actionpack 8.0.0.rc2 → 8.0.0.1

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 76724412ee5fbe34b92080713c9e9fab617fe1a81c4400ba2ee252d55020a6e3
4
- data.tar.gz: 14b34e7e8e188f66b7f7da1542301fa5856fb0b14cb6213282c07c30fffbd76f
3
+ metadata.gz: f9788d8055b6cde3b25a111756f7ca6ceb3016a0373fc7c0c93acbe4a617feb9
4
+ data.tar.gz: e991798032e8ae1c6e993d62d7da219fe1dd58ab7242f4805470888c330e3a7f
5
5
  SHA512:
6
- metadata.gz: d13e4c2bc63c93db23db2ab94786700542926ba9c200f611985dd524fe7cd11602bc592a9124c14d7f08e39bf7e95ed56fbebdadb6c8391d5712bbad47fb62bf
7
- data.tar.gz: 8f90ce2cd483f2ac438680310306293ccf733b0052f064bfb265a74a65c81e8bab5a32d699914a6f5c713974367d3ae5756a11e0e88210f4198e0d195339ce9b
6
+ metadata.gz: 93ecb0819091de8e7792264cc49c0a3f4e6cc7ed18953c2064dfee14769e27fdffefd9c0eb36221a03be1fe20d930dcff1ebd2cba442169bcc74cad0727549fb
7
+ data.tar.gz: 154e96c7cd09af38ef3bd70db6c0f4c5da4d5c5daf292960b77032eb4c4687d5d0431413ca49893cb7fad9f22f5501da67c7ec6ba64ff11d560b9e496a8c51eb
data/CHANGELOG.md CHANGED
@@ -1,3 +1,18 @@
1
+ ## Rails 8.0.0.1 (December 10, 2024) ##
2
+
3
+ * Add validation to content security policies to disallow spaces and semicolons.
4
+ Developers should use multiple arguments, and different directive methods instead.
5
+
6
+ [CVE-2024-54133]
7
+
8
+ *Gannon McGibbon*
9
+
10
+
11
+ ## Rails 8.0.0 (November 07, 2024) ##
12
+
13
+ * No changes.
14
+
15
+
1
16
  ## Rails 8.0.0.rc2 (October 30, 2024) ##
2
17
 
3
18
  * Fix routes with `::` in the path.
@@ -266,7 +266,7 @@ module ActionController
266
266
  ParamsWrapper
267
267
  ]
268
268
 
269
- # Note: Documenting these severely degrates the performance of rdoc
269
+ # Note: Documenting these severely degrades the performance of rdoc
270
270
  # :stopdoc:
271
271
  include AbstractController::Rendering
272
272
  include AbstractController::Translation
@@ -106,13 +106,14 @@ module ActionController
106
106
 
107
107
  allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
108
108
 
109
- self.status = _extract_redirect_to_status(options, response_options)
109
+ proposed_status = _extract_redirect_to_status(options, response_options)
110
110
 
111
111
  redirect_to_location = _compute_redirect_to_location(request, options)
112
112
  _ensure_url_is_http_header_safe(redirect_to_location)
113
113
 
114
114
  self.location = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
115
115
  self.response_body = ""
116
+ self.status = proposed_status
116
117
  end
117
118
 
118
119
  # Soft deprecated alias for #redirect_back_or_to where the `fallback_location`
@@ -171,7 +171,7 @@ module ActionController # :nodoc:
171
171
  # Call render_body if we are streaming instead of usual `render`.
172
172
  def _render_template(options)
173
173
  if options.delete(:stream)
174
- # It shoudn't be necessary to set this.
174
+ # It shouldn't be necessary to set this.
175
175
  headers["cache-control"] ||= "no-cache"
176
176
 
