actionpack 4.1.8 → 4.1.9.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +30 -0
- data/lib/action_controller/base.rb +1 -1
- data/lib/action_controller/metal/http_authentication.rb +9 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +1 -1
- data/lib/action_dispatch/http/parameter_filter.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +7 -5
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/routing/route_set.rb +8 -1
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +11 -11
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b7d93f258c227a4ed486fe47ee30e4556c7943fc
|
|
4
|
+
data.tar.gz: ea43ba3a44d7e409e89681b3a8b1598a1f7f2b4e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b0c9487111faab79d1ebbe5bb7c9ed216e9ca82109b39445e953682007f39b7e513aa78f9a54a8f34786948e87888c95b5b482a0d9901c7c1b45965ed9a3740b
|
|
7
|
+
data.tar.gz: d87cf46149032029ef82e4ea2837585f463b8428ff6978d561db18bd2cd70730d3c9cc4af9dc955d9c8890c909f1db8dffabf1c6db85b6476957e93381e1ca29
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,19 @@
|
|
|
1
|
+
* Fixed handling of positional url helper arguments when `format: false`.
|
|
2
|
+
|
|
3
|
+
Fixes #17819.
|
|
4
|
+
|
|
5
|
+
*Andrew White*, *Tatiana Soukiassian*
|
|
6
|
+
|
|
7
|
+
* Restore handling of a bare `Authorization` header, without `token=`
|
|
8
|
+
prefix.
|
|
9
|
+
|
|
10
|
+
Fixes #17108.
|
|
11
|
+
|
|
12
|
+
*Guo Xiang Tan*
|
|
13
|
+
|
|
14
|
+
|
|
15
|
+
## Rails 4.1.8 (November 16, 2014) ##
|
|
16
|
+
|
|
1
17
|
* Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
|
|
2
18
|
|
|
3
19
|
fixes #17035.
|
|
@@ -11,6 +27,20 @@
|
|
|
11
27
|
*Yuki Nishijima*
|
|
12
28
|
|
|
13
29
|
|
|
30
|
+
## Rails 4.1.7.1 (November 19, 2014) ##
|
|
31
|
+
|
|
32
|
+
* Fix arbitrary file existence disclosure in Action Pack.
|
|
33
|
+
|
|
34
|
+
CVE-2014-7829.
|
|
35
|
+
|
|
36
|
+
|
|
37
|
+
## Rails 4.1.7 (October 29, 2014) ##
|
|
38
|
+
|
|
39
|
+
* Fix arbitrary file existence disclosure in Action Pack.
|
|
40
|
+
|
|
41
|
+
CVE-2014-7818.
|
|
42
|
+
|
|
43
|
+
|
|
14
44
|
## Rails 4.1.6 (September 11, 2014) ##
|
|
15
45
|
|
|
16
46
|
* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
|
|
@@ -44,7 +44,7 @@ module ActionController
|
|
|
44
44
|
# The full request object is available via the request accessor and is primarily used to query for HTTP headers:
|
|
45
45
|
#
|
|
46
46
|
# def server_ip
|
|
47
|
-
# location = request.env["
|
|
47
|
+
# location = request.env["REMOTE_ADDR"]
|
|
48
48
|
# render plain: "This server hosted at #{location}"
|
|
49
49
|
# end
|
|
50
50
|
#
|
|
@@ -397,6 +397,7 @@ module ActionController
|
|
|
397
397
|
#
|
|
398
398
|
# RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
|
|
399
399
|
module Token
|
|
400
|
+
TOKEN_KEY = 'token='
