actionpack 8.0.0.rc2 → 8.0.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76724412ee5fbe34b92080713c9e9fab617fe1a81c4400ba2ee252d55020a6e3
-  data.tar.gz: 14b34e7e8e188f66b7f7da1542301fa5856fb0b14cb6213282c07c30fffbd76f
+  metadata.gz: f9788d8055b6cde3b25a111756f7ca6ceb3016a0373fc7c0c93acbe4a617feb9
+  data.tar.gz: e991798032e8ae1c6e993d62d7da219fe1dd58ab7242f4805470888c330e3a7f
 SHA512:
-  metadata.gz: d13e4c2bc63c93db23db2ab94786700542926ba9c200f611985dd524fe7cd11602bc592a9124c14d7f08e39bf7e95ed56fbebdadb6c8391d5712bbad47fb62bf
-  data.tar.gz: 8f90ce2cd483f2ac438680310306293ccf733b0052f064bfb265a74a65c81e8bab5a32d699914a6f5c713974367d3ae5756a11e0e88210f4198e0d195339ce9b
+  metadata.gz: 93ecb0819091de8e7792264cc49c0a3f4e6cc7ed18953c2064dfee14769e27fdffefd9c0eb36221a03be1fe20d930dcff1ebd2cba442169bcc74cad0727549fb
+  data.tar.gz: 154e96c7cd09af38ef3bd70db6c0f4c5da4d5c5daf292960b77032eb4c4687d5d0431413ca49893cb7fad9f22f5501da67c7ec6ba64ff11d560b9e496a8c51eb

data/CHANGELOG.md

@@ -1,3 +1,18 @@
+## Rails 8.0.0.1 (December 10, 2024) ##
+
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+
+    [CVE-2024-54133]
+
+    *Gannon McGibbon*
+
+
+## Rails 8.0.0 (November 07, 2024) ##
+
+*   No changes.
+
+
 ## Rails 8.0.0.rc2 (October 30, 2024) ##
 
 *   Fix routes with `::` in the path.

data/lib/action_controller/base.rb

@@ -266,7 +266,7 @@ module ActionController
       ParamsWrapper
     ]
 
-    # Note: Documenting these severely degrates the performance of rdoc
+    # Note: Documenting these severely degrades the performance of rdoc
     # :stopdoc:
     include AbstractController::Rendering
     include AbstractController::Translation

data/lib/action_controller/metal/redirecting.rb

@@ -106,13 +106,14 @@ module ActionController
 
       allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
 
-      self.status = _extract_redirect_to_status(options, response_options)
+      proposed_status = _extract_redirect_to_status(options, response_options)
 
       redirect_to_location = _compute_redirect_to_location(request, options)
       _ensure_url_is_http_header_safe(redirect_to_location)
 
       self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
       self.response_body = ""
+      self.status        = proposed_status
     end
 
     # Soft deprecated alias for #redirect_back_or_to where the `fallback_location`

data/lib/action_controller/metal/streaming.rb

@@ -171,7 +171,7 @@ module ActionController # :nodoc:
       # Call render_body if we are streaming instead of usual `render`.
       def _render_template(options)
         if options.delete(:stream)
-          # It shoudn't be necessary to set this.
+          # It shouldn't be necessary to set this.
           headers["cache-control"] ||= "no-cache"
 
           view_renderer.render_body(view_context, options)

data/lib/action_dispatch/http/content_security_policy.rb

@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
   #       policy.report_uri "/csp-violation-report-endpoint"
   #     end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
+
     class Middleware
       def initialize(app)
         @app = app
@@ -320,9 +323,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -332,8 +335,22 @@ module ActionDispatch # :nodoc:
         end
       end
 
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+        validate(directive, resolved_sources)
       end
 
       def resolve_source(source, context)

data/lib/action_pack/gem_version.rb

@@ -12,7 +12,7 @@ module ActionPack
     MAJOR = 8
     MINOR = 0
     TINY  = 0
-    PRE   = "rc2"
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 8.0.0.rc2
+  version: 8.0.0.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-30 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc2
+        version: 8.0.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc2
+        version: 8.0.0.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc2
+        version: 8.0.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc2
+        version: 8.0.0.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc2
+        version: 8.0.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc2
+        version: 8.0.0.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -350,10 +350,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v8.0.0.rc2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v8.0.0.rc2/
+  changelog_uri: https://github.com/rails/rails/blob/v8.0.0.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v8.0.0.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v8.0.0.rc2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v8.0.0.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
@@ -371,7 +371,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).