)
46
- end
47
- RUBY
48
- public_send(method, *args)
42
+ args << options
43
+ @helpers.public_send(method, *args)
49
44
  else
50
45
  super
51
46
  end
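Review bot: Nothing in the rewritten `method_missing` records why the per-method `instance_eval` definition was replaced by a plain `@helpers.public_send` on every call, and a reader may reintroduce the generated method for speed; the new form is the safer one (no string-built source, and `public_send` respects the helper's visibility), so I would say so above the `options = args.extract_options!` line: `# Delegate on every call rather than defining a method from generated source; public_send keeps the helper's visibility rules`. Because every helper call now goes through `method_missing`, `respond_to_missing?` should mirror the `@helpers.respond_to?(method)` test so `respond_to?` and `method(...)` on the proxy keep working; I cannot see from the hunk whether it is already defined. The enclosing class continues outside the hunk.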
@@ -117,9 +117,9 @@ module ActionDispatch
117
117
  #
118
118
  # # In config/routes.rb
119
119
  # controller :blog do
120
- # get 'blog/show', to: :list
121
- # get 'blog/delete', to: :delete
122
- # get 'blog/edit', to: :edit
120
+ # get 'blog/show' => :list
121
+ # get 'blog/delete' => :delete
122
+ # get 'blog/edit' => :edit
123
123
  # end
124
124
  #
125
125
  # # provides named routes for show, delete, and edit
@@ -238,7 +238,7 @@ module ActionDispatch
238
238
  #
239
239
  # == View a list of all your routes
240
240
  #
241
- # bin/rails routes
241
+ # $ bin/rails routes
242
242
  #
243
243
  # Target a specific controller with <tt>-c</tt>, or grep routes
244
244
  # using <tt>-g</tt>. Useful in conjunction with <tt>--expanded</tt>
@@ -3,7 +3,7 @@
3
3
  module ActionDispatch
4
4
  module SystemTesting
5
5
  class Browser # :nodoc:
6
- attr_reader :name, :options
6
+ attr_reader :name
7
7
 
8
8
  def initialize(name)
9
9
  @name = name
@@ -21,9 +21,18 @@ module ActionDispatch
21
21
  end
22
22
  end
23
23
 
24
+ def options
25
+ @options ||=
26
+ case type
27
+ when :chrome
28
+ ::Selenium::WebDriver::Chrome::Options.new
29
+ when :firefox
30
+ ::Selenium::WebDriver::Firefox::Options.new
31
+ end
32
+ end
33
+
24
34
  def configure
25
- initialize_options
26
- yield options if block_given? && options
35
+ yield options if block_given?
27
36
  end
28
37
 
29
38
  # driver_path is lazily initialized by default. Eagerly set it to
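Review bot: `configure` now yields the result of `options` unconditionally, whereas the old `yield options if block_given? && options` skipped the block when no options object exists; `options` still returns nil when `type` is neither `:chrome` nor `:firefox`, so a `driven_by` block written for another browser would now receive nil and fail on its first method call. Restoring the guard, `yield options if block_given? && options`, keeps the old contract; alternatively `options` could raise a clear error for unsupported types. `type` is defined outside the hunk, so whether nil is actually reachable depends on that case statement. The memoised public `options` itself reads fine — it lets `resolve_driver_path` share the instance the block mutated, which I take to be the point of the change.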
@@ -38,16 +47,6 @@ module ActionDispatch
38
47
  end
39
48
 
40
49
  private
41
- def initialize_options
42
- @options ||=
43
- case type
44
- when :chrome
45
- ::Selenium::WebDriver::Chrome::Options.new
46
- when :firefox
47
- ::Selenium::WebDriver::Firefox::Options.new
48
- end
49
- end
50
-
51
50
  def set_default_options
52
51
  case name
53
52
  when :headless_chrome
@@ -71,10 +70,7 @@ module ActionDispatch
71
70
  end
72
71
 
73
72
  def resolve_driver_path(namespace)
74
- namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(
75
- options || namespace::Options.new,
76
- namespace::Service
77
- )
73
+ namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(options, namespace::Service)
78
74
  end
79
75
  end
80
76
  end
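Review bot: The collapsed `resolve_driver_path` passes `options` straight into `DriverFinder.path`, dropping the old `|| namespace::Options.new` fallback; `options` is nil for any type other than `:chrome`/`:firefox`, so if this method can be reached for another namespace the finder now receives nil where it previously got a fresh options object. If the callers (outside the hunk) only invoke it for Chrome and Firefox this is harmless, but keeping `options || namespace::Options.new` costs one expression and documents the assumption. Either way a comment such as `# options is memoised, so the driver path is resolved against the object the configure block customised` would explain why the fallback was considered removable.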
@@ -36,7 +36,7 @@ module ActionDispatch
36
36
 
37
37
  private
38
38
  def code_from_name(name)
39
- GENERIC_RESPONSE_CODES[name] || Rack::Utils::SYMBOL_TO_STATUS_CODE[name]
39
+ GENERIC_RESPONSE_CODES[name] || Rack::Utils.status_code(name)
40
40
  end
41
41
 
42
42
  def name_from_code(code)
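Review bot: Switching `code_from_name` from a `SYMBOL_TO_STATUS_CODE[name]` lookup to `Rack::Utils.status_code(name)` changes what an unknown name does: the hash returned nil, whereas `Rack::Utils.status_code` in recent Rack raises `ArgumentError` for a symbol it does not know (the exact behaviour depends on the Rack version in use, which I cannot see here). If any caller relied on nil to build its own assertion message it now sees Rack's error instead, so a test with a bogus name is worth adding, along with a comment on the changed line such as `# Rack::Utils.status_code also accepts Integers and may raise on unknown symbols`. `name_from_code` below starts inside the hunk but ends outside it.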
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 7
11
11
  MINOR = 1
12
- TINY = 2
13
- PRE = nil
12
+ TINY = 3
13
+ PRE = "4"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.1.2
4
+ version: 7.1.3.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-11-10 00:00:00.000000000 Z
11
+ date: 2024-06-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.1.2
19
+ version: 7.1.3.4
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.1.2
26
+ version: 7.1.3.4
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: nokogiri
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
128
128
  requirements:
129
129
  - - '='
130
130
  - !ruby/object:Gem::Version
131
- version: 7.1.2
131
+ version: 7.1.3.4
132
132
  type: :runtime
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - '='
137
137
  - !ruby/object:Gem::Version
138
- version: 7.1.2
138
+ version: 7.1.3.4
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: activemodel
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
143
  - - '='
144
144
  - !ruby/object:Gem::Version
145
- version: 7.1.2
145
+ version: 7.1.3.4
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
150
  - - '='
151
151
  - !ruby/object:Gem::Version
152
- version: 7.1.2
152
+ version: 7.1.3.4
153
153
  description: Web apps on Rails. Simple, battle-tested conventions for building and
154
154
  testing MVC web applications. Works with any Rack-compatible server.
155
155
  email: david@loudthinking.com
@@ -346,10 +346,10 @@ licenses:
346
346
  - MIT
347
347
  metadata:
348
348
  bug_tracker_uri: https://github.com/rails/rails/issues
349
- changelog_uri: https://github.com/rails/rails/blob/v7.1.2/actionpack/CHANGELOG.md
350
- documentation_uri: https://api.rubyonrails.org/v7.1.2/
349
+ changelog_uri: https://github.com/rails/rails/blob/v7.1.3.4/actionpack/CHANGELOG.md
350
+ documentation_uri: https://api.rubyonrails.org/v7.1.3.4/
351
351
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
352
- source_code_uri: https://github.com/rails/rails/tree/v7.1.2/actionpack
352
+ source_code_uri: https://github.com/rails/rails/tree/v7.1.3.4/actionpack
353
353
  rubygems_mfa_required: 'true'
354
354
  post_install_message:
355
355
  rdoc_options: []
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
367
367
  version: '0'
368
368
  requirements:
369
369
  - none
370
- rubygems_version: 3.4.18
370
+ rubygems_version: 3.3.27
371
371
  signing_key:
372
372
  specification_version: 4
373
373
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).