|
|
400
401
|
TOKEN_REGEX = /^Token /
|
|
401
402
|
AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
|
|
402
403
|
extend self
|
|
@@ -471,7 +472,13 @@ module ActionController
|
|
|
471
472
|
# pairs by the standardized `:`, `;`, or `\t` delimiters defined in
|
|
472
473
|
# `AUTHN_PAIR_DELIMITERS`.
|
|
473
474
|
def raw_params(auth)
|
|
474
|
-
auth.sub(TOKEN_REGEX, '').split(
|
|
475
|
+
_raw_params = auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
|
|
476
|
+
|
|
477
|
+
if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
|
|
478
|
+
_raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
|
|
479
|
+
end
|
|
480
|
+
|
|
481
|
+
_raw_params
|
|
475
482
|
end
|
|
476
483
|
|
|
477
484
|
# Encodes the given token and options into an Authorization header value.
|
|
@@ -481,7 +488,7 @@ module ActionController
|
|
|
481
488
|
#
|
|
482
489
|
# Returns String.
|
|
483
490
|
def encode_credentials(token, options = {})
|
|
484
|
-
values = ["
|
|
491
|
+
values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
|
|
485
492
|
"#{key}=#{value.to_s.inspect}"
|
|
486
493
|
end
|
|
487
494
|
"Token #{values * ", "}"
|
|
@@ -70,7 +70,7 @@ module ActionDispatch
|
|
|
70
70
|
def variant=(variant)
|
|
71
71
|
if variant.is_a?(Symbol)
|
|
72
72
|
@variant = [variant]
|
|
73
|
-
elsif variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
|
|
73
|
+
elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
|
|
74
74
|
@variant = variant
|
|
75
75
|
else
|
|
76
76
|
raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
|
|
@@ -56,7 +56,7 @@ module ActionDispatch
|
|
|
56
56
|
elsif value.is_a?(Array)
|
|
57
57
|
value = value.map { |v| v.is_a?(Hash) ? call(v) : v }
|
|
58
58
|
elsif blocks.any?
|
|
59
|
-
key = key.dup
|
|
59
|
+
key = key.dup if key.duplicable?
|
|
60
60
|
value = value.dup if value.duplicable?
|
|
61
61
|
blocks.each { |b| b.call(key, value) }
|
|
62
62
|
end
|
|
@@ -70,11 +70,13 @@ module ActionDispatch
|
|
|
70
70
|
# restrict to the domain level. If you use a schema like www.example.com
|
|
71
71
|
# and want to share session with user.example.com set <tt>:domain</tt>
|
|
72
72
|
# to <tt>:all</tt>. Make sure to specify the <tt>:domain</tt> option with
|
|
73
|
-
# <tt>:all</tt> again when deleting cookies.
|
|
73
|
+
# <tt>:all</tt> or <tt>Array</tt> again when deleting cookies.
|
|
74
74
|
#
|
|
75
75
|
# domain: nil # Does not sets cookie domain. (default)
|
|
76
76
|
# domain: :all # Allow the cookie for the top most level
|
|
77
77
|
# domain and subdomains.
|
|
78
|
+
# domain: %w(.example.com .example.org) # Allow the cookie
|
|
79
|
+
# for concrete domain names.
|
|
78
80
|
#
|
|
79
81
|
# * <tt>:expires</tt> - The time at which this cookie expires, as a \Time object.
|
|
80
82
|
# * <tt>:secure</tt> - Whether this cookie is only transmitted to HTTPS servers.
|
|
@@ -118,7 +120,7 @@ module ActionDispatch
|
|
|
118
120
|
# the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
|
|
119
121
|
# cookie was tampered with by the user (or a 3rd party), nil will be returned.
|
|
120
122
|
#
|
|
121
|
-
# If +secrets.secret_key_base+ and +
|
|
123
|
+
# If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
|
|
122
124
|
# legacy cookies signed with the old key generator will be transparently upgraded.
|
|
123
125
|
#
|
|
124
126
|
# This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
|
|
@@ -141,7 +143,7 @@ module ActionDispatch
|
|
|
141
143
|
# Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them for read.
