actionpack 7.2.1 → 7.2.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: aa5e422c3ae8a04f0fac4410c72203218277a1b813047ad3ce5aa3274eac5a0e
|
|
4
|
+
data.tar.gz: 19620a0b88f940ae2a3183dbf20828228ae3f8fb567d32e715ba92fd9ea29db8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 27b3549782fe4594a04571356362c11a03a1bf9e368fbf49662a1514cc170ec01f85be5085ffe77e62e57435702637db27f0502c118b7084d90d05f00e0d7a1a
|
|
7
|
+
data.tar.gz: d8ba844e9b95cf76ebcbc899678b2752f5f3ddbf3cb81a4ac94c86ed1f4bb5d3fd471f701e69779f9aee99bbd0612f5aa2ddf79e75d32735aab436f58ef99cb7
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
## Rails 7.2.1.1 (October 15, 2024) ##
|
|
2
|
+
|
|
3
|
+
* Avoid regex backtracking in HTTP Token authentication
|
|
4
|
+
|
|
5
|
+
[CVE-2024-47887]
|
|
6
|
+
|
|
7
|
+
* Avoid regex backtracking in query parameter filtering
|
|
8
|
+
|
|
9
|
+
[CVE-2024-41128]
|
|
10
|
+
|
|
1
11
|
## Rails 7.2.1 (August 22, 2024) ##
|
|
2
12
|
|
|
3
13
|
* Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
|
|
@@ -513,14 +513,11 @@ module ActionController
|
|
|
513
513
|
array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
|
|
514
514
|
end
|
|
515
515
|
|
|
516
|
-
WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
|
|
517
|
-
private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
|
|
518
|
-
|
|
519
516
|
# This method takes an authorization body and splits up the key-value pairs by
|
|
520
517
|
# the standardized `:`, `;`, or `\t` delimiters defined in
|
|
521
518
|
# `AUTHN_PAIR_DELIMITERS`.
|
|
522
519
|
def raw_params(auth)
|
|
523
|
-
_raw_params = auth.sub(TOKEN_REGEX, "").split(
|
|
520
|
+
_raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
|
|
524
521
|
_raw_params.reject!(&:empty?)
|
|
525
522
|
|
|
526
523
|
if !_raw_params.first&.start_with?(TOKEN_KEY)
|
|
@@ -68,12 +68,17 @@ module ActionDispatch
|
|
|
68
68
|
ActiveSupport::ParameterFilter.new(filters)
|
|
69
69
|
end
|
|
70
70
|
|
|
71
|
-
KV_RE = "[^&;=]+"
|
|
72
|
-
PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
|
|
73
71
|
def filtered_query_string # :doc:
|
|
74
|
-
query_string.
|
|
75
|
-
|
|
72
|
+
parts = query_string.split(/([&;])/)
|
|
73
|
+
filtered_parts = parts.map do |part|
|
|
74
|
+
if part.include?("=")
|
|
75
|
+
key, value = part.split("=", 2)
|
|
76
|
+
parameter_filter.filter(key => value).first.join("=")
|
|
77
|
+
else
|
|
78
|
+
part
|
|
79
|
+
end
|
|
76
80
|
end
|
|
81
|
+
filtered_parts.join("")
|
|
77
82
|
end
|
|
78
83
|
end
|
|
79
84
|
end
|
|
@@ -37,9 +37,16 @@ module ActionDispatch
|
|
|
37
37
|
def parameter_filtered_location
|
|
38
38
|
uri = URI.parse(location)
|
|
39
39
|
unless uri.query.nil? || uri.query.empty?
|
|
40
|
-
uri.query.
|
|
41
|
-
|
|
40
|
+
parts = uri.query.split(/([&;])/)
|
|
41
|
+
filtered_parts = parts.map do |part|
|
|
42
|
+
if part.include?("=")
|
|
43
|
+
key, value = part.split("=", 2)
|
|
44
|
+
request.parameter_filter.filter(key => value).first.join("=")
|
|
45
|
+
else
|
|
46
|
+
part
|
|
47
|
+
end
|
|
42
48
|
end
|
|
49
|
+
uri.query = filtered_parts.join("")
|
|
43
50
|
end
|
|
44
51
|
uri.to_s
|
|
45
52
|
rescue URI::Error
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.2.1
|
|
4
|
+
version: 7.2.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-10-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 7.2.1
|
|
19
|
+
version: 7.2.1.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 7.2.1
|
|
26
|
+
version: 7.2.1.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: nokogiri
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -148,28 +148,28 @@ dependencies:
|
|
|
148
148
|
requirements:
|
|
149
149
|
- - '='
|
|
150
150
|
- !ruby/object:Gem::Version
|
|
151
|
-
version: 7.2.1
|
|
151
|
+
version: 7.2.1.1
|
|
152
152
|
type: :runtime
|
|
153
153
|
prerelease: false
|
|
154
154
|
version_requirements: !ruby/object:Gem::Requirement
|
|
155
155
|
requirements:
|
|
156
156
|
- - '='
|
|
157
157
|
- !ruby/object:Gem::Version
|
|
158
|
-
version: 7.2.1
|
|
158
|
+
version: 7.2.1.1
|
|
159
159
|
- !ruby/object:Gem::Dependency
|
|
160
160
|
name: activemodel
|
|
161
161
|
requirement: !ruby/object:Gem::Requirement
|
|
162
162
|
requirements:
|
|
163
163
|
- - '='
|
|
164
164
|
- !ruby/object:Gem::Version
|
|
165
|
-
version: 7.2.1
|
|
165
|
+
version: 7.2.1.1
|
|
166
166
|
type: :development
|
|
167
167
|
prerelease: false
|
|
168
168
|
version_requirements: !ruby/object:Gem::Requirement
|
|
169
169
|
requirements:
|
|
170
170
|
- - '='
|
|
171
171
|
- !ruby/object:Gem::Version
|
|
172
|
-
version: 7.2.1
|
|
172
|
+
version: 7.2.1.1
|
|
173
173
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
|
174
174
|
testing MVC web applications. Works with any Rack-compatible server.
|
|
175
175
|
email: david@loudthinking.com
|
|
@@ -369,12 +369,12 @@ licenses:
|
|
|
369
369
|
- MIT
|
|
370
370
|
metadata:
|
|
371
371
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
372
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.2.1/actionpack/CHANGELOG.md
|
|
373
|
-
documentation_uri: https://api.rubyonrails.org/v7.2.1/
|
|
372
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.2.1.1/actionpack/CHANGELOG.md
|
|
373
|
+
documentation_uri: https://api.rubyonrails.org/v7.2.1.1/
|
|
374
374
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
375
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.2.1/actionpack
|
|
375
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.2.1.1/actionpack
|
|
376
376
|
rubygems_mfa_required: 'true'
|
|
377
|
-
post_install_message:
|
|
377
|
+
post_install_message:
|
|
378
378
|
rdoc_options: []
|
|
379
379
|
require_paths:
|
|
380
380
|
- lib
|
|
@@ -390,8 +390,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
390
390
|
version: '0'
|
|
391
391
|
requirements:
|
|
392
392
|
- none
|
|
393
|
-
rubygems_version: 3.5.
|
|
394
|
-
signing_key:
|
|
393
|
+
rubygems_version: 3.5.16
|
|
394
|
+
signing_key:
|
|
395
395
|
specification_version: 4
|
|
396
396
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
|
397
397
|
test_files: []
|