actionpack 5.2.4.6 → 5.2.5
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -12
- data/lib/action_controller/metal/http_authentication.rb +1 -1
- data/lib/action_controller/metal/request_forgery_protection.rb +4 -9
- data/lib/action_controller/test_case.rb +2 -2
- data/lib/action_dispatch/request/session.rb +1 -1
- data/lib/action_dispatch/routing/polymorphic_routes.rb +4 -8
- data/lib/action_dispatch/testing/integration.rb +1 -0
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +13 -13
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3b9466cc66aef89ae39a6f759279293fa180454f543f7149d1ab8de9ed9ae899
|
4
|
+
data.tar.gz: a72f72e877d142cc9c377615429190f6327fbd6d8e522f7ada200c30ec02bba8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: caf16e1e2886b217f359e358d24d6eb33e692f40165c96a324571b009ceb7d1b97df22320c2e320106aad26e4f7874db26790ba7cc4f61c9a6a21fae13f9e366
|
7
|
+
data.tar.gz: 30094a122031f1a4cff32d7cc0ad6fe4a14e318267e3cfea6ff85f9ca172f8b1f6677299634c776df580c4b3a44200e494fa06f6933821d4d5b8838d9a7a4815
|
data/CHANGELOG.md
CHANGED
@@ -1,17 +1,7 @@
|
|
1
|
-
## Rails 5.2.
|
1
|
+
## Rails 5.2.5 (March 26, 2021) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
CVE-2021-22904
|
5
|
-
|
6
|
-
* Prevent string polymorphic route arguments.
|
7
|
-
|
8
|
-
`url_for` supports building polymorphic URLs via an array
|
9
|
-
of arguments (usually symbols and records). If a developer passes a
|
10
|
-
user input array, strings can result in unwanted route helper calls.
|
11
|
-
|
12
|
-
CVE-2021-22885
|
3
|
+
* No changes.
|
13
4
|
|
14
|
-
*Gannon McGibbon*
|
15
5
|
|
16
6
|
## Rails 5.2.4.5 (February 10, 2021) ##
|
17
7
|
|
@@ -30,12 +20,22 @@
|
|
30
20
|
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
31
21
|
|
32
22
|
|
23
|
+
## Rails 5.2.4.2 (March 19, 2020) ##
|
24
|
+
|
25
|
+
* No changes.
|
26
|
+
|
27
|
+
|
33
28
|
## Rails 5.2.4.1 (December 18, 2019) ##
|
34
29
|
|
35
30
|
* Fix possible information leak / session hijacking vulnerability.
|
36
31
|
|
37
32
|
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
38
33
|
gem dalli to be updated as well.
|
34
|
+
|
35
|
+
_Breaking changes:_
|
36
|
+
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
37
|
+
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
38
|
+
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
39
39
|
|
40
40
|
CVE-2019-16782.
|
41
41
|
|
@@ -321,11 +321,6 @@ module ActionController #:nodoc:
|
|
321
321
|
global_csrf_token(session)
|
322
322
|
end
|
323
323
|
|
324
|
-
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
325
|
-
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
326
|
-
masked_token = one_time_pad + encrypted_csrf_token
|
327
|
-
Base64.urlsafe_encode64(masked_token, padding: false)
|
328
|
-
|
329
324
|
mask_token(raw_token)
|
330
325
|
end
|
331
326
|
|
@@ -338,7 +333,7 @@ module ActionController #:nodoc:
|
|
338
333
|
end
|
339
334
|
|
340
335
|
begin
|
341
|
-
masked_token = Base64.
|
336
|
+
masked_token = Base64.urlsafe_decode64(encoded_masked_token)
|
342
337
|
rescue ArgumentError # encoded_masked_token is invalid Base64
|
343
338
|
return false
|
344
339
|
end
|
@@ -376,7 +371,7 @@ module ActionController #:nodoc:
|
|
376
371
|
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
377
372
|
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
378
373
|
masked_token = one_time_pad + encrypted_csrf_token
|
379
|
-
Base64.
