actionpack 7.2.1.2 → 7.2.2

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d8587fb38c365e101c7ccedbc8f327e93c2a2bb6ed68d8b3eee91e25c7cc4cc3
4
- data.tar.gz: 12752d536fdccb865158f457758dd09c945934fc81ad1c831ba2fa93a90bf264
3
+ metadata.gz: 805d9e62e9937e7cd8f12e22e2b806035577bd452e5ce321f75372c7f152edd7
4
+ data.tar.gz: 0fb9629eae17852ae5eb92ad885f79a6938e36e8b72dfe4ce775920d8d0c153c
5
5
  SHA512:
6
- metadata.gz: 8f3cce17e7ddf0925224aab95355f0dcc88862090c07bfdfcf4e56b527df43032c6491112287ecc78b4b4966eaadeceb43f4b7ceb2ef1ec88ce7626f358bd51e
7
- data.tar.gz: 1243e708a9570acbdac7defd4345d78575869f0397140ca4ba8c8b422465b56bdcfd0359e9332ac52c54836d8d056611315c81c24ff3e8a163ecf613cdafa14a
6
+ metadata.gz: ed08caeeb60bf9f444ddca5eafb519eab94c8475e0452ba146b98585d3f426f0444730e05f5a1e40583b5237e1ef535cad62c8d92bc96ac62e73987c19aed8a8
7
+ data.tar.gz: 85304714962564e3997fad42e395efe05061bf95d5cc9ef89394d53f99e899862f93a7ff38d12e16c232d7b7ab39ea012268b3f0b7214ed373c9fd39c5608e91
data/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ ## Rails 7.2.2 (October 30, 2024) ##
2
+
3
+ * Fix non-GET requests not updating cookies in `ActionController::TestCase`.
4
+
5
+ *Jon Moss*, *Hartley McGuire*
6
+
7
+
1
8
  ## Rails 7.2.1.2 (October 23, 2024) ##
2
9
 
3
10
  * No changes.
@@ -9,10 +16,15 @@
9
16
 
10
17
  [CVE-2024-47887]
11
18
 
19
+ *John Hawthorn*
20
+
12
21
  * Avoid regex backtracking in query parameter filtering
13
22
 
14
23
  [CVE-2024-41128]
15
24
 
25
+ *John Hawthorn*
26
+
27
+
16
28
  ## Rails 7.2.1 (August 22, 2024) ##
17
29
 
18
30
  * Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
@@ -104,6 +104,7 @@ module AbstractController
104
104
  # Declare a controller method as a helper. For example, the following
105
105
  # makes the `current_user` and `logged_in?` controller methods available
106
106
  # to the view:
107
+ #
107
108
  # class ApplicationController < ActionController::Base
108
109
  # helper_method :current_user, :logged_in?
109
110
  #
@@ -118,6 +119,7 @@ module AbstractController
118
119
  # end
119
120
  #
120
121
  # In a view:
122
+ #
121
123
  # <% if logged_in? -%>Welcome, <%= current_user.name %><% end -%>
122
124
  #
123
125
  # #### Parameters
@@ -123,6 +123,7 @@ module ActionController
123
123
  BasicImplicitRender,
124
124
  StrongParameters,
125
125
  RateLimiting,
126
+ Caching,
126
127
 
127
128
  DataStreaming,
128
129
  DefaultHeaders,
@@ -60,7 +60,7 @@ module ActionController # :nodoc:
60
60
  end
61
61
  end
62
62
 
63
- class BrowserBlocker
63
+ class BrowserBlocker # :nodoc:
64
64
  SETS = {
65
65
  modern: { safari: 17.2, chrome: 120, firefox: 121, opera: 106, ie: false }
66
66
  }
@@ -76,8 +76,7 @@ module ActionController
76
76
  # `:cache_control`
77
77
  # : When given, will overwrite an existing `Cache-Control` header. For a list
78
78
  # of `Cache-Control` directives, see the [article on
79
- # MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Contr
80
- # ol).
79
+ # MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control).
81
80
  #
82
81
  # `:template`
83
82
  # : By default, the template digest for the current controller/action is
@@ -211,7 +211,7 @@ module ActionController
211
211
  end
212
212
  end
213
213
 