|
|
142
144
|
# If the cookie was tampered with by the user (or a 3rd party), nil will be returned.
|
|
143
145
|
#
|
|
144
|
-
# If +secrets.secret_key_base+ and +
|
|
146
|
+
# If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
|
|
145
147
|
# legacy cookies signed with the old key generator will be transparently upgraded.
|
|
146
148
|
#
|
|
147
149
|
# This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
|
|
@@ -481,7 +483,7 @@ module ActionDispatch
|
|
|
481
483
|
end
|
|
482
484
|
|
|
483
485
|
# UpgradeLegacySignedCookieJar is used instead of SignedCookieJar if
|
|
484
|
-
#
|
|
486
|
+
# secrets.secret_token and secrets.secret_key_base are both set. It reads
|
|
485
487
|
# legacy cookies signed with the old dummy key generator and re-saves
|
|
486
488
|
# them using the new key generator to provide a smooth upgrade path.
|
|
487
489
|
class UpgradeLegacySignedCookieJar < SignedCookieJar #:nodoc:
|
|
@@ -539,7 +541,7 @@ module ActionDispatch
|
|
|
539
541
|
end
|
|
540
542
|
|
|
541
543
|
# UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore
|
|
542
|
-
# instead of EncryptedCookieJar if
|
|
544
|
+
# instead of EncryptedCookieJar if secrets.secret_token and secrets.secret_key_base
|
|
543
545
|
# are both set. It reads legacy cookies signed with the old dummy key generator and
|
|
544
546
|
# encrypts and re-saves them using the new key generator to provide a smooth upgrade path.
|
|
545
547
|
class UpgradeLegacyEncryptedCookieJar < EncryptedCookieJar #:nodoc:
|
|
@@ -235,7 +235,14 @@ module ActionDispatch
|
|
|
235
235
|
result = options.dup
|
|
236
236
|
|
|
237
237
|
if args.size > 0
|
|
238
|
-
|
|
238
|
+
# take format into account
|
|
239
|
+
if keys.include?(:format)
|
|
240
|
+
keys_size = keys.size - 1
|
|
241
|
+
else
|
|
242
|
+
keys_size = keys.size
|
|
243
|
+
end
|
|
244
|
+
|
|
245
|
+
if args.size < keys_size
|
|
239
246
|
keys -= t.url_options.keys if t.respond_to?(:url_options)
|
|
240
247
|
keys -= options.keys
|
|
241
248
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.1.
|
|
4
|
+
version: 4.1.9.rc1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2015-01-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 4.1.
|
|
19
|
+
version: 4.1.9.rc1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 4.1.
|
|
26
|
+
version: 4.1.9.rc1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rack
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -58,28 +58,28 @@ dependencies:
|
|
|
58
58
|
requirements:
|
|
59
59
|
- - '='
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
|
-
version: 4.1.
|
|
61
|
+
version: 4.1.9.rc1
|
|
62
62
|
type: :runtime
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
66
|
- - '='
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
|
-
version: 4.1.
|
|
68
|
+
version: 4.1.9.rc1
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: activemodel
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
72
72
|
requirements:
|
|
73
73
|
- - '='
|
|
74
74
|
- !ruby/object:Gem::Version
|
|
75
|
-
version: 4.1.
|
|
75
|
+
version: 4.1.9.rc1
|
|
76
76
|
type: :development
|
|
77
77
|
prerelease: false
|
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
|
79
79
|
requirements:
|
|
80
80
|
- - '='
|
|
81
81
|
- !ruby/object:Gem::Version
|
|
82
|
-
version: 4.1.
|
|
82
|
+
version: 4.1.9.rc1
|
|
83
83
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
|
84
84
|
testing MVC web applications. Works with any Rack-compatible server.
|
|
85
85
|
email: david@loudthinking.com
|
|
@@ -252,13 +252,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
252
252
|
version: 1.9.3
|
|
253
253
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
254
254
|
requirements:
|
|
255
|
-
- - "
|
|
255
|
+
- - ">"
|
|
256
256
|
- !ruby/object:Gem::Version
|
|
257
|
-
version:
|
|
257
|
+
version: 1.3.1
|
|
258
258
|
requirements:
|
|
259
259
|
- none
|
|
260
260
|
rubyforge_project:
|
|
261
|
-
rubygems_version: 2.4.
|
|
261
|
+
rubygems_version: 2.4.5
|
|
262
262
|
signing_key:
|
|
263
263
|
specification_version: 4
|
|
264
264
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|