RubyGems - actionpack - Versions diffs - 7.1.5 → 7.1.5.2 - Mend

actionpack 7.1.5 → 7.1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/lib/action_dispatch/http/content_security_policy.rb +21 -4
data/lib/action_pack/gem_version.rb +1 -1
metadata +12 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef6ded6ec75402697cbeaf5e35774fc5883ec6dea9a31c9698b28949c0b9547f
-  data.tar.gz: d31034f579dbab96df8449bbe31b449aa6c6d94711ce0f394ed3933bd316546b
+  metadata.gz: 6a7008692ffae65ab1ef1cbeaa122083b97317ca660c8b77f5d0bf9ad4400ee8
+  data.tar.gz: 373bc828b7ce749c2e19afd82221d4bf3f3a2e1db4ac47e6562e88f39c540323
 SHA512:
-  metadata.gz: 563f1655070799cff368211fbe55ce13d4cd8a5984ca16d9c94df8fb6fec119c644d0a43a3fadf088cf2df019d4c6266a1e36ea4e3de1a82dbdf92f8e100d3c1
-  data.tar.gz: 170f1c5406ee4c8d740d50b63fd74d8c803b3aa4f8a16b69d73355949bb7a9d7835d4118d685050c3dd967cac6933403e1097575ab1d9e4dbfbdce292defe978
+  metadata.gz: ad31650005df8836752a0524ab4a393a6de9a386249e0270fbd09015a5f56714c1d0fcabc3a564ba6747902862981410ca80d46b19f9e5a60af2c100341cdb84
+  data.tar.gz: d02fbaed346ff5a82a47a1ce5d0ffcae8fc84cec699e1c0ebd4a670f296a7a53e48b3c7f19ea5e417fc53a415929b5e3149bd213bbecd0f622c9c6218498dbeb

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,18 @@
+## Rails 7.1.5.2 (August 13, 2025) ##
+*   No changes.
+## Rails 7.1.5.1 (December 10, 2024) ##
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+    [CVE-2024-54133]
+    *Gannon McGibbon*
 ## Rails 7.1.5 (October 30, 2024) ##
 *   No changes.

data/lib/action_dispatch/http/content_security_policy.rb CHANGED Viewed

@@ -24,6 +24,9 @@ module ActionDispatch # :nodoc:
   #     policy.report_uri "/csp-violation-report-endpoint"
   #   end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
     class Middleware
       def initialize(app)
         @app = app
@@ -317,9 +320,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -329,8 +332,22 @@ module ActionDispatch # :nodoc:
         end
       end
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+        validate(directive, resolved_sources)
       end
       def resolve_source(source, context)

data/lib/action_pack/gem_version.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 1
     TINY  = 5
-    PRE   = nil
+    PRE   = "2"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.5
+  version: 7.1.5.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.2
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +127,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -346,12 +345,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.5/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.5/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.5.2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.5.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.5/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.5.2/actionpack
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -367,8 +365,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []