actionpack 8.0.0 → 8.0.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/lib/action_controller/metal/data_streaming.rb +4 -2
- data/lib/action_controller/metal/live.rb +3 -2
- data/lib/action_controller/metal/strong_parameters.rb +10 -10
- data/lib/action_dispatch/http/content_security_policy.rb +21 -4
- data/lib/action_dispatch/request/session.rb +1 -0
- data/lib/action_dispatch/testing/test_process.rb +1 -2
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +11 -11
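--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7e4dddbd1aa72f74822805435b23f5a92c79410529fc9e27048cb00d5092a612
+data.tar.gz: 656ce52971952bc500713fe2892a980426ba65612907138c4ca0159951dbf338
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 814ef02acc2f6218c64045ba3e000fc379657b4cea039991a0fabe96792b0f77a9d843ba9592d04156c346d51b92c91535f4f9e7cde014ee03ffebe20e9292f7
+data.tar.gz: 6568066218b50285be5baac02247119c5d296751e5f437ba6efe0131630f68cfe767656e0e7da485529747f562bebeb7282a8fa4d5a25e473af787da2a6e0c72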
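--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,20 @@
+## Rails 8.0.1 (December 13, 2024) ##
+
+* Add `ActionDispatch::Request::Session#store` method to conform Rack spec.
+
+*Yaroslav*
+
+
+## Rails 8.0.0.1 (December 10, 2024) ##
+
+* Add validation to content security policies to disallow spaces and semicolons.
+Developers should use multiple arguments, and different directive methods instead.
+
+[CVE-2024-54133]
+
+*Gannon McGibbon*
+
+
 ## Rails 8.0.0 (November 07, 2024) ##
 
 * No changes.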
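--- a/data/lib/action_controller/metal/data_streaming.rb
+++ b/data/lib/action_controller/metal/data_streaming.rb
@@ -28,7 +28,8 @@ module ActionController # :nodoc:
 # `send_file(params[:path])` allows a malicious user to download any file on
 # your server.
 #
-# Options:
+# #### Options:
+#
 # * `:filename` - suggests a filename for the browser to use. Defaults to
 # `File.basename(path)`.
 # * `:type` - specifies an HTTP content type. You can specify either a string
@@ -90,7 +91,8 @@ module ActionController # :nodoc:
 # inline data. You may also set the content type, the file name, and other
 # things.
 #
-# Options:
+# #### Options:
+#
 # * `:filename` - suggests a filename for the browser to use.
 # * `:type` - specifies an HTTP content type. Defaults to
 # `application/octet-stream`. You can specify either a string or a symbol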
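--- a/data/lib/action_controller/metal/live.rb
+++ b/data/lib/action_controller/metal/live.rb
@@ -58,7 +58,7 @@ module ActionController
 
 module ClassMethods
 def make_response!(request)
-if request.get_header("HTTP_VERSION") == "HTTP/1.0"
+if (request.get_header("SERVER_PROTOCOL") || request.get_header("HTTP_VERSION")) == "HTTP/1.0"
 super
 else
 Live::Response.new.tap do |res|
@@ -332,7 +332,8 @@ module ActionController
 # or other running data where you don't want the entire file buffered in memory
 # first. Similar to send_data, but where the data is generated live.
 #
-# Options:
+# #### Options:
+#
 # * `:filename` - suggests a filename for the browser to use.
 # * `:type` - specifies an HTTP content type. You can specify either a string
 # or a symbol for a registered type with `Mime::Type.register`, for example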
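Review bot: In `make_response!` the protocol lookup is inlined into the `if` condition, which hides the intent of the change (prefer the server-set `SERVER_PROTOCOL`, fall back to the legacy `HTTP_VERSION` key); extracting it, `protocol = request.get_header("SERVER_PROTOCOL") || request.get_header("HTTP_VERSION")` followed by `if protocol == "HTTP/1.0"`, reads more clearly and gives the fallback a place for a comment. Preferring `SERVER_PROTOCOL` is the right order, because in stacks that map every incoming request header onto an `HTTP_*` env key a client-supplied header could be what populates `HTTP_VERSION`, so a one-line comment noting that the value only decides between `super` and a `Live::Response` would help the next maintainer judge how much to trust it. The body of `make_response!` continues past the hunk.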
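--- a/data/lib/action_controller/metal/strong_parameters.rb
+++ b/data/lib/action_controller/metal/strong_parameters.rb
@@ -513,7 +513,7 @@ module ActionController
 # It is recommended to use `expect` instead:
 #
 # def person_params
-#
+# params.expect(person: :name).require(:name)
 # end
 #
 def require(key)
@@ -621,7 +621,7 @@ module ActionController
 # })
 #
 # params.permit(person: :contact).require(:person)
-# # =>
+# # => ActionController::ParameterMissing: param is missing or the value is empty or invalid: person
 #
 # params.permit(person: { contact: :phone }).require(:person)
 # # => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"phone"=>"555-1234"} permitted: true>} permitted: true>
@@ -726,19 +726,19 @@ module ActionController
 # similar to the `.require.permit` pattern. If multiple root keys are
 # expected, they will all be required.
 #
-#
-#
-#
-#
+# params = ActionController::Parameters.new(name: "Martin", pies: [{ type: "dessert", flavor: "pumpkin"}])
+# name, pies = params.expect(:name, pies: [[:type, :flavor]])
+# name # => "Martin"
+# pies # => [#<ActionController::Parameters {"type"=>"dessert", "flavor"=>"pumpkin"} permitted: true>]
 #
 # When called with a hash with multiple keys, `expect` will permit the
 # parameters and require the keys in the order they are given in the hash,
 # returning an array of the permitted parameters.
 #
-#
-#
-#
-#
+# params = ActionController::Parameters.new(subject: { name: "Martin" }, object: { pie: "pumpkin" })
+# subject, object = params.expect(subject: [:name], object: [:pie])
+# subject # => #<ActionController::Parameters {"name"=>"Martin"} permitted: true>
+# object # => #<ActionController::Parameters {"pie"=>"pumpkin"} permitted: true>
 #
 # Besides being more strict about array vs hash params, `expect` uses permit
 # internally, so it will behave similarly.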
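--- a/data/lib/action_dispatch/http/content_security_policy.rb
+++ b/data/lib/action_dispatch/http/content_security_policy.rb
@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
 # policy.report_uri "/csp-violation-report-endpoint"
 # end
 class ContentSecurityPolicy
+class InvalidDirectiveError < StandardError
+end
+
 class Middleware
 def initialize(app)
 @app = app
@@ -320,9 +323,9 @@ module ActionDispatch # :nodoc:
 @directives.map do |directive, sources|
 if sources.is_a?(Array)
 if nonce && nonce_directive?(directive, nonce_directives)
-"#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+"#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
 else
-"#{directive} #{build_directive(sources, context).join(' ')}"
+"#{directive} #{build_directive(directive, sources, context).join(' ')}"
 end
 elsif sources
 directive
@@ -332,8 +335,22 @@ module ActionDispatch # :nodoc:
 end
 end
 
-def
-sources.
+def validate(directive, sources)
+sources.flatten.each do |source|
+if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+raise InvalidDirectiveError, <<~MSG.squish
+Invalid Content Security Policy #{directive}: "#{source}".
+Directive values must not contain whitespace or semicolons.
+Please use multiple arguments or other directive methods instead.
+MSG
+end
+end
+end
+
+def build_directive(directive, sources, context)
+resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+validate(directive, resolved_sources)
 end
 
 def resolve_source(source, context)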
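Review bot: `build_directive` returns whatever `validate` returns, and `validate` returns the receiver of its `each`, i.e. `sources.flatten`, which the callers in the `@directives.map` hunk hand straight to `join(' ')`; that contract is implicit, so a comment on `validate` such as `# Returns the flattened sources so build_directive can pass them to join as-is.` or an explicit return value in `build_directive` would stop it from breaking silently the next time `validate` is edited. The whitespace test `source != source.gsub(/[[:space:]]/, "")` builds a throwaway string only to compare it; `if source.include?(";") || source.match?(/[[:space:]]/)` states the same check directly. Validating `resolved_sources` rather than the raw arguments is the right choice, since it also covers values that `resolve_source` computes at request time rather than only literals from the policy file. The enclosing class and the body of `resolve_source` continue outside the hunk.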
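--- a/data/lib/action_dispatch/testing/test_process.rb
+++ b/data/lib/action_dispatch/testing/test_process.rb
@@ -9,8 +9,7 @@ module ActionDispatch
 module TestProcess
 module FixtureFile
 # Shortcut for
-# `Rack::Test::UploadedFile.new(File.join(ActionDispatch::IntegrationTest.
-# ixture_path, path), type)`:
+# `Rack::Test::UploadedFile.new(File.join(ActionDispatch::IntegrationTest.file_fixture_path, path), type)`:
 #
 # post :change_avatar, params: { avatar: file_fixture_upload('david.png', 'image/png') }
 #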
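--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-
+date: 2024-12-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.1
 - !ruby/object:Gem::Dependency
 name: nokogiri
 requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.1
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.1
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.
+version: 8.0.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -350,10 +350,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v8.0.
-documentation_uri: https://api.rubyonrails.org/v8.0.
+changelog_uri: https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v8.0.1/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v8.0.
+source_code_uri: https://github.com/rails/rails/tree/v8.0.1/actionpack
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []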