actionpack 7.1.3 → 7.1.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: de4819157bf6728b24500c2db2354312b383c5d04ed7edfc67de1b0d9ae08e26
-  data.tar.gz: a4b48135c65dcdcdd0cc894ac01cdfd1fbd9f9b57e51382eb9d80cc75070db41
+  metadata.gz: 4292c39dbe982f29c089fbad81538386ac6b1b4dd79f344e3c1ff7374d4e59f3
+  data.tar.gz: 89469955ba1aaa7c39380024f91094fe396b90171b5ad8a97600954473661a90
 SHA512:
-  metadata.gz: 5fb18f6b0ce92516d38626afcc5e452f27dcf8746c438d5e1e1c50dfea042e01a752648adf9cf661d6c9e9799f180ef59e960db9a069975142e6dbc849007623
-  data.tar.gz: f02bb9ff5739b77a8e2eb4d15e1fcccaf8d0e3b5f0954a5bd5acdb656ec7abd2cf828d42410592b33d7a6147fc11e728ef0b0560a29ff26c900f8b3eb889e10c
+  metadata.gz: 2ce33132f475091c9ebd244ef0c84761af9d5b9eedf89069be5ae47d1164277608f29845f8240a002fb8b7f24b70548948a82f390b786f1161d14a55084f6e41
+  data.tar.gz: 897ca28b4db398d969fa25b5d7a9dc75667eb73c0a94c993732a84b2ddbdaffa0fe12cfa3eab5f8094022d057f2cfb19b3d83716103924c29a5ddc14f9f7f923

data/CHANGELOG.md

@@ -1,3 +1,18 @@
+## Rails 7.1.3.2 (February 21, 2024) ##
+
+*   Fix `raise_on_missing_translations` not working correctly with the
+    `translate` method in controllers after the patch for CVE-2024-26143.
+
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   Fix possible XSS vulnerability with the `translate` method in controllers
+
+    CVE-2024-26143
+
+*   Fix ReDoS in Accept header parsing
+
+    CVE-2024-26142
+
 ## Rails 7.1.3 (January 16, 2024) ##
 
 *   Fix including `Rails.application.routes.url_helpers` directly in an

data/lib/abstract_controller/translation.rb

@@ -21,6 +21,13 @@ module AbstractController
         key = "#{path}.#{action_name}#{key}"
       end
 
+      if options[:default]
+        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+        options[:default] = options[:default].map do |value|
+          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+        end
+      end
+
       ActiveSupport::HtmlSafeTranslation.translate(key, **options)
     end
     alias :t :translate

data/lib/action_dispatch/http/mime_type.rb

@@ -154,7 +154,7 @@ module Mime
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
       # all media-type parameters need to be before the q-parameter
       # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
-      PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
       ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
@@ -193,7 +193,7 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
           if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
-            accept_header = accept_header[0, index]
+            accept_header = accept_header[0, index].strip
           end
           return [] if accept_header.blank?
           parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 1
     TINY  = 3
-    PRE   = nil
+    PRE   = "2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.3
+  version: 7.1.3.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-16 00:00:00.000000000 Z
+date: 2024-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3
+        version: 7.1.3.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3
+        version: 7.1.3.2
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3
+        version: 7.1.3.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3
+        version: 7.1.3.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3
+        version: 7.1.3.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3
+        version: 7.1.3.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -346,10 +346,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.3/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.3/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.3.2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.3.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.3/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.3.2/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.4.18
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).