actionpack 8.0.0 → 8.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/lib/action_controller/metal/data_streaming.rb +4 -2
- data/lib/action_controller/metal/live.rb +3 -2
- data/lib/action_controller/metal/strong_parameters.rb +10 -10
- data/lib/action_dispatch/http/content_security_policy.rb +21 -4
- data/lib/action_dispatch/request/session.rb +1 -0
- data/lib/action_dispatch/testing/test_process.rb +1 -2
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +11 -11
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7e4dddbd1aa72f74822805435b23f5a92c79410529fc9e27048cb00d5092a612
|
|
4
|
+
data.tar.gz: 656ce52971952bc500713fe2892a980426ba65612907138c4ca0159951dbf338
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 814ef02acc2f6218c64045ba3e000fc379657b4cea039991a0fabe96792b0f77a9d843ba9592d04156c346d51b92c91535f4f9e7cde014ee03ffebe20e9292f7
|
|
7
|
+
data.tar.gz: 6568066218b50285be5baac02247119c5d296751e5f437ba6efe0131630f68cfe767656e0e7da485529747f562bebeb7282a8fa4d5a25e473af787da2a6e0c72
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,20 @@
|
|
|
1
|
+
## Rails 8.0.1 (December 13, 2024) ##
|
|
2
|
+
|
|
3
|
+
* Add `ActionDispatch::Request::Session#store` method to conform Rack spec.
|
|
4
|
+
|
|
5
|
+
*Yaroslav*
|
|
6
|
+
|
|
7
|
+
|
|
8
|
+
## Rails 8.0.0.1 (December 10, 2024) ##
|
|
9
|
+
|
|
10
|
+
* Add validation to content security policies to disallow spaces and semicolons.
|
|
11
|
+
Developers should use multiple arguments, and different directive methods instead.
|
|
12
|
+
|
|
13
|
+
[CVE-2024-54133]
|
|
14
|
+
|
|
15
|
+
*Gannon McGibbon*
|
|
16
|
+
|
|
17
|
+
|
|
1
18
|
## Rails 8.0.0 (November 07, 2024) ##
|
|
2
19
|
|
|
3
20
|
* No changes.
|
|
@@ -28,7 +28,8 @@ module ActionController # :nodoc:
|
|
|
28
28
|
# `send_file(params[:path])` allows a malicious user to download any file on
|
|
29
29
|
# your server.
|
|
30
30
|
#
|
|
31
|
-
# Options:
|
|
31
|
+
# #### Options:
|
|
32
|
+
#
|
|
32
33
|
# * `:filename` - suggests a filename for the browser to use. Defaults to
|
|
33
34
|
# `File.basename(path)`.
|
|
34
35
|
# * `:type` - specifies an HTTP content type. You can specify either a string
|
|
@@ -90,7 +91,8 @@ module ActionController # :nodoc:
|
|
|
90
91
|
# inline data. You may also set the content type, the file name, and other
|
|
91
92
|
# things.
|
|
92
93
|
#
|
|
93
|
-
# Options:
|
|
94
|
+
# #### Options:
|
|
95
|
+
#
|
|
94
96
|
# * `:filename` - suggests a filename for the browser to use.
|
|
95
97
|
# * `:type` - specifies an HTTP content type. Defaults to
|
|
96
98
|
# `application/octet-stream`. You can specify either a string or a symbol
|
|
@@ -58,7 +58,7 @@ module ActionController
|
|
|
58
58
|
|
|
59
59
|
module ClassMethods
|
|
60
60
|
def make_response!(request)
|
|
61
|
-
if request.get_header("HTTP_VERSION") == "HTTP/1.0"
|
|
61
|
+
if (request.get_header("SERVER_PROTOCOL") || request.get_header("HTTP_VERSION")) == "HTTP/1.0"
