actionpack 7.1.4 → 7.1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b4d5f38e40fa62a9e501f3cb6f6f569af105e1e4a3690f6246890b50fada2595
-  data.tar.gz: e3d511f1c6de7e525c7512be7913f153f918de39dac5fd4c1a26aa99882d2d85
+  metadata.gz: 6d6c0075e31a2470da87034e8352742903c176696808a902d17a33b8db79c0cd
+  data.tar.gz: a6c9e27f6650d1356b68de05dd835f7aa663d131410d188034d25c5f745f3a5e
 SHA512:
-  metadata.gz: 918629b0d717a17eaf28f523b56e292b1f98ec7ebf7fe635a53b1ba395e1411810c00fcd0754d4822736deceabccf37f17fa3a2349d31fef26a767df89591949
-  data.tar.gz: d5bbb185497884aed4bfc496680c5774e2838447ac306da5c41bf6c047ac916d6bb4ca6d373be43b16ca5ff8a8913961c248560fbef43fb1db27b23509c61bed
+  metadata.gz: e26080c351f2d9d2218a77a7a4583473eb6ecbec52f8eb5fd2879393f4037459acfaed714c0db8ead7905aa8234b48480d1ab313eb281eda1e9a7c8bb5f2cefe
+  data.tar.gz: bd2fa076443257da863689d42f1ca5e076a91282f374c8389452ec8604fe5e528830cdb5cd7763c79bd4194e1c3345221f2a409e80ae24dc625bba4d08a2d0d1

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## Rails 7.1.4.1 (October 15, 2024) ##
+
+*   Avoid regex backtracking in HTTP Token authentication
+
+    [CVE-2024-47887]
+
+*   Avoid regex backtracking in query parameter filtering
+
+    [CVE-2024-41128]
+
 ## Rails 7.1.4 (August 22, 2024) ##
 
 *   Resolve deprecation warning in latest `selenium-webdriver`.

data/lib/action_controller/metal/http_authentication.rb

@@ -507,14 +507,11 @@ module ActionController
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
-      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
-      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
-
       # This method takes an authorization body and splits up the key-value
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
         _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)

data/lib/action_dispatch/http/filter_parameters.rb

@@ -64,12 +64,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 1
     TINY  = 4
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.4
+  version: 7.1.4.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-08-22 00:00:00.000000000 Z
+date: 2024-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4
+        version: 7.1.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4
+        version: 7.1.4.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4
+        version: 7.1.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4
+        version: 7.1.4.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4
+        version: 7.1.4.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4
+        version: 7.1.4.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -346,12 +346,12 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.4/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.4.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.4.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.4.1/actionpack
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -367,8 +367,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []