actionpack 8.0.0 → 8.0.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 239a368486048f1afb68d3463355a6a9cde859c5cbe2199a708a35cb538d5dbb
4
- data.tar.gz: 4d16e862e97e3348f81b68a966747a220543cbac4a2ec0a3a804318dda76ce09
3
+ metadata.gz: 7e4dddbd1aa72f74822805435b23f5a92c79410529fc9e27048cb00d5092a612
4
+ data.tar.gz: 656ce52971952bc500713fe2892a980426ba65612907138c4ca0159951dbf338
5
5
  SHA512:
6
- metadata.gz: ddabd2752f936c6a8ef53d0ba4d077b9a28e8a4ef079ba45a0c3b3878ae21dc75675c8d36a16a05ac3f21f20ceae9e38b0f62049abadee67d4b2d15e6eb54b43
7
- data.tar.gz: cfddc2490012b49d47458e41211d17e577b6e748a87e5b9c43a011c3312398a8b00faee7ba283e78bdc2082df3fe116896bfe05b9daf55962596f94c31afaa10
6
+ metadata.gz: 814ef02acc2f6218c64045ba3e000fc379657b4cea039991a0fabe96792b0f77a9d843ba9592d04156c346d51b92c91535f4f9e7cde014ee03ffebe20e9292f7
7
+ data.tar.gz: 6568066218b50285be5baac02247119c5d296751e5f437ba6efe0131630f68cfe767656e0e7da485529747f562bebeb7282a8fa4d5a25e473af787da2a6e0c72
data/CHANGELOG.md CHANGED
@@ -1,3 +1,20 @@
1
+ ## Rails 8.0.1 (December 13, 2024) ##
2
+
3
+ * Add `ActionDispatch::Request::Session#store` method to conform Rack spec.
4
+
5
+ *Yaroslav*
6
+
7
+
8
+ ## Rails 8.0.0.1 (December 10, 2024) ##
9
+
10
+ * Add validation to content security policies to disallow spaces and semicolons.
11
+ Developers should use multiple arguments, and different directive methods instead.
12
+
13
+ [CVE-2024-54133]
14
+
15
+ *Gannon McGibbon*
16
+
17
+
1
18
  ## Rails 8.0.0 (November 07, 2024) ##
2
19
 
3
20
  * No changes.
@@ -28,7 +28,8 @@ module ActionController # :nodoc:
28
28
  # `send_file(params[:path])` allows a malicious user to download any file on
29
29
  # your server.
30
30
  #
31
- # Options:
31
+ # #### Options:
32
+ #
32
33
  # * `:filename` - suggests a filename for the browser to use. Defaults to
33
34
  # `File.basename(path)`.
34
35
  # * `:type` - specifies an HTTP content type. You can specify either a string
@@ -90,7 +91,8 @@ module ActionController # :nodoc:
90
91
  # inline data. You may also set the content type, the file name, and other
91
92
  # things.
92
93
  #
93
- # Options:
94
+ # #### Options:
95
+ #
94
96
  # * `:filename` - suggests a filename for the browser to use.
95
97
  # * `:type` - specifies an HTTP content type. Defaults to
96
98
  # `application/octet-stream`. You can specify either a string or a symbol
@@ -58,7 +58,7 @@ module ActionController
58
58
 
59
59
  module ClassMethods
60
60
  def make_response!(request)
61
- if request.get_header("HTTP_VERSION") == "HTTP/1.0"
61
+ if (request.get_header("SERVER_PROTOCOL") || request.get_header("HTTP_VERSION")) == "HTTP/1.0"
62
62
  super
63
63
  else
64
64
  Live::Response.new.tap do |res|
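Review bot: The changed condition in `make_response!` now prefers `SERVER_PROTOCOL` and only falls back to `HTTP_VERSION`, but nothing records why both keys are consulted. `SERVER_PROTOCOL` is the key the Rack/CGI environment defines for the protocol the server negotiated, whereas `HTTP_VERSION` is set only by some servers and, being an `HTTP_*` key, can presumably also be populated from a client-sent request header, so preferring the server-reported key is the safer order and deserves an inline comment such as `# Prefer the server-reported protocol; HTTP_VERSION is a non-standard key kept for servers that only set that.` Note that when neither key is present `get_header` yields nil and the comparison falls through to the streaming branch; if that is intentional for such servers, say so in the same comment. The body of `make_response!` continues past the end of the hunk.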
@@ -332,7 +332,8 @@ module ActionController
332
332
  # or other running data where you don't want the entire file buffered in memory
333
333
  # first. Similar to send_data, but where the data is generated live.
334
334
  #
335
- # Options:
335
+ # #### Options:
336
+ #
336
337
  # * `:filename` - suggests a filename for the browser to use.
337
338
  # * `:type` - specifies an HTTP content type. You can specify either a string
338
339
  # or a symbol for a registered type with `Mime::Type.register`, for example
@@ -513,7 +513,7 @@ module ActionController
513
513
  # It is recommended to use `expect` instead:
514
514
  #
515
515
  # def person_params
516
- # # params.expect(person: :name).require(:name)
516
+ # params.expect(person: :name).require(:name)
517
517
  # end
518
518
  #
519
519
  def require(key)
@@ -621,7 +621,7 @@ module ActionController
621
621
  # })
622
622
  #
623
623
  # params.permit(person: :contact).require(:person)
624
- # # => #<ActionController::Parameters {} permitted: true>
624
+ # # => ActionController::ParameterMissing: param is missing or the value is empty or invalid: person
625
625
  #
626
626
  # params.permit(person: { contact: :phone }).require(:person)
627
627
  # # => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"phone"=>"555-1234"} permitted: true>} permitted: true>
@@ -726,19 +726,19 @@ module ActionController
726
726
  # similar to the `.require.permit` pattern. If multiple root keys are
727
727
  # expected, they will all be required.
728
728
  #
729
- # params = ActionController::Parameters.new(name: "Martin", pies: [{ type: "dessert", flavor: "pumpkin"}])
730
- # name, pies = params.expect(:name, pies: [[:type, :flavor]])
731
- # name # => "Martin"
732
- # pies # => [#<ActionController::Parameters {"type"=>"dessert", "flavor"=>"pumpkin"} permitted: true>]
729
+ # params = ActionController::Parameters.new(name: "Martin", pies: [{ type: "dessert", flavor: "pumpkin"}])
730
+ # name, pies = params.expect(:name, pies: [[:type, :flavor]])
731
+ # name # => "Martin"
732
+ # pies # => [#<ActionController::Parameters {"type"=>"dessert", "flavor"=>"pumpkin"} permitted: true>]
733
733
  #
734
734
  # When called with a hash with multiple keys, `expect` will permit the
735
735
  # parameters and require the keys in the order they are given in the hash,
736
736
  # returning an array of the permitted parameters.
737
737
  #
738
- # params = ActionController::Parameters.new(subject: { name: "Martin" }, object: { pie: "pumpkin" })
739
- # subject, object = params.expect(subject: [:name], object: [:pie])
740
- # subject # => #<ActionController::Parameters {"name"=>"Martin"} permitted: true>
741
- # object # => #<ActionController::Parameters {"pie"=>"pumpkin"} permitted: true>
738
+ # params = ActionController::Parameters.new(subject: { name: "Martin" }, object: { pie: "pumpkin" })
739
+ # subject, object = params.expect(subject: [:name], object: [:pie])
740
+ # subject # => #<ActionController::Parameters {"name"=>"Martin"} permitted: true>
741
+ # object # => #<ActionController::Parameters {"pie"=>"pumpkin"} permitted: true>
742
742
  #
743
743
  # Besides being more strict about array vs hash params, `expect` uses permit
744
744
  # internally, so it will behave similarly.
@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
26
26
  # policy.report_uri "/csp-violation-report-endpoint"
27
27
  # end
28
28
  class ContentSecurityPolicy
29
+ class InvalidDirectiveError < StandardError
30
+ end
31
+
29
32
  class Middleware
30
33
  def initialize(app)
31
34
  @app = app
@@ -320,9 +323,9 @@ module ActionDispatch # :nodoc:
320
323
  @directives.map do |directive, sources|
321
324
  if sources.is_a?(Array)
322
325
  if nonce && nonce_directive?(directive, nonce_directives)
323
- "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
326
+ "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
324
327
  else
325
- "#{directive} #{build_directive(sources, context).join(' ')}"
328
+ "#{directive} #{build_directive(directive, sources, context).join(' ')}"
326
329
  end
327
330
  elsif sources
328
331
  directive
@@ -332,8 +335,22 @@ module ActionDispatch # :nodoc:
332
335
  end
333
336
  end
334
337
 
335
- def build_directive(sources, context)
336
- sources.map { |source| resolve_source(source, context) }
338
+ def validate(directive, sources)
339
+ sources.flatten.each do |source|
340
+ if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
341
+ raise InvalidDirectiveError, <<~MSG.squish
342
+ Invalid Content Security Policy #{directive}: "#{source}".
343
+ Directive values must not contain whitespace or semicolons.
344
+ Please use multiple arguments or other directive methods instead.
345
+ MSG
346
+ end
347
+ end
348
+ end
349
+
350
+ def build_directive(directive, sources, context)
351
+ resolved_sources = sources.map { |source| resolve_source(source, context) }
352
+
353
+ validate(directive, resolved_sources)
337
354
  end
338
355
 
339
356
  def resolve_source(source, context)
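Review bot: `build_directive` now returns whatever `validate` returns, and `validate` returns the result of `sources.flatten.each`, so the method's value is a flattened copy rather than `resolved_sources` itself; this only works because `Array#join` at the call sites flattens anyway, and a later edit to `validate` (returning `nil` or `true`, say) would silently break header generation. I would make the return explicit by following `validate(directive, resolved_sources)` with `resolved_sources` as the method's last line. `validate` also calls `include?` and `gsub` on every resolved value, so it assumes `resolve_source` always yields a String; if it can yield nil or a Symbol for some source the caller gets a `NoMethodError` instead of `InvalidDirectiveError`, which is worth confirming against `resolve_source`, whose body lies outside the hunk. A one-line comment on `validate` stating its purpose would help readers, e.g. `# Reject values containing whitespace or ';', which the serialized header would otherwise parse as a value or directive separator.`, and the bare `InvalidDirectiveError` class added in the earlier hunk could carry a matching one-liner saying it is raised by this check.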
@@ -155,6 +155,7 @@ module ActionDispatch
155
155
  load_for_write!
156
156
  @delegate[key.to_s] = value
157
157
  end
158
+ alias store []=
158
159
 
159
160
  # Clears the session.
160
161
  def clear
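Review bot: `alias store []=` is added without a comment, so a reader of this class has no hint that `store` exists to satisfy Rack's session interface rather than as a Rails convenience; the changelog entry gives the reason and it belongs next to the alias, e.g. `# Rack's session interface calls #store; alias it to #[]= so writes take the same load_for_write! path.` Aliasing is the right choice here, since a separate definition would risk drifting from the `load_for_write!` call visible at the top of the hunk. The `[]=` method that the hunk ends begins before the hunk.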
@@ -9,8 +9,7 @@ module ActionDispatch
9
9
  module TestProcess
10
10
  module FixtureFile
11
11
  # Shortcut for
12
- # `Rack::Test::UploadedFile.new(File.join(ActionDispatch::IntegrationTest.file_f
13
- # ixture_path, path), type)`:
12
+ # `Rack::Test::UploadedFile.new(File.join(ActionDispatch::IntegrationTest.file_fixture_path, path), type)`:
14
13
  #
15
14
  # post :change_avatar, params: { avatar: file_fixture_upload('david.png', 'image/png') }
16
15
  #
@@ -11,7 +11,7 @@ module ActionPack
11
11
  module VERSION
12
12
  MAJOR = 8
13
13
  MINOR = 0
14
- TINY = 0
14
+ TINY = 1
15
15
  PRE = nil
16
16
 
17
17
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 8.0.0
4
+ version: 8.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-11-07 00:00:00.000000000 Z
11
+ date: 2024-12-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 8.0.0
19
+ version: 8.0.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 8.0.0
26
+ version: 8.0.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: nokogiri
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
128
128
  requirements:
129
129
  - - '='
130
130
  - !ruby/object:Gem::Version
131
- version: 8.0.0
131
+ version: 8.0.1
132
132
  type: :runtime
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - '='
137
137
  - !ruby/object:Gem::Version
138
- version: 8.0.0
138
+ version: 8.0.1
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: activemodel
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
143
  - - '='
144
144
  - !ruby/object:Gem::Version
145
- version: 8.0.0
145
+ version: 8.0.1
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
150
  - - '='
151
151
  - !ruby/object:Gem::Version
152
- version: 8.0.0
152
+ version: 8.0.1
153
153
  description: Web apps on Rails. Simple, battle-tested conventions for building and
154
154
  testing MVC web applications. Works with any Rack-compatible server.
155
155
  email: david@loudthinking.com
@@ -350,10 +350,10 @@ licenses:
350
350
  - MIT
351
351
  metadata:
352
352
  bug_tracker_uri: https://github.com/rails/rails/issues
353
- changelog_uri: https://github.com/rails/rails/blob/v8.0.0/actionpack/CHANGELOG.md
354
- documentation_uri: https://api.rubyonrails.org/v8.0.0/
353
+ changelog_uri: https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md
354
+ documentation_uri: https://api.rubyonrails.org/v8.0.1/
355
355
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
356
- source_code_uri: https://github.com/rails/rails/tree/v8.0.0/actionpack
356
+ source_code_uri: https://github.com/rails/rails/tree/v8.0.1/actionpack
357
357
  rubygems_mfa_required: 'true'
358
358
  post_install_message:
359
359
  rdoc_options: []