|
374
|
+
Base64.urlsafe_encode64(masked_token).delete("=")
|
380
375
|
end
|
381
376
|
|
382
377
|
def compare_with_real_token(token, session) # :doc:
|
@@ -402,8 +397,8 @@ module ActionController #:nodoc:
|
|
402
397
|
end
|
403
398
|
|
404
399
|
def real_csrf_token(session) # :doc:
|
405
|
-
session[:_csrf_token] ||= SecureRandom.
|
406
|
-
Base64.
|
400
|
+
session[:_csrf_token] ||= SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
|
401
|
+
Base64.urlsafe_decode64(session[:_csrf_token])
|
407
402
|
end
|
408
403
|
|
409
404
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
@@ -177,12 +177,12 @@ module ActionController
|
|
177
177
|
|
178
178
|
# Methods #destroy and #load! are overridden to avoid calling methods on the
|
179
179
|
# @store object, which does not exist for the TestSession class.
|
180
|
-
class TestSession < Rack::Session::Abstract::
|
180
|
+
class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
|
181
181
|
DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
|
182
182
|
|
183
183
|
def initialize(session = {})
|
184
184
|
super(nil, nil)
|
185
|
-
@id = SecureRandom.hex(16)
|
185
|
+
@id = Rack::Session::SessionId.new(SecureRandom.hex(16))
|
186
186
|
@data = stringify_keys(session)
|
187
187
|
@loaded = true
|
188
188
|
end
|
@@ -288,12 +288,10 @@ module ActionDispatch
|
|
288
288
|
|
289
289
|
args = []
|
290
290
|
|
291
|
-
route = record_list.map
|
291
|
+
route = record_list.map { |parent|
|
292
292
|
case parent
|
293
|
-
when Symbol
|
293
|
+
when Symbol, String
|
294
294
|
parent.to_s
|
295
|
-
when String
|
296
|
-
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
297
295
|
when Class
|
298
296
|
args << parent
|
299
297
|
parent.model_name.singular_route_key
|
@@ -301,14 +299,12 @@ module ActionDispatch
|
|
301
299
|
args << parent.to_model
|
302
300
|
parent.to_model.model_name.singular_route_key
|
303
301
|
end
|
304
|
-
|
302
|
+
}
|
305
303
|
|
306
304
|
route <<
|
307
305
|
case record
|
308
|
-
when Symbol
|
306
|
+
when Symbol, String
|
309
307
|
record.to_s
|
310
|
-
when String
|
311
|
-
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
312
308
|
when Class
|
313
309
|
@key_strategy.call record.model_name
|
314
310
|
else
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-03-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 5.2.
|
19
|
+
version: 5.2.5
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 5.2.
|
26
|
+
version: 5.2.5
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 5.2.
|
101
|
+
version: 5.2.5
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 5.2.
|
108
|
+
version: 5.2.5
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 5.2.
|
115
|
+
version: 5.2.5
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 5.2.
|
122
|
+
version: 5.2.5
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -299,9 +299,9 @@ homepage: http://rubyonrails.org
|
|
299
299
|
licenses:
|
300
300
|
- MIT
|
301
301
|
metadata:
|
302
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.
|
303
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.
|
304
|
-
post_install_message:
|
302
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.5/actionpack
|
303
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.5/actionpack/CHANGELOG.md
|
304
|
+
post_install_message:
|
305
305
|
rdoc_options: []
|
306
306
|
require_paths:
|
307
307
|
- lib
|
@@ -318,7 +318,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
318
318
|
requirements:
|
319
319
|
- none
|
320
320
|
rubygems_version: 3.1.2
|
321
|
-
signing_key:
|
321
|
+
signing_key:
|
322
322
|
specification_version: 4
|
323
323
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
324
324
|
test_files: []
|