|
|
62
62
|
super
|
|
63
63
|
else
|
|
64
64
|
Live::Response.new.tap do |res|
|
|
@@ -332,7 +332,8 @@ module ActionController
|
|
|
332
332
|
# or other running data where you don't want the entire file buffered in memory
|
|
333
333
|
# first. Similar to send_data, but where the data is generated live.
|
|
334
334
|
#
|
|
335
|
-
# Options:
|
|
335
|
+
# #### Options:
|
|
336
|
+
#
|
|
336
337
|
# * `:filename` - suggests a filename for the browser to use.
|
|
337
338
|
# * `:type` - specifies an HTTP content type. You can specify either a string
|
|
338
339
|
# or a symbol for a registered type with `Mime::Type.register`, for example
|
|
@@ -513,7 +513,7 @@ module ActionController
|
|
|
513
513
|
# It is recommended to use `expect` instead:
|
|
514
514
|
#
|
|
515
515
|
# def person_params
|
|
516
|
-
#
|
|
516
|
+
# params.expect(person: :name).require(:name)
|
|
517
517
|
# end
|
|
518
518
|
#
|
|
519
519
|
def require(key)
|
|
@@ -621,7 +621,7 @@ module ActionController
|
|
|
621
621
|
# })
|
|
622
622
|
#
|
|
623
623
|
# params.permit(person: :contact).require(:person)
|
|
624
|
-
# # =>
|
|
624
|
+
# # => ActionController::ParameterMissing: param is missing or the value is empty or invalid: person
|
|
625
625
|
#
|
|
626
626
|
# params.permit(person: { contact: :phone }).require(:person)
|
|
627
627
|
# # => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"phone"=>"555-1234"} permitted: true>} permitted: true>
|
|
@@ -726,19 +726,19 @@ module ActionController
|
|
|
726
726
|
# similar to the `.require.permit` pattern. If multiple root keys are
|
|
727
727
|
# expected, they will all be required.
|
|
728
728
|
#
|
|
729
|
-
#
|
|
730
|
-
#
|
|
731
|
-
#
|
|
732
|
-
#
|
|
729
|
+
# params = ActionController::Parameters.new(name: "Martin", pies: [{ type: "dessert", flavor: "pumpkin"}])
|
|
730
|
+
# name, pies = params.expect(:name, pies: [[:type, :flavor]])
|
|
731
|
+
# name # => "Martin"
|
|
732
|
+
# pies # => [#<ActionController::Parameters {"type"=>"dessert", "flavor"=>"pumpkin"} permitted: true>]
|
|
733
733
|
#
|
|
734
734
|
# When called with a hash with multiple keys, `expect` will permit the
|
|
735
735
|
# parameters and require the keys in the order they are given in the hash,
|
|
736
736
|
# returning an array of the permitted parameters.
|
|
737
737
|
#
|
|
738
|
-
#
|
|
739
|
-
#
|
|
740
|
-
#
|
|
741
|
-
#
|
|
738
|
+
# params = ActionController::Parameters.new(subject: { name: "Martin" }, object: { pie: "pumpkin" })
|
|
739
|
+
# subject, object = params.expect(subject: [:name], object: [:pie])
|
|
740
|
+
# subject # => #<ActionController::Parameters {"name"=>"Martin"} permitted: true>
|
|
741
|
+
# object # => #<ActionController::Parameters {"pie"=>"pumpkin"} permitted: true>
|
|
742
742
|
#
|
|
743
743
|
# Besides being more strict about array vs hash params, `expect` uses permit
|
|
744
744
|
# internally, so it will behave similarly.
|
|
@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
|
|
|
26
26
|
# policy.report_uri "/csp-violation-report-endpoint"
|
|
27
27
|
# end
|
|
28
28
|
class ContentSecurityPolicy
|
|
29
|
+
class InvalidDirectiveError < StandardError
|
|
30
|
+
end
|
|
31
|
+
|
|
29
32
|
class Middleware
|
|
30
33
|
def initialize(app)
|
|
31
34
|
@app = app
|
|
@@ -320,9 +323,9 @@ module ActionDispatch # :nodoc:
|
|
|
320
323
|
@directives.map do |directive, sources|
|
|
321
324
|
if sources.is_a?(Array)
|
|
322
325
|
if nonce && nonce_directive?(directive, nonce_directives)
|
|
323
|
-
"#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
|
|
326
|
+
"#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
|
|
324
327
|
else
|
|
325
|
-
"#{directive} #{build_directive(sources, context).join(' ')}"
|
|
328
|
+
"#{directive} #{build_directive(directive, sources, context).join(' ')}"
|
|
326
329
|
end
|
|
327
330
|
elsif sources
|
|
328
331
|
directive
|
|
@@ -332,8 +335,22 @@ module ActionDispatch # :nodoc:
|
|
|
332
335
|
end
|
|
333
336
|
end
|
|
334
337
|
|
|
335
|
-
def
|
|
336
|
-
sources.
