actionpack 7.1.3 → 7.1.3.1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: de4819157bf6728b24500c2db2354312b383c5d04ed7edfc67de1b0d9ae08e26
4
- data.tar.gz: a4b48135c65dcdcdd0cc894ac01cdfd1fbd9f9b57e51382eb9d80cc75070db41
3
+ metadata.gz: 1b62aeaa57b9cd75f878c9fc01bfb6ea6212efb204b11333d90f612e1c00bfda
4
+ data.tar.gz: 0b92927142cc52e79ba1e16d8b8ba3dbceb9906978ff0d9292835110c08f6637
5
5
  SHA512:
6
- metadata.gz: 5fb18f6b0ce92516d38626afcc5e452f27dcf8746c438d5e1e1c50dfea042e01a752648adf9cf661d6c9e9799f180ef59e960db9a069975142e6dbc849007623
7
- data.tar.gz: f02bb9ff5739b77a8e2eb4d15e1fcccaf8d0e3b5f0954a5bd5acdb656ec7abd2cf828d42410592b33d7a6147fc11e728ef0b0560a29ff26c900f8b3eb889e10c
6
+ metadata.gz: abcb6dd57c8fea664f4a8c8f9124e48188e4d9042620096a877b9b55d7f20c64ee38a4c9b18435add3c81929884f666651befd678aa109760c42d8f03605888a
7
+ data.tar.gz: 715bbae4ea354077bd17c50ffcab9916278d245861e34913b8ee457eccb6aefd685474720accc4413b5b7eabb7e62e1b0c8abb336e93854fc244abef2b2833f3
data/CHANGELOG.md CHANGED
@@ -1,3 +1,13 @@
1
+ ## Rails 7.1.3.1 (February 21, 2024) ##
2
+
3
+ * Fix possible XSS vulnerability with the `translate` method in controllers
4
+
5
+ CVE-2024-26143
6
+
7
+ * Fix ReDoS in Accept header parsing
8
+
9
+ CVE-2024-26142
10
+
1
11
  ## Rails 7.1.3 (January 16, 2024) ##
2
12
 
3
13
  * Fix including `Rails.application.routes.url_helpers` directly in an
@@ -21,7 +21,25 @@ module AbstractController
21
21
  key = "#{path}.#{action_name}#{key}"
22
22
  end
23
23
 
24
- ActiveSupport::HtmlSafeTranslation.translate(key, **options)
24
+ if options[:default]
25
+ options[:default] = [options[:default]] unless options[:default].is_a?(Array)
26
+ options[:default] = options[:default].map do |value|
27
+ value.is_a?(String) ? ERB::Util.html_escape(value) : value
28
+ end
29
+ end
30
+
31
+ if options[:raise].nil?
32
+ options[:default] = [] unless options[:default]
33
+ options[:default] << MISSING_TRANSLATION
34
+ end
35
+
36
+ result = ActiveSupport::HtmlSafeTranslation.translate(key, **options)
37
+
38
+ if result == MISSING_TRANSLATION
39
+ +"translation missing: #{key}"
40
+ else
41
+ result
42
+ end
25
43
  end
26
44
  alias :t :translate
27
45
 
@@ -30,5 +48,9 @@ module AbstractController
30
48
  I18n.localize(object, **options)
31
49
  end
32
50
  alias :l :localize
51
+
52
+ private
53
+ MISSING_TRANSLATION = -(2**60)
54
+ private_constant :MISSING_TRANSLATION
33
55
  end
34
56
  end
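Review bot: The new `translate` body in hunk `@@ -21,7 +21,25 @@` has no comment for its two non-obvious moves: why String entries of `options[:default]` go through `ERB::Util.html_escape` while other values pass unchanged, and why a private Integer sentinel is appended to the defaults rather than handling a missing translation some other way. Since the CHANGELOG in this same release ties the change to the `translate` XSS fix, the reason belongs in the code: above the first `if options[:default]` add `# Escape literal String defaults: unlike keys they are not looked up, so they must not reach the caller unescaped (presumably HtmlSafeTranslation.translate can hand back an html-safe result — confirm).`, and above `if options[:raise].nil?` add `# Append a private sentinel default so a missing key resolves to it rather than to I18n's own fallback; the result is compared against it below.` In the second hunk (`@@ -30,5 +48,9 @@`) the bare `private` before `MISSING_TRANSLATION = -(2**60)` has no effect on a constant — only the `private_constant` on the next line does — and no method follows it, so it is a no-op that reads as if it scoped the constant and should be dropped. The enclosing `translate` method starts above the first hunk, so its signature and the provenance of `options` are not visible here.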
@@ -154,7 +154,7 @@ module Mime
154
154
  TRAILING_STAR_REGEXP = /^(text|application)\/\*/
155
155
  # all media-type parameters need to be before the q-parameter
156
156
  # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
157
- PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
157
+ PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
158
158
  ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
159
159
 
160
160
  def register_callback(&block)
@@ -193,7 +193,7 @@ module Mime
193
193
  def parse(accept_header)
194
194
  if !accept_header.include?(",")
195
195
  if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
196
- accept_header = accept_header[0, index]
196
+ accept_header = accept_header[0, index].strip
197
197
  end
198
198
  return [] if accept_header.blank?
199
199
  parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
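Review bot: The tightened `PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/` carries no comment recording why the leading `\s*` was removed, and the `.strip` added in `parse` now silently does the whitespace handling the old pattern did, so a later cleanup could reintroduce the slow form. I would annotate the constant: `# No leading \s*: String#index retries the pattern at every offset, so optional whitespace before ";" is rescanned from each start and long whitespace runs can cost quadratic time; the caller strips trailing whitespace instead.` The remaining `\s*` is only attempted after a literal `;` has matched, so it should not reintroduce the problem, but that is worth stating in the same comment. Note also that `.strip` applies only inside the `if (index = ...)` branch, so an accept value with no `q` parameter keeps any surrounding whitespace on its way to `Mime::Type.lookup`; whether that matters depends on `lookup` and on the rest of `parse`, both of which lie outside the hunk.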
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 7
11
11
  MINOR = 1
12
12
  TINY = 3
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.1.3
4
+ version: 7.1.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-01-16 00:00:00.000000000 Z
11
+ date: 2024-02-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.1.3
19
+ version: 7.1.3.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.1.3
26
+ version: 7.1.3.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: nokogiri
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
128
128
  requirements:
129
129
  - - '='
130
130
  - !ruby/object:Gem::Version
131
- version: 7.1.3
131
+ version: 7.1.3.1
132
132
  type: :runtime
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - '='
137
137
  - !ruby/object:Gem::Version
138
- version: 7.1.3
138
+ version: 7.1.3.1
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: activemodel
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
143
  - - '='
144
144
  - !ruby/object:Gem::Version
145
- version: 7.1.3
145
+ version: 7.1.3.1
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
150
  - - '='
151
151
  - !ruby/object:Gem::Version
152
- version: 7.1.3
152
+ version: 7.1.3.1
153
153
  description: Web apps on Rails. Simple, battle-tested conventions for building and
154
154
  testing MVC web applications. Works with any Rack-compatible server.
155
155
  email: david@loudthinking.com
@@ -346,10 +346,10 @@ licenses:
346
346
  - MIT
347
347
  metadata:
348
348
  bug_tracker_uri: https://github.com/rails/rails/issues
349
- changelog_uri: https://github.com/rails/rails/blob/v7.1.3/actionpack/CHANGELOG.md
350
- documentation_uri: https://api.rubyonrails.org/v7.1.3/
349
+ changelog_uri: https://github.com/rails/rails/blob/v7.1.3.1/actionpack/CHANGELOG.md
350
+ documentation_uri: https://api.rubyonrails.org/v7.1.3.1/
351
351
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
352
- source_code_uri: https://github.com/rails/rails/tree/v7.1.3/actionpack
352
+ source_code_uri: https://github.com/rails/rails/tree/v7.1.3.1/actionpack
353
353
  rubygems_mfa_required: 'true'
354
354
  post_install_message:
355
355
  rdoc_options: []
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
367
367
  version: '0'
368
368
  requirements:
369
369
  - none
370
- rubygems_version: 3.4.18
370
+ rubygems_version: 3.4.10
371
371
  signing_key:
372
372
  specification_version: 4
373
373
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).