actionpack 7.2.0 → 7.2.1.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +17 -0
  3. data/lib/action_controller/metal/http_authentication.rb +1 -4
  4. data/lib/action_dispatch/http/filter_parameters.rb +9 -4
  5. data/lib/action_dispatch/http/filter_redirect.rb +9 -2
  6. data/lib/action_dispatch/http/request.rb +23 -4
  7. data/lib/action_pack/gem_version.rb +2 -2
  8. metadata +15 -15
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1c6dfb6390c5d4c6038c8aef6a4c79dd69ac971cc460d4e4f915e3c0c104b09b
4
- data.tar.gz: 4427bf987fa2fa103840ee22673c241e136e978dd29d4d29d2b7f370dc1dc2b8
3
+ metadata.gz: aa5e422c3ae8a04f0fac4410c72203218277a1b813047ad3ce5aa3274eac5a0e
4
+ data.tar.gz: 19620a0b88f940ae2a3183dbf20828228ae3f8fb567d32e715ba92fd9ea29db8
5
5
  SHA512:
6
- metadata.gz: cc8f57cd76f9e51ac42c10970feceedce22c9374f02d5eb96f4812009cba4e1d68b4d2a7bad8f081d939f6628b0447dd73051a32a590cddfa375f8a3084b3a17
7
- data.tar.gz: 1fa922c393a19ec07ae0b9b615ed3bcc82a365f342270be2308c5dc16b8cd871d82f34c78b486aa981e97308aeefdf3d74cdedb91073602e84219ec05f75c520
6
+ metadata.gz: 27b3549782fe4594a04571356362c11a03a1bf9e368fbf49662a1514cc170ec01f85be5085ffe77e62e57435702637db27f0502c118b7084d90d05f00e0d7a1a
7
+ data.tar.gz: d8ba844e9b95cf76ebcbc899678b2752f5f3ddbf3cb81a4ac94c86ed1f4bb5d3fd471f701e69779f9aee99bbd0612f5aa2ddf79e75d32735aab436f58ef99cb7
data/CHANGELOG.md CHANGED
@@ -1,3 +1,20 @@
1
+ ## Rails 7.2.1.1 (October 15, 2024) ##
2
+
3
+ * Avoid regex backtracking in HTTP Token authentication
4
+
5
+ [CVE-2024-47887]
6
+
7
+ * Avoid regex backtracking in query parameter filtering
8
+
9
+ [CVE-2024-41128]
10
+
11
+ ## Rails 7.2.1 (August 22, 2024) ##
12
+
13
+ * Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
14
+
15
+ *Hartley McGuire*
16
+
17
+
1
18
  ## Rails 7.2.0 (August 09, 2024) ##
2
19
 
3
20
  * Allow bots to ignore `allow_browser`.
data/lib/action_controller/metal/http_authentication.rb CHANGED
@@ -513,14 +513,11 @@ module ActionController
513
513
  array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
514
514
  end
515
515
 
516
- WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
517
- private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
518
-
519
516
  # This method takes an authorization body and splits up the key-value pairs by
520
517
  # the standardized `:`, `;`, or `\t` delimiters defined in
521
518
  # `AUTHN_PAIR_DELIMITERS`.
522
519
  def raw_params(auth)
523
- _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
520
+ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
524
521
  _raw_params.reject!(&:empty?)
525
522
 
526
523
  if !_raw_params.first&.start_with?(TOKEN_KEY)
data/lib/action_dispatch/http/filter_parameters.rb CHANGED
@@ -68,12 +68,17 @@ module ActionDispatch
68
68
  ActiveSupport::ParameterFilter.new(filters)
69
69
  end
70
70
 
71
- KV_RE = "[^&;=]+"
72
- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
73
71
  def filtered_query_string # :doc:
74
- query_string.gsub(PAIR_RE) do |_|
75
- parameter_filter.filter($1 => $2).first.join("=")
72
+ parts = query_string.split(/([&;])/)
73
+ filtered_parts = parts.map do |part|
74
+ if part.include?("=")
75
+ key, value = part.split("=", 2)
76
+ parameter_filter.filter(key => value).first.join("=")
77
+ else
78
+ part
79
+ end
76
80
  end
81
+ filtered_parts.join("")
77
82
  end
78
83
  end
79
84
  end
data/lib/action_dispatch/http/filter_redirect.rb CHANGED
@@ -37,9 +37,16 @@ module ActionDispatch
37
37
  def parameter_filtered_location
38
38
  uri = URI.parse(location)
39
39
  unless uri.query.nil? || uri.query.empty?
40
- uri.query.gsub!(FilterParameters::PAIR_RE) do
41
- request.parameter_filter.filter($1 => $2).first.join("=")
40
+ parts = uri.query.split(/([&;])/)
41
+ filtered_parts = parts.map do |part|
42
+ if part.include?("=")
43
+ key, value = part.split("=", 2)
44
+ request.parameter_filter.filter(key => value).first.join("=")
45
+ else
46
+ part
47
+ end
42
48
  end
49
+ uri.query = filtered_parts.join("")
43
50
  end
44
51
  uri.to_s
45
52
  rescue URI::Error
data/lib/action_dispatch/http/request.rb CHANGED
@@ -340,7 +340,6 @@ module ActionDispatch
340
340
  def raw_post
341
341
  unless has_header? "RAW_POST_DATA"
342
342
  set_header("RAW_POST_DATA", read_body_stream)
343
- body_stream.rewind if body_stream.respond_to?(:rewind)
344
343
  end
345
344
  get_header "RAW_POST_DATA"
346
345
  end
@@ -467,9 +466,29 @@ module ActionDispatch
467
466
  end
468
467
 