177
177
  view_renderer.render_body(view_context, options)
@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
26
26
  # policy.report_uri "/csp-violation-report-endpoint"
27
27
  # end
28
28
  class ContentSecurityPolicy
29
+ class InvalidDirectiveError < StandardError
30
+ end
31
+
29
32
  class Middleware
30
33
  def initialize(app)
31
34
  @app = app
@@ -320,9 +323,9 @@ module ActionDispatch # :nodoc:
320
323
  @directives.map do |directive, sources|
321
324
  if sources.is_a?(Array)
322
325
  if nonce && nonce_directive?(directive, nonce_directives)
323
- "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
326
+ "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
324
327
  else
325
- "#{directive} #{build_directive(sources, context).join(' ')}"
328
+ "#{directive} #{build_directive(directive, sources, context).join(' ')}"
326
329
  end
327
330
  elsif sources
328
331
  directive
@@ -332,8 +335,22 @@ module ActionDispatch # :nodoc:
332
335
  end
333
336
  end
334
337
 
335
- def build_directive(sources, context)
336
- sources.map { |source| resolve_source(source, context) }
338
+ def validate(directive, sources)
339
+ sources.flatten.each do |source|
340
+ if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
341
+ raise InvalidDirectiveError, <<~MSG.squish
342
+ Invalid Content Security Policy #{directive}: "#{source}".
343
+ Directive values must not contain whitespace or semicolons.
344
+ Please use multiple arguments or other directive methods instead.
345
+ MSG
346
+ end
347
+ end
348
+ end
349
+
350
+ def build_directive(directive, sources, context)
351
+ resolved_sources = sources.map { |source| resolve_source(source, context) }
352
+
353
+ validate(directive, resolved_sources)
337
354
  end
338
355
 
339
356
  def resolve_source(source, context)
@@ -12,7 +12,7 @@ module ActionPack
12
12
  MAJOR = 8
13
13
  MINOR = 0
14
14
  TINY = 0
15
- PRE = "rc2"
15
+ PRE = "1"
16
16
 
17
17
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
18
18
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 8.0.0.rc2
4
+ version: 8.0.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-10-30 00:00:00.000000000 Z
11
+ date: 2024-12-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 8.0.0.rc2
19
+ version: 8.0.0.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 8.0.0.rc2
26
+ version: 8.0.0.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: nokogiri
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
128
128
  requirements:
129
129
  - - '='
130
130
  - !ruby/object:Gem::Version
131
- version: 8.0.0.rc2
131
+ version: 8.0.0.1
132
132
  type: :runtime
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - '='
137
137
  - !ruby/object:Gem::Version
138
- version: 8.0.0.rc2
138
+ version: 8.0.0.1
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: activemodel
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
143
  - - '='
144
144
  - !ruby/object:Gem::Version
145
- version: 8.0.0.rc2
145
+ version: 8.0.0.1
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
150
  - - '='
151
151
  - !ruby/object:Gem::Version
152
- version: 8.0.0.rc2
152
+ version: 8.0.0.1
153
153
  description: Web apps on Rails. Simple, battle-tested conventions for building and
154
154
  testing MVC web applications. Works with any Rack-compatible server.
155
155
  email: david@loudthinking.com
@@ -350,10 +350,10 @@ licenses:
350
350
  - MIT
351
351
  metadata:
352
352
  bug_tracker_uri: https://github.com/rails/rails/issues
353
- changelog_uri: https://github.com/rails/rails/blob/v8.0.0.rc2/actionpack/CHANGELOG.md
354
- documentation_uri: https://api.rubyonrails.org/v8.0.0.rc2/
353
+ changelog_uri: https://github.com/rails/rails/blob/v8.0.0.1/actionpack/CHANGELOG.md
354
+ documentation_uri: https://api.rubyonrails.org/v8.0.0.1/
355
355
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
356
- source_code_uri: https://github.com/rails/rails/tree/v8.0.0.rc2/actionpack
356
+ source_code_uri: https://github.com/rails/rails/tree/v8.0.0.1/actionpack
357
357
  rubygems_mfa_required: 'true'
358
358
  post_install_message:
359
359
  rdoc_options: []
@@ -371,7 +371,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
371
371
  version: '0'
372
372
  requirements:
373
373
  - none
374
- rubygems_version: 3.5.16
374
+ rubygems_version: 3.5.22
375
375
  signing_key:
376
376
  specification_version: 4
377
377
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).