actionpack 7.2.1.2 → 7.2.2.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +22 -0
- data/lib/abstract_controller/helpers.rb +2 -0
- data/lib/action_controller/api.rb +1 -0
- data/lib/action_controller/metal/allow_browser.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +1 -2
- data/lib/action_controller/metal/http_authentication.rb +2 -2
- data/lib/action_controller/metal/live.rb +9 -6
- data/lib/action_controller/test_case.rb +2 -3
- data/lib/action_dispatch/http/content_security_policy.rb +25 -12
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -6
- data/lib/action_dispatch/middleware/ssl.rb +1 -1
- data/lib/action_dispatch/routing/inspector.rb +1 -1
- data/lib/action_dispatch/routing/mapper.rb +2 -1
- data/lib/action_dispatch/routing/route_set.rb +1 -1
- data/lib/action_dispatch.rb +4 -0
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e2f850764c42d33756dafc52b3a241cd1264cf780ef17f52b9b3b0a8b1c3d98e
|
4
|
+
data.tar.gz: 7febf80d5ab5a57de20b9658daaa10fb21216b30590837e66ceb43cb6cdfe38f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6cd119f952b01a8fdf78c1a3c364bf5e681b6b0de52758a1830b935362bc7c0c9950d371bd6b6667e49dc49e8b9f98d0f60b06781a155bcf752be705e19c875f
|
7
|
+
data.tar.gz: 15339819a72191cd86e77924f9a108ec6c9f7bcc7f3169ba2127bc1ccdefc2a7fdb98609689a7271faf467664df7841f163610445294dbe8eed08c48c431aa01
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,20 @@
|
|
1
|
+
## Rails 7.2.2.1 (December 10, 2024) ##
|
2
|
+
|
3
|
+
* Add validation to content security policies to disallow spaces and semicolons.
|
4
|
+
Developers should use multiple arguments, and different directive methods instead.
|
5
|
+
|
6
|
+
[CVE-2024-54133]
|
7
|
+
|
8
|
+
*Gannon McGibbon*
|
9
|
+
|
10
|
+
|
11
|
+
## Rails 7.2.2 (October 30, 2024) ##
|
12
|
+
|
13
|
+
* Fix non-GET requests not updating cookies in `ActionController::TestCase`.
|
14
|
+
|
15
|
+
*Jon Moss*, *Hartley McGuire*
|
16
|
+
|
17
|
+
|
1
18
|
## Rails 7.2.1.2 (October 23, 2024) ##
|
2
19
|
|
3
20
|
* No changes.
|
@@ -9,10 +26,15 @@
|
|
9
26
|
|
10
27
|
[CVE-2024-47887]
|
11
28
|
|
29
|
+
*John Hawthorn*
|
30
|
+
|
12
31
|
* Avoid regex backtracking in query parameter filtering
|
13
32
|
|
14
33
|
[CVE-2024-41128]
|
15
34
|
|
35
|
+
*John Hawthorn*
|
36
|
+
|
37
|
+
|
16
38
|
## Rails 7.2.1 (August 22, 2024) ##
|
17
39
|
|
18
40
|
* Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
|
@@ -104,6 +104,7 @@ module AbstractController
|
|
104
104
|
# Declare a controller method as a helper. For example, the following
|
105
105
|
# makes the `current_user` and `logged_in?` controller methods available
|
106
106
|
# to the view:
|
107
|
+
#
|
107
108
|
# class ApplicationController < ActionController::Base
|
108
109
|
# helper_method :current_user, :logged_in?
|
109
110
|
#
|
@@ -118,6 +119,7 @@ module AbstractController
|
|
118
119
|
# end
|
119
120
|
#
|
120
121
|
# In a view:
|
122
|
+
#
|
121
123
|
# <% if logged_in? -%>Welcome, <%= current_user.name %><% end -%>
|
122
124
|
#
|
123
125
|
# #### Parameters
|
@@ -76,8 +76,7 @@ module ActionController
|
|
76
76
|
# `:cache_control`
|
77
77
|
# : When given, will overwrite an existing `Cache-Control` header. For a list
|
78
78
|
# of `Cache-Control` directives, see the [article on
|
79
|
-
# MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-
|
80
|
-
# ol).
|
79
|
+
# MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control).
|
81
80
|
#
|
82
81
|
# `:template`
|
83
82
|
# : By default, the template digest for the current controller/action is
|
@@ -211,7 +211,7 @@ module ActionController
|
|
211
211
|
end
|
212
212
|
end
|
213
213
|
|
214
|
-
# Returns
|
214
|
+
# Returns true on a valid response, false otherwise.
|
215
215
|
def authenticate(request, realm, &password_procedure)
|
216
216
|
request.authorization && validate_digest_response(request, realm, &password_procedure)
|
217
217
|
end
|
@@ -431,7 +431,7 @@ module ActionController
|
|
431
431
|
module ControllerMethods
|
432
432
|
# Authenticate using an HTTP Bearer token, or otherwise render an HTTP header
|
433
433
|
# requesting the client to send a Bearer token. For the authentication to be
|
434
|
-
# considered successful, `login_procedure`
|
434
|
+
# considered successful, `login_procedure` must not return a false value.
|
435
435
|
# Typically, the authenticated user is returned.
|
436
436
|
#
|
437
437
|
# See ActionController::HttpAuthentication::Token for example usage.
|
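Review bot: The new comment at line 214 says the method returns `false` otherwise, but the body on line 216 is `request.authorization && validate_digest_response(request, realm, &password_procedure)`, which yields `nil` when the request carries no Authorization header. Suggest `# Returns true on a valid response, a falsy value (nil or false) otherwise.` so callers do not compare the result against `false`. The same wording question applies to whatever `validate_digest_response` returns, which is outside the hunk.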
@@ -77,12 +77,15 @@ module ActionController
|
|
77
77
|
# Writing an object will convert it into standard SSE format with whatever
|
78
78
|
# options you have configured. You may choose to set the following options:
|
79
79
|
#
|
80
|
-
#
|
81
|
-
#
|
82
|
-
#
|
83
|
-
#
|
84
|
-
#
|
85
|
-
#
|
80
|
+
# `:event`
|
81
|
+
# : If specified, an event with this name will be dispatched on the browser.
|
82
|
+
#
|
83
|
+
# `:retry`
|
84
|
+
# : The reconnection time in milliseconds used when attempting to send the event.
|
85
|
+
#
|
86
|
+
# `:id`
|
87
|
+
# : If the connection dies while sending an SSE to the browser, then the
|
88
|
+
# server will receive a `Last-Event-ID` header with value equal to `id`.
|
86
89
|
#
|
87
90
|
# After setting an option in the constructor of the SSE object, all future SSEs
|
88
91
|
# sent across the stream will use those options unless overridden.
|
@@ -427,9 +427,7 @@ module ActionController
|
|
427
427
|
# Note that the request method is not verified. The different methods are
|
428
428
|
# available to make the tests more expressive.
|
429
429
|
def get(action, **args)
|
430
|
-
|
431
|
-
cookies.update res.cookies
|
432
|
-
res
|
430
|
+
process(action, method: "GET", **args)
|
433
431
|
end
|
434
432
|
|
435
433
|
# Simulate a POST request with the given parameters and set/volley the response.
|
@@ -637,6 +635,7 @@ module ActionController
|
|
637
635
|
unless @request.cookie_jar.committed?
|
638
636
|
@request.cookie_jar.write(@response)
|
639
637
|
cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
|
638
|
+
cookies.update(@response.cookies)
|
640
639
|
end
|
641
640
|
end
|
642
641
|
@response.prepare!
|
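Review bot: The two merges at new lines 637–638 of `process` overlap: `cookies.update(@response.cookies)` runs after the merge of the jar's `@cookies`, so for a cookie present in both the response value wins, and nothing says that ordering is deliberate. Suggest a comment above line 638: `# Response cookies are merged last so a value set directly on the response overrides the jar's for the same name.` Reading the jar through `instance_variable_get(:@cookies)` at line 637 is pre-existing, but it now sits next to a public `@response.cookies` reader; if the jar exposes an equivalent accessor it would be worth using instead. `get` at line 429 is now a one-line delegate to `process`, so the cookie handling applies to every verb; `process` itself begins and ends outside the hunk.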
@@ -8,8 +8,7 @@ require "active_support/core_ext/array/wrap"
|
|
8
8
|
module ActionDispatch # :nodoc:
|
9
9
|
# # Action Dispatch Content Security Policy
|
10
10
|
#
|
11
|
-
# Configures the HTTP [Content-Security-Policy]
|
12
|
-
# (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
|
11
|
+
# Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
|
13
12
|
# response header to help protect against XSS and
|
14
13
|
# injection attacks.
|
15
14
|
#
|
@@ -27,6 +26,9 @@ module ActionDispatch # :nodoc:
|
|
27
26
|
# policy.report_uri "/csp-violation-report-endpoint"
|
28
27
|
# end
|
29
28
|
class ContentSecurityPolicy
|
29
|
+
class InvalidDirectiveError < StandardError
|
30
|
+
end
|
31
|
+
|
30
32
|
class Middleware
|
31
33
|
def initialize(app)
|
32
34
|
@app = app
|
@@ -226,8 +228,7 @@ module ActionDispatch # :nodoc:
|
|
226
228
|
end
|
227
229
|
end
|
228
230
|
|
229
|
-
# Enable the [report-uri]
|
230
|
-
# (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
|
231
|
+
# Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
|
231
232
|
# directive. Violation reports will be sent to the
|
232
233
|
# specified URI:
|
233
234
|
#
|
@@ -237,8 +238,7 @@ module ActionDispatch # :nodoc:
|
|
237
238
|
@directives["report-uri"] = [uri]
|
238
239
|
end
|
239
240
|
|
240
|
-
# Specify asset types for which [Subresource Integrity]
|
241
|
-
# (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
|
241
|
+
# Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
|
242
242
|
#
|
243
243
|
# policy.require_sri_for :script, :style
|
244
244
|
#
|
@@ -254,8 +254,7 @@ module ActionDispatch # :nodoc:
|
|
254
254
|
end
|
255
255
|
end
|
256
256
|
|
257
|
-
# Specify whether a [sandbox]
|
258
|
-
# (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
|
257
|
+
# Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
|
259
258
|
# should be enabled for the requested resource:
|
260
259
|
#
|
261
260
|
# policy.sandbox
|
@@ -323,9 +322,9 @@ module ActionDispatch # :nodoc:
|
|
323
322
|
@directives.map do |directive, sources|
|
324
323
|
if sources.is_a?(Array)
|
325
324
|
if nonce && nonce_directive?(directive, nonce_directives)
|
326
|
-
"#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
|
325
|
+
"#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
|
327
326
|
else
|
328
|
-
"#{directive} #{build_directive(sources, context).join(' ')}"
|
327
|
+
"#{directive} #{build_directive(directive, sources, context).join(' ')}"
|
329
328
|
end
|
330
329
|
elsif sources
|
331
330
|
directive
|
@@ -335,8 +334,22 @@ module ActionDispatch # :nodoc:
|
|
335
334
|
end
|
336
335
|
end
|
337
336
|
|
338
|
-
def
|
339
|
-
sources.
|
337
|
+
def validate(directive, sources)
|
338
|
+
sources.flatten.each do |source|
|
339
|
+
if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
|
340
|
+
raise InvalidDirectiveError, <<~MSG.squish
|
341
|
+
Invalid Content Security Policy #{directive}: "#{source}".
|
342
|
+
Directive values must not contain whitespace or semicolons.
|
343
|
+
Please use multiple arguments or other directive methods instead.
|
344
|
+
MSG
|
345
|
+
end
|
346
|
+
end
|
347
|
+
end
|
348
|
+
|
349
|
+
def build_directive(directive, sources, context)
|
350
|
+
resolved_sources = sources.map { |source| resolve_source(source, context) }
|
351
|
+
|
352
|
+
validate(directive, resolved_sources)
|
340
353
|
end
|
341
354
|
|
342
355
|
def resolve_source(source, context)
|
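Review bot: `build_directive` at new line 349 now returns whatever `validate` returns, which is the receiver of `each` at line 338 (the flattened copy of `resolved_sources`); the `.join(' ')` calls at lines 325 and 327 only work because of that implicit return. Making it explicit keeps the contract readable: keep `validate(directive, resolved_sources)` as a statement and end the method with `resolved_sources` (`Array#join` already joins nested arrays, so the caller does not need the flattened copy). The whitespace test at line 339 builds a stripped copy of every source on every header build; `source.match?(/[[:space:]]/)` is the same check without the allocation. `InvalidDirectiveError` at line 29 has no doc comment; suggest `# Raised by #validate when a directive value contains whitespace or a semicolon, which would otherwise let a single value be read as several directives.` Since `validate` is reached from `build`, a bad value is presumably reported when the header is generated rather than when the policy is configured — worth stating in that comment if confirmed.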
@@ -18,8 +18,8 @@ module ActionDispatch
|
|
18
18
|
# 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) requires.
|
19
19
|
# Some Rack servers simply drop preceding headers, and only report the value
|
20
20
|
# that was [given in the last
|
21
|
-
# header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-
|
22
|
-
#
|
21
|
+
# header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers).
|
22
|
+
# If you are behind multiple proxy servers (like NGINX to HAProxy to
|
23
23
|
# Unicorn) then you should test your Rack server to make sure your data is good.
|
24
24
|
#
|
25
25
|
# IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING. This
|
@@ -117,10 +117,9 @@ module ActionDispatch
|
|
117
117
|
# instead, so we check that too.
|
118
118
|
#
|
119
119
|
# As discussed in [this post about Rails IP
|
120
|
-
# Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.
|
121
|
-
#
|
122
|
-
#
|
123
|
-
# by the client maliciously.
|
120
|
+
# Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/),
|
121
|
+
# while the first IP in the list is likely to be the "originating" IP, it
|
122
|
+
# could also have been set by the client maliciously.
|
124
123
|
#
|
125
124
|
# In order to find the first address that is (probably) accurate, we take the
|
126
125
|
# list of IPs, remove known and trusted proxies, and then take the last address
|
@@ -17,7 +17,7 @@ module ActionDispatch
|
|
17
17
|
#
|
18
18
|
# Requests can opt-out of redirection with `exclude`:
|
19
19
|
#
|
20
|
-
# config.ssl_options = { redirect: { exclude: -> request {
|
20
|
+
# config.ssl_options = { redirect: { exclude: -> request { request.path == "/up" } } }
|
21
21
|
#
|
22
22
|
# Cookies will not be flagged as secure for excluded requests.
|
23
23
|
#
|
@@ -101,7 +101,7 @@ module ActionDispatch
|
|
101
101
|
{ controller: /#{filter[:controller].underscore.sub(/_?controller\z/, "")}/ }
|
102
102
|
elsif filter[:grep]
|
103
103
|
grep_pattern = Regexp.new(filter[:grep])
|
104
|
-
path =
|
104
|
+
path = RFC2396_PARSER.escape(filter[:grep])
|
105
105
|
normalized_path = ("/" + path).squeeze("/")
|
106
106
|
|
107
107
|
{
|
@@ -1048,6 +1048,7 @@ module ActionDispatch
|
|
1048
1048
|
end
|
1049
1049
|
|
1050
1050
|
# Allows you to set default parameters for a route, such as this:
|
1051
|
+
#
|
1051
1052
|
# defaults id: 'home' do
|
1052
1053
|
# match 'scoped_pages/(:id)', to: 'pages#show'
|
1053
1054
|
# end
|
@@ -2024,7 +2025,7 @@ module ActionDispatch
|
|
2024
2025
|
name_for_action(options.delete(:as), action)
|
2025
2026
|
end
|
2026
2027
|
|
2027
|
-
path = Mapping.normalize_path
|
2028
|
+
path = Mapping.normalize_path RFC2396_PARSER.escape(path), formatted
|
2028
2029
|
ast = Journey::Parser.parse path
|
2029
2030
|
|
2030
2031
|
mapping = Mapping.build(@scope, @set, ast, controller, default_action, to, via, formatted, options_constraints, anchor, options)
|
@@ -917,7 +917,7 @@ module ActionDispatch
|
|
917
917
|
params.each do |key, value|
|
918
918
|
if value.is_a?(String)
|
919
919
|
value = value.dup.force_encoding(Encoding::BINARY)
|
920
|
-
params[key] =
|
920
|
+
params[key] = RFC2396_PARSER.unescape(value)
|
921
921
|
end
|
922
922
|
end
|
923
923
|
req.path_parameters = params
|
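--- a/data/lib/action_dispatch.rb
+++ b/data/lib/action_dispatch.rb
@@ -30,6 +30,7 @@ require "active_support/core_ext/module/attribute_accessors"
 
 require "action_pack"
 require "rack"
+require "uri"
 require "action_dispatch/deprecator"
 
 module Rack # :nodoc:
@@ -47,6 +48,9 @@ end
 module ActionDispatch
 extend ActiveSupport::Autoload
 
+RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
+private_constant :RFC2396_PARSER
+
 class MissingController < NameError
 end
 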
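Review bot: `RFC2396_PARSER` at new line 51 is declared `private_constant`, so it is reachable only from code lexically nested inside `module ActionDispatch`; the call sites in the inspector, mapper and route_set hunks above are nested that way, but any file that defines its class with the compact `ActionDispatch::Routing::Foo` form would raise NameError on the same call. The constant also lacks a comment saying why an RFC 2396 parser is pinned instead of `URI::DEFAULT_PARSER`; suggest `# Pinned to the RFC 2396 parser so escape/unescape keep the behaviour the routing code was written against; newer uri releases expose it as URI::RFC2396_PARSER, older ones need an instance.` The fallback `URI::RFC2396_Parser.new` allocates a single instance at load time, which is fine given the constant is shared.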
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.2.1
|
4
|
+
version: 7.2.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-10
|
11
|
+
date: 2024-12-10 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 7.2.1
|
19
|
+
version: 7.2.2.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 7.2.1
|
26
|
+
version: 7.2.2.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: nokogiri
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -148,28 +148,28 @@ dependencies:
|
|
148
148
|
requirements:
|
149
149
|
- - '='
|
150
150
|
- !ruby/object:Gem::Version
|
151
|
-
version: 7.2.1
|
151
|
+
version: 7.2.2.1
|
152
152
|
type: :runtime
|
153
153
|
prerelease: false
|
154
154
|
version_requirements: !ruby/object:Gem::Requirement
|
155
155
|
requirements:
|
156
156
|
- - '='
|
157
157
|
- !ruby/object:Gem::Version
|
158
|
-
version: 7.2.1
|
158
|
+
version: 7.2.2.1
|
159
159
|
- !ruby/object:Gem::Dependency
|
160
160
|
name: activemodel
|
161
161
|
requirement: !ruby/object:Gem::Requirement
|
162
162
|
requirements:
|
163
163
|
- - '='
|
164
164
|
- !ruby/object:Gem::Version
|
165
|
-
version: 7.2.1
|
165
|
+
version: 7.2.2.1
|
166
166
|
type: :development
|
167
167
|
prerelease: false
|
168
168
|
version_requirements: !ruby/object:Gem::Requirement
|
169
169
|
requirements:
|
170
170
|
- - '='
|
171
171
|
- !ruby/object:Gem::Version
|
172
|
-
version: 7.2.1
|
172
|
+
version: 7.2.2.1
|
173
173
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
174
174
|
testing MVC web applications. Works with any Rack-compatible server.
|
175
175
|
email: david@loudthinking.com
|
@@ -369,10 +369,10 @@ licenses:
|
|
369
369
|
- MIT
|
370
370
|
metadata:
|
371
371
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
372
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.2.1
|
373
|
-
documentation_uri: https://api.rubyonrails.org/v7.2.1
|
372
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.2.2.1/actionpack/CHANGELOG.md
|
373
|
+
documentation_uri: https://api.rubyonrails.org/v7.2.2.1/
|
374
374
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
375
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.2.1
|
375
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.2.2.1/actionpack
|
376
376
|
rubygems_mfa_required: 'true'
|
377
377
|
post_install_message:
|
378
378
|
rdoc_options: []
|
@@ -390,7 +390,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
390
390
|
version: '0'
|
391
391
|
requirements:
|
392
392
|
- none
|
393
|
-
rubygems_version: 3.5.
|
393
|
+
rubygems_version: 3.5.22
|
394
394
|
signing_key:
|
395
395
|
specification_version: 4
|
396
396
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|