214
- # Returns false on a valid response, true otherwise.
214
+ # Returns true on a valid response, false otherwise.
215
215
  def authenticate(request, realm, &password_procedure)
216
216
  request.authorization && validate_digest_response(request, realm, &password_procedure)
217
217
  end
@@ -431,7 +431,7 @@ module ActionController
431
431
  module ControllerMethods
432
432
  # Authenticate using an HTTP Bearer token, or otherwise render an HTTP header
433
433
  # requesting the client to send a Bearer token. For the authentication to be
434
- # considered successful, `login_procedure` should return a non-nil value.
434
+ # considered successful, `login_procedure` must not return a false value.
435
435
  # Typically, the authenticated user is returned.
436
436
  #
437
437
  # See ActionController::HttpAuthentication::Token for example usage.
@@ -77,12 +77,15 @@ module ActionController
77
77
  # Writing an object will convert it into standard SSE format with whatever
78
78
  # options you have configured. You may choose to set the following options:
79
79
  #
80
- # 1) Event. If specified, an event with this name will be dispatched on
81
- # the browser.
82
- # 2) Retry. The reconnection time in milliseconds used when attempting
83
- # to send the event.
84
- # 3) Id. If the connection dies while sending an SSE to the browser, then
85
- # the server will receive a +Last-Event-ID+ header with value equal to +id+.
80
+ # `:event`
81
+ # : If specified, an event with this name will be dispatched on the browser.
82
+ #
83
+ # `:retry`
84
+ # : The reconnection time in milliseconds used when attempting to send the event.
85
+ #
86
+ # `:id`
87
+ # : If the connection dies while sending an SSE to the browser, then the
88
+ # server will receive a `Last-Event-ID` header with value equal to `id`.
86
89
  #
87
90
  # After setting an option in the constructor of the SSE object, all future SSEs
88
91
  # sent across the stream will use those options unless overridden.
@@ -427,9 +427,7 @@ module ActionController
427
427
  # Note that the request method is not verified. The different methods are
428
428
  # available to make the tests more expressive.
429
429
  def get(action, **args)
430
- res = process(action, method: "GET", **args)
431
- cookies.update res.cookies
432
- res
430
+ process(action, method: "GET", **args)
433
431
  end
434
432
 
435
433
  # Simulate a POST request with the given parameters and set/volley the response.
@@ -637,6 +635,7 @@ module ActionController
637
635
  unless @request.cookie_jar.committed?
638
636
  @request.cookie_jar.write(@response)
639
637
  cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
638
+ cookies.update(@response.cookies)
640
639
  end
641
640
  end
642
641
  @response.prepare!
@@ -8,8 +8,7 @@ require "active_support/core_ext/array/wrap"
8
8
  module ActionDispatch # :nodoc:
9
9
  # # Action Dispatch Content Security Policy
10
10
  #
11
- # Configures the HTTP [Content-Security-Policy]
12
- # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
11
+ # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
13
12
  # response header to help protect against XSS and
14
13
  # injection attacks.
15
14
  #
@@ -226,8 +225,7 @@ module ActionDispatch # :nodoc:
226
225
  end
227
226
  end
228
227
 
229
- # Enable the [report-uri]
230
- # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
228
+ # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
231
229
  # directive. Violation reports will be sent to the
232
230
  # specified URI:
233
231
  #
@@ -237,8 +235,7 @@ module ActionDispatch # :nodoc:
237
235
  @directives["report-uri"] = [uri]
238
236
  end
239
237
 
240
- # Specify asset types for which [Subresource Integrity]
241
- # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
238
+ # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
242
239
  #
243
240
  # policy.require_sri_for :script, :style
244
241
  #
@@ -254,8 +251,7 @@ module ActionDispatch # :nodoc:
254
251
  end
255
252
  end
256
253
 
257
- # Specify whether a [sandbox]
258
- # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
254
+ # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
259
255
  # should be enabled for the requested resource:
260
256
  #
261
257
  # policy.sandbox
@@ -18,8 +18,8 @@ module ActionDispatch
18
18
  # 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) requires.
19
19
  # Some Rack servers simply drop preceding headers, and only report the value
20
20
  # that was [given in the last
21
- # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-server
22
- # s). If you are behind multiple proxy servers (like NGINX to HAProxy to
21
+ # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers).
22
+ # If you are behind multiple proxy servers (like NGINX to HAProxy to
23
23
  # Unicorn) then you should test your Rack server to make sure your data is good.
24
24
  #
25
25
  # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING. This
@@ -117,10 +117,9 @@ module ActionDispatch
117
117
  # instead, so we check that too.
118
118
  #
119
119
  # As discussed in [this post about Rails IP
120
- # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.c
121
- # om/2012/rails-ip-spoofing-vulnerabilities-and-protection/), while the first IP
122
- # in the list is likely to be the "originating" IP, it could also have been set
123
- # by the client maliciously.
120
+ # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/),
121
+ # while the first IP in the list is likely to be the "originating" IP, it
122
+ # could also have been set by the client maliciously.
124
123
  #
125
124
  # In order to find the first address that is (probably) accurate, we take the
126
125
  # list of IPs, remove known and trusted proxies, and then take the last address
@@ -17,7 +17,7 @@ module ActionDispatch
17
17
  #
18
18
  # Requests can opt-out of redirection with `exclude`:
19
19
  #
20
- # config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
20
+ # config.ssl_options = { redirect: { exclude: -> request { request.path == "/up" } } }
21
21
  #
22
22
  # Cookies will not be flagged as secure for excluded requests.
23
23
  #
@@ -101,7 +101,7 @@ module ActionDispatch
101
101
  { controller: /#{filter[:controller].underscore.sub(/_?controller\z/, "")}/ }
102
102
  elsif filter[:grep]
103
103
  grep_pattern = Regexp.new(filter[:grep])
104
- path = URI::DEFAULT_PARSER.escape(filter[:grep])
104
+ path = RFC2396_PARSER.escape(filter[:grep])
105
105
  normalized_path = ("/" + path).squeeze("/")
106
106
 
