actionpack 8.0.0.rc2 → 8.0.0.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/lib/action_controller/base.rb +1 -1
- data/lib/action_controller/metal/redirecting.rb +2 -1
- data/lib/action_controller/metal/streaming.rb +1 -1
- data/lib/action_dispatch/http/content_security_policy.rb +21 -4
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f9788d8055b6cde3b25a111756f7ca6ceb3016a0373fc7c0c93acbe4a617feb9
|
4
|
+
data.tar.gz: e991798032e8ae1c6e993d62d7da219fe1dd58ab7242f4805470888c330e3a7f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 93ecb0819091de8e7792264cc49c0a3f4e6cc7ed18953c2064dfee14769e27fdffefd9c0eb36221a03be1fe20d930dcff1ebd2cba442169bcc74cad0727549fb
|
7
|
+
data.tar.gz: 154e96c7cd09af38ef3bd70db6c0f4c5da4d5c5daf292960b77032eb4c4687d5d0431413ca49893cb7fad9f22f5501da67c7ec6ba64ff11d560b9e496a8c51eb
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,18 @@
|
|
1
|
+
## Rails 8.0.0.1 (December 10, 2024) ##
|
2
|
+
|
3
|
+
* Add validation to content security policies to disallow spaces and semicolons.
|
4
|
+
Developers should use multiple arguments, and different directive methods instead.
|
5
|
+
|
6
|
+
[CVE-2024-54133]
|
7
|
+
|
8
|
+
*Gannon McGibbon*
|
9
|
+
|
10
|
+
|
11
|
+
## Rails 8.0.0 (November 07, 2024) ##
|
12
|
+
|
13
|
+
* No changes.
|
14
|
+
|
15
|
+
|
1
16
|
## Rails 8.0.0.rc2 (October 30, 2024) ##
|
2
17
|
|
3
18
|
* Fix routes with `::` in the path.
|
@@ -266,7 +266,7 @@ module ActionController
|
|
266
266
|
ParamsWrapper
|
267
267
|
]
|
268
268
|
|
269
|
-
# Note: Documenting these severely
|
269
|
+
# Note: Documenting these severely degrades the performance of rdoc
|
270
270
|
# :stopdoc:
|
271
271
|
include AbstractController::Rendering
|
272
272
|
include AbstractController::Translation
|
@@ -106,13 +106,14 @@ module ActionController
|
|
106
106
|
|
107
107
|
allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
|
108
108
|
|
109
|
-
|
109
|
+
proposed_status = _extract_redirect_to_status(options, response_options)
|
110
110
|
|
111
111
|
redirect_to_location = _compute_redirect_to_location(request, options)
|
112
112
|
_ensure_url_is_http_header_safe(redirect_to_location)
|
113
113
|
|
114
114
|
self.location = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
|
115
115
|
self.response_body = ""
|
116
|
+
self.status = proposed_status
|
116
117
|
end
|
117
118
|
|
118
119
|
# Soft deprecated alias for #redirect_back_or_to where the `fallback_location`
|
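Review bot: The split introduced at lines 109 and 116 — computing `proposed_status` before the location is checked but assigning `self.status` only after `_ensure_url_is_http_header_safe` and `_enforce_open_redirect_protection` have run — is deliberate but carries no comment, so a later tidy-up could merge the two lines back together and undo the fix. A one-line comment above the assignment would preserve the intent: `# Assign status last so a rejected location leaves the response status untouched.` I am inferring from their names that the two checks raise on an unsafe location; the hunk itself does not show that. The enclosing method begins before this hunk.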
@@ -171,7 +171,7 @@ module ActionController # :nodoc:
|
|
171
171
|
# Call render_body if we are streaming instead of usual `render`.
|
172
172
|
def _render_template(options)
|
173
173
|
if options.delete(:stream)
|
174
|
-
# It
|
174
|
+
# It shouldn't be necessary to set this.
|
175
175
|
headers["cache-control"] ||= "no-cache"
|
176
176
|
|
177
177
|
view_renderer.render_body(view_context, options)
|
@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
|
|
26
26
|
# policy.report_uri "/csp-violation-report-endpoint"
|
27
27
|
# end
|
28
28
|
class ContentSecurityPolicy
|
29
|
+
class InvalidDirectiveError < StandardError
|
30
|
+
end
|
31
|
+
|
29
32
|
class Middleware
|
30
33
|
def initialize(app)
|
31
34
|
@app = app
|
@@ -320,9 +323,9 @@ module ActionDispatch # :nodoc:
|
|
320
323
|
@directives.map do |directive, sources|
|
321
324
|
if sources.is_a?(Array)
|
322
325
|
if nonce && nonce_directive?(directive, nonce_directives)
|
323
|
-
"#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
|
326
|
+
"#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
|
324
327
|
else
|
325
|
-
"#{directive} #{build_directive(sources, context).join(' ')}"
|
328
|
+
"#{directive} #{build_directive(directive, sources, context).join(' ')}"
|
326
329
|
end
|
327
330
|
elsif sources
|
328
331
|
directive
|
@@ -332,8 +335,22 @@ module ActionDispatch # :nodoc:
|
|
332
335
|
end
|
333
336
|
end
|
334
337
|
|
335
|
-
def
|
336
|
-
sources.
|
338
|
+
def validate(directive, sources)
|
339
|
+
sources.flatten.each do |source|
|
340
|
+
if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
|
341
|
+
raise InvalidDirectiveError, <<~MSG.squish
|
342
|
+
Invalid Content Security Policy #{directive}: "#{source}".
|
343
|
+
Directive values must not contain whitespace or semicolons.
|
344
|
+
Please use multiple arguments or other directive methods instead.
|
345
|
+
MSG
|
346
|
+
end
|
347
|
+
end
|
348
|
+
end
|
349
|
+
|
350
|
+
def build_directive(directive, sources, context)
|
351
|
+
resolved_sources = sources.map { |source| resolve_source(source, context) }
|
352
|
+
|
353
|
+
validate(directive, resolved_sources)
|
337
354
|
end
|
338
355
|
|
339
356
|
def resolve_source(source, context)
|
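Review bot: In the third hunk, `build_directive` (line 350) now returns whatever `validate(directive, resolved_sources)` returns, and `validate` only yields something useful because `Array#each` at line 339 returns its receiver; the callers at lines 326 and 328 then `.join(' ')` that result. Any later edit to `validate` (an explicit `nil` return, an `any?`/`each_with_index` rewrite) would silently break header construction, so the return should be explicit: `validate(directive, resolved_sources)` followed by `resolved_sources` on its own line. Note also that what is returned today is `resolved_sources.flatten`, not `resolved_sources`; whether `resolve_source` can ever produce nested arrays is not visible here, so this may or may not alter output for some inputs. `validate` and `build_directive` are both fully inside the hunk; `resolve_source` at line 356 continues past it.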
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 8.0.0.
|
4
|
+
version: 8.0.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-10
|
11
|
+
date: 2024-12-10 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 8.0.0.
|
19
|
+
version: 8.0.0.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 8.0.0.
|
26
|
+
version: 8.0.0.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: nokogiri
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -128,28 +128,28 @@ dependencies:
|
|
128
128
|
requirements:
|
129
129
|
- - '='
|
130
130
|
- !ruby/object:Gem::Version
|
131
|
-
version: 8.0.0.
|
131
|
+
version: 8.0.0.1
|
132
132
|
type: :runtime
|
133
133
|
prerelease: false
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
135
135
|
requirements:
|
136
136
|
- - '='
|
137
137
|
- !ruby/object:Gem::Version
|
138
|
-
version: 8.0.0.
|
138
|
+
version: 8.0.0.1
|
139
139
|
- !ruby/object:Gem::Dependency
|
140
140
|
name: activemodel
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
142
142
|
requirements:
|
143
143
|
- - '='
|
144
144
|
- !ruby/object:Gem::Version
|
145
|
-
version: 8.0.0.
|
145
|
+
version: 8.0.0.1
|
146
146
|
type: :development
|
147
147
|
prerelease: false
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
149
149
|
requirements:
|
150
150
|
- - '='
|
151
151
|
- !ruby/object:Gem::Version
|
152
|
-
version: 8.0.0.
|
152
|
+
version: 8.0.0.1
|
153
153
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
154
154
|
testing MVC web applications. Works with any Rack-compatible server.
|
155
155
|
email: david@loudthinking.com
|
@@ -350,10 +350,10 @@ licenses:
|
|
350
350
|
- MIT
|
351
351
|
metadata:
|
352
352
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
353
|
-
changelog_uri: https://github.com/rails/rails/blob/v8.0.0.
|
354
|
-
documentation_uri: https://api.rubyonrails.org/v8.0.0.
|
353
|
+
changelog_uri: https://github.com/rails/rails/blob/v8.0.0.1/actionpack/CHANGELOG.md
|
354
|
+
documentation_uri: https://api.rubyonrails.org/v8.0.0.1/
|
355
355
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
356
|
-
source_code_uri: https://github.com/rails/rails/tree/v8.0.0.
|
356
|
+
source_code_uri: https://github.com/rails/rails/tree/v8.0.0.1/actionpack
|
357
357
|
rubygems_mfa_required: 'true'
|
358
358
|
post_install_message:
|
359
359
|
rdoc_options: []
|
@@ -371,7 +371,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
371
371
|
version: '0'
|
372
372
|
requirements:
|
373
373
|
- none
|
374
|
-
rubygems_version: 3.5.
|
374
|
+
rubygems_version: 3.5.22
|
375
375
|
signing_key:
|
376
376
|
specification_version: 4
|
377
377
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|