469
468
  def read_body_stream
470
- body_stream.rewind if body_stream.respond_to?(:rewind)
471
- return body_stream.read if headers.key?("Transfer-Encoding") # Read body stream until EOF if "Transfer-Encoding" is present
472
- body_stream.read(content_length)
469
+ if body_stream
470
+ reset_stream(body_stream) do
471
+ if headers.key?("Transfer-Encoding")
472
+ body_stream.read # Read body stream until EOF if "Transfer-Encoding" is present
473
+ else
474
+ body_stream.read(content_length)
475
+ end
476
+ end
477
+ end
478
+ end
479
+
480
+ def reset_stream(body_stream)
481
+ if body_stream.respond_to?(:rewind)
482
+ body_stream.rewind
483
+
484
+ content = yield
485
+
486
+ body_stream.rewind
487
+
488
+ content
489
+ else
490
+ yield
491
+ end
473
492
  end
474
493
  end
475
494
  end
data/lib/action_pack/gem_version.rb CHANGED
@@ -11,8 +11,8 @@ module ActionPack
11
11
  module VERSION
12
12
  MAJOR = 7
13
13
  MINOR = 2
14
- TINY = 0
15
- PRE = nil
14
+ TINY = 1
15
+ PRE = "1"
16
16
 
17
17
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
18
18
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.2.0
4
+ version: 7.2.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-08-09 00:00:00.000000000 Z
11
+ date: 2024-10-15 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.2.0
19
+ version: 7.2.1.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.2.0
26
+ version: 7.2.1.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: nokogiri
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -148,28 +148,28 @@ dependencies:
148
148
  requirements:
149
149
  - - '='
150
150
  - !ruby/object:Gem::Version
151
- version: 7.2.0
151
+ version: 7.2.1.1
152
152
  type: :runtime
153
153
  prerelease: false
154
154
  version_requirements: !ruby/object:Gem::Requirement
155
155
  requirements:
156
156
  - - '='
157
157
  - !ruby/object:Gem::Version
158
- version: 7.2.0
158
+ version: 7.2.1.1
159
159
  - !ruby/object:Gem::Dependency
160
160
  name: activemodel
161
161
  requirement: !ruby/object:Gem::Requirement
162
162
  requirements:
163
163
  - - '='
164
164
  - !ruby/object:Gem::Version
165
- version: 7.2.0
165
+ version: 7.2.1.1
166
166
  type: :development
167
167
  prerelease: false
168
168
  version_requirements: !ruby/object:Gem::Requirement
169
169
  requirements:
170
170
  - - '='
171
171
  - !ruby/object:Gem::Version
172
- version: 7.2.0
172
+ version: 7.2.1.1
173
173
  description: Web apps on Rails. Simple, battle-tested conventions for building and
174
174
  testing MVC web applications. Works with any Rack-compatible server.
175
175
  email: david@loudthinking.com
@@ -369,12 +369,12 @@ licenses:
369
369
  - MIT
370
370
  metadata:
371
371
  bug_tracker_uri: https://github.com/rails/rails/issues
372
- changelog_uri: https://github.com/rails/rails/blob/v7.2.0/actionpack/CHANGELOG.md
373
- documentation_uri: https://api.rubyonrails.org/v7.2.0/
372
+ changelog_uri: https://github.com/rails/rails/blob/v7.2.1.1/actionpack/CHANGELOG.md
373
+ documentation_uri: https://api.rubyonrails.org/v7.2.1.1/
374
374
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
375
- source_code_uri: https://github.com/rails/rails/tree/v7.2.0/actionpack
375
+ source_code_uri: https://github.com/rails/rails/tree/v7.2.1.1/actionpack
376
376
  rubygems_mfa_required: 'true'
377
- post_install_message:
377
+ post_install_message:
378
378
  rdoc_options: []
379
379
  require_paths:
380
380
  - lib
@@ -390,8 +390,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
390
390
  version: '0'
391
391
  requirements:
392
392
  - none
393
- rubygems_version: 3.5.11
394
- signing_key:
393
+ rubygems_version: 3.5.16
394
+ signing_key:
395
395
  specification_version: 4
396
396
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
397
397
  test_files: []