107
107
  {
@@ -1048,6 +1048,7 @@ module ActionDispatch
1048
1048
  end
1049
1049
 
1050
1050
  # Allows you to set default parameters for a route, such as this:
1051
+ #
1051
1052
  # defaults id: 'home' do
1052
1053
  # match 'scoped_pages/(:id)', to: 'pages#show'
1053
1054
  # end
@@ -2024,7 +2025,7 @@ module ActionDispatch
2024
2025
  name_for_action(options.delete(:as), action)
2025
2026
  end
2026
2027
 
2027
- path = Mapping.normalize_path URI::DEFAULT_PARSER.escape(path), formatted
2028
+ path = Mapping.normalize_path RFC2396_PARSER.escape(path), formatted
2028
2029
  ast = Journey::Parser.parse path
2029
2030
 
2030
2031
  mapping = Mapping.build(@scope, @set, ast, controller, default_action, to, via, formatted, options_constraints, anchor, options)
@@ -917,7 +917,7 @@ module ActionDispatch
917
917
  params.each do |key, value|
918
918
  if value.is_a?(String)
919
919
  value = value.dup.force_encoding(Encoding::BINARY)
920
- params[key] = URI::DEFAULT_PARSER.unescape(value)
920
+ params[key] = RFC2396_PARSER.unescape(value)
921
921
  end
922
922
  end
923
923
  req.path_parameters = params
@@ -30,6 +30,7 @@ require "active_support/core_ext/module/attribute_accessors"
30
30
 
31
31
  require "action_pack"
32
32
  require "rack"
33
+ require "uri"
33
34
  require "action_dispatch/deprecator"
34
35
 
35
36
  module Rack # :nodoc:
@@ -47,6 +48,9 @@ end
47
48
  module ActionDispatch
48
49
  extend ActiveSupport::Autoload
49
50
 
51
+ RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
52
+ private_constant :RFC2396_PARSER
53
+
50
54
  class MissingController < NameError
51
55
  end
52
56
 
@@ -11,8 +11,8 @@ module ActionPack
11
11
  module VERSION
12
12
  MAJOR = 7
13
13
  MINOR = 2
14
- TINY = 1
15
- PRE = "2"
14
+ TINY = 2
15
+ PRE = nil
16
16
 
17
17
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
18
18
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.2.1.2
4
+ version: 7.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-10-23 00:00:00.000000000 Z
11
+ date: 2024-10-31 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.2.1.2
19
+ version: 7.2.2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.2.1.2
26
+ version: 7.2.2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: nokogiri
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -148,28 +148,28 @@ dependencies:
148
148
  requirements:
149
149
  - - '='
150
150
  - !ruby/object:Gem::Version
151
- version: 7.2.1.2
151
+ version: 7.2.2
152
152
  type: :runtime
153
153
  prerelease: false
154
154
  version_requirements: !ruby/object:Gem::Requirement
155
155
  requirements:
156
156
  - - '='
157
157
  - !ruby/object:Gem::Version
158
- version: 7.2.1.2
158
+ version: 7.2.2
159
159
  - !ruby/object:Gem::Dependency
160
160
  name: activemodel
161
161
  requirement: !ruby/object:Gem::Requirement
162
162
  requirements:
163
163
  - - '='
164
164
  - !ruby/object:Gem::Version
165
- version: 7.2.1.2
165
+ version: 7.2.2
166
166
  type: :development
167
167
  prerelease: false
168
168
  version_requirements: !ruby/object:Gem::Requirement
169
169
  requirements:
170
170
  - - '='
171
171
  - !ruby/object:Gem::Version
172
- version: 7.2.1.2
172
+ version: 7.2.2
173
173
  description: Web apps on Rails. Simple, battle-tested conventions for building and
174
174
  testing MVC web applications. Works with any Rack-compatible server.
175
175
  email: david@loudthinking.com
@@ -369,10 +369,10 @@ licenses:
369
369
  - MIT
370
370
  metadata:
371
371
  bug_tracker_uri: https://github.com/rails/rails/issues
372
- changelog_uri: https://github.com/rails/rails/blob/v7.2.1.2/actionpack/CHANGELOG.md
373
- documentation_uri: https://api.rubyonrails.org/v7.2.1.2/
372
+ changelog_uri: https://github.com/rails/rails/blob/v7.2.2/actionpack/CHANGELOG.md
373
+ documentation_uri: https://api.rubyonrails.org/v7.2.2/
374
374
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
375
- source_code_uri: https://github.com/rails/rails/tree/v7.2.1.2/actionpack
375
+ source_code_uri: https://github.com/rails/rails/tree/v7.2.2/actionpack
376
376
  rubygems_mfa_required: 'true'
377
377
  post_install_message:
378
378
  rdoc_options: []