|
|
338
|
+
def validate(directive, sources)
|
|
339
|
+
sources.flatten.each do |source|
|
|
340
|
+
if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
|
|
341
|
+
raise InvalidDirectiveError, <<~MSG.squish
|
|
342
|
+
Invalid Content Security Policy #{directive}: "#{source}".
|
|
343
|
+
Directive values must not contain whitespace or semicolons.
|
|
344
|
+
Please use multiple arguments or other directive methods instead.
|
|
345
|
+
MSG
|
|
346
|
+
end
|
|
347
|
+
end
|
|
348
|
+
end
|
|
349
|
+
|
|
350
|
+
def build_directive(directive, sources, context)
|
|
351
|
+
resolved_sources = sources.map { |source| resolve_source(source, context) }
|
|
352
|
+
|
|
353
|
+
validate(directive, resolved_sources)
|
|
337
354
|
end
|
|
338
355
|
|
|
339
356
|
def resolve_source(source, context)
|
|
@@ -9,8 +9,7 @@ module ActionDispatch
|
|
|
9
9
|
module TestProcess
|
|
10
10
|
module FixtureFile
|
|
11
11
|
# Shortcut for
|
|
12
|
-
# `Rack::Test::UploadedFile.new(File.join(ActionDispatch::IntegrationTest.
|
|
13
|
-
# ixture_path, path), type)`:
|
|
12
|
+
# `Rack::Test::UploadedFile.new(File.join(ActionDispatch::IntegrationTest.file_fixture_path, path), type)`:
|
|
14
13
|
#
|
|
15
14
|
# post :change_avatar, params: { avatar: file_fixture_upload('david.png', 'image/png') }
|
|
16
15
|
#
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 8.0.
|
|
4
|
+
version: 8.0.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-12-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 8.0.
|
|
19
|
+
version: 8.0.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 8.0.
|
|
26
|
+
version: 8.0.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: nokogiri
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -128,28 +128,28 @@ dependencies:
|
|
|
128
128
|
requirements:
|
|
129
129
|
- - '='
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: 8.0.
|
|
131
|
+
version: 8.0.1
|
|
132
132
|
type: :runtime
|
|
133
133
|
prerelease: false
|
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
135
|
requirements:
|
|
136
136
|
- - '='
|
|
137
137
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: 8.0.
|
|
138
|
+
version: 8.0.1
|
|
139
139
|
- !ruby/object:Gem::Dependency
|
|
140
140
|
name: activemodel
|
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
|
142
142
|
requirements:
|
|
143
143
|
- - '='
|
|
144
144
|
- !ruby/object:Gem::Version
|
|
145
|
-
version: 8.0.
|
|
145
|
+
version: 8.0.1
|
|
146
146
|
type: :development
|
|
147
147
|
prerelease: false
|
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
|
149
149
|
requirements:
|
|
150
150
|
- - '='
|
|
151
151
|
- !ruby/object:Gem::Version
|
|
152
|
-
version: 8.0.
|
|
152
|
+
version: 8.0.1
|
|
153
153
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
|
154
154
|
testing MVC web applications. Works with any Rack-compatible server.
|
|
155
155
|
email: david@loudthinking.com
|
|
@@ -350,10 +350,10 @@ licenses:
|
|
|
350
350
|
- MIT
|
|
351
351
|
metadata:
|
|
352
352
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
353
|
-
changelog_uri: https://github.com/rails/rails/blob/v8.0.
|
|
354
|
-
documentation_uri: https://api.rubyonrails.org/v8.0.
|
|
353
|
+
changelog_uri: https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md
|
|
354
|
+
documentation_uri: https://api.rubyonrails.org/v8.0.1/
|
|
355
355
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
356
|
-
source_code_uri: https://github.com/rails/rails/tree/v8.0.
|
|
356
|
+
source_code_uri: https://github.com/rails/rails/tree/v8.0.1/actionpack
|
|
357
357
|
rubygems_mfa_required: 'true'
|
|
358
358
|
post_install_message:
|
|
359
359
|
rdoc_options: []
|