actionpack 7.0.0.rc3 → 7.0.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +10 -1
- data/lib/action_controller/metal/strong_parameters.rb +1 -1
- data/lib/action_controller/metal/testing.rb +9 -0
- data/lib/action_controller/test_case.rb +6 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +28 -9
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +1 -1
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +17 -17
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d79cdcfed6867089ed24ecf0bc02b3d82b461df4de9e4c991ceadf17a63e73ef
|
|
4
|
+
data.tar.gz: 9b9dde19de31d0f37ff14c4ffe053c2a3110cab6a68613a4c725e7a184cb0602
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 59f401a0ee0946d52261245762378ae29a5a13199e930a85b95c8891c2c02161757b763d4a780d571bec902db6f89f210664f2b1d06a91e98a811f27da52ba3f
|
|
7
|
+
data.tar.gz: 827e05337ec713bc3f47c5bf16df5ecf0217f3e2a1d293b24c2bd28a797c6c455f1301670c1292e350c2646e9eca3e368f2ce65bf392dbbff88bd2e6a1fc19af
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,16 @@
|
|
|
1
|
+
## Rails 7.0.0 (December 15, 2021) ##
|
|
2
|
+
|
|
3
|
+
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
|
4
|
+
|
|
5
|
+
*Étienne Barrié*
|
|
6
|
+
|
|
7
|
+
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
|
8
|
+
|
|
9
|
+
This means if you make multiple requests in the same test, instance variables set in the first request will
|
|
10
|
+
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
|
11
|
+
|
|
12
|
+
*Alex Ghiculescu*
|
|
13
|
+
|
|
1
14
|
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
|
2
15
|
|
|
3
16
|
* No changes.
|
|
@@ -7,6 +20,8 @@
|
|
|
7
20
|
|
|
8
21
|
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
|
9
22
|
|
|
23
|
+
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
|
24
|
+
|
|
10
25
|
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
|
11
26
|
|
|
12
27
|
This helps to better simulate request or job local state being reset between requests and prevent state
|
|
@@ -92,7 +92,16 @@ module ActionController # :nodoc:
|
|
|
92
92
|
|
|
93
93
|
# Controls whether URL-safe CSRF tokens are generated.
|
|
94
94
|
config_accessor :urlsafe_csrf_tokens, instance_writer: false
|
|
95
|
-
self.urlsafe_csrf_tokens =
|
|
95
|
+
self.urlsafe_csrf_tokens = true
|
|
96
|
+
|
|
97
|
+
singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
|
|
98
|
+
if urlsafe_csrf_tokens
|
|
99
|
+
ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
|
|
100
|
+
else
|
|
101
|
+
ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
|
|
102
|
+
end
|
|
103
|
+
config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
|
|
104
|
+
end
|
|
96
105
|
|
|
97
106
|
helper_method :form_authenticity_token
|
|
98
107
|
helper_method :protect_against_forgery?
|
|
@@ -963,7 +963,7 @@ module ActionController
|
|
|
963
963
|
when Array
|
|
964
964
|
return value if converted_arrays.member?(value)
|
|
965
965
|
converted = value.map { |_| convert_value_to_parameters(_) }
|
|
966
|
-
converted_arrays << converted
|
|
966
|
+
converted_arrays << converted.dup
|
|
967
967
|
converted
|
|
968
968
|
when Hash
|
|
969
969
|
self.class.new(value)
|
|
@@ -4,6 +4,15 @@ module ActionController
|
|
|
4
4
|
module Testing
|
|
5
5
|
# Behavior specific to functional tests
|
|
6
6
|
module Functional # :nodoc:
|
|
7
|
+
def clear_instance_variables_between_requests
|
|
8
|
+
if defined?(@_ivars)
|
|
9
|
+
new_ivars = instance_variables - @_ivars
|
|
10
|
+
new_ivars.each { |ivar| remove_instance_variable(ivar) }
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
@_ivars = instance_variables
|
|
14
|
+
end
|
|
15
|
+
|
|
7
16
|
def recycle!
|
|
8
17
|
@_url_options = nil
|
|
9
18
|
self.formats = nil
|
|
@@ -465,9 +465,15 @@ module ActionController
|
|
|
465
465
|
# prefer using #get, #post, #patch, #put, #delete and #head methods
|
|
466
466
|
# respectively which will make tests more expressive.
|
|
467
467
|
#
|
|
468
|
+
# It's not recommended to make more than one request in the same test. Instance
|
|
469
|
+
# variables that are set in one request will not persist to the next request,
|
|
470
|
+
# but it's not guaranteed that all Rails internal state will be reset. Prefer
|
|
471
|
+
# ActionDispatch::IntegrationTest for making multiple requests in the same test.
|
|
472
|
+
#
|
|
468
473
|
# Note that the request method is not verified.
|
|
469
474
|
def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
|
|
470
475
|
check_required_ivars
|
|
476
|
+
@controller.clear_instance_variables_between_requests
|
|
471
477
|
|
|
472
478
|
action = +action.to_s
|
|
473
479
|
http_method = method.to_s.upcase
|
|
@@ -16,7 +16,16 @@ module ActionDispatch
|
|
|
16
16
|
# responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
|
|
17
17
|
# if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
|
|
18
18
|
class HostAuthorization
|
|
19
|
-
ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost",
|
|
19
|
+
ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
|
|
20
|
+
PORT_REGEX = /(?::\d+)/ # :nodoc:
|
|
21
|
+
IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
|
|
22
|
+
IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
|
|
23
|
+
IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
|
|
24
|
+
VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
|
|
25
|
+
/\A#{IPV4_HOSTNAME}\z/,
|
|
26
|
+
/\A#{IPV6_HOSTNAME}\z/,
|
|
27
|
+
/\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
|
|
28
|
+
)
|
|
20
29
|
|
|
21
30
|
class Permissions # :nodoc:
|
|
22
31
|
def initialize(hosts)
|
|
@@ -29,11 +38,17 @@ module ActionDispatch
|
|
|
29
38
|
|
|
30
39
|
def allows?(host)
|
|
31
40
|
@hosts.any? do |allowed|
|
|
32
|
-
allowed
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
41
|
+
if allowed.is_a?(IPAddr)
|
|
42
|
+
begin
|
|
43
|
+
allowed === extract_hostname(host)
|
|
44
|
+
rescue
|
|
45
|
+
# IPAddr#=== raises an error if you give it a hostname instead of
|
|
46
|
+
# IP. Treat similar errors as blocked access.
|
|
47
|
+
false
|
|
48
|
+
end
|
|
49
|
+
else
|
|
50
|
+
allowed === host
|
|
51
|
+
end
|
|
37
52
|
end
|
|
38
53
|
end
|
|
39
54
|
|
|
@@ -49,16 +64,20 @@ module ActionDispatch
|
|
|
49
64
|
end
|
|
50
65
|
|
|
51
66
|
def sanitize_regexp(host)
|
|
52
|
-
/\A#{host}
|
|
67
|
+
/\A#{host}#{PORT_REGEX}?\z/
|
|
53
68
|
end
|
|
54
69
|
|
|
55
70
|
def sanitize_string(host)
|
|
56
71
|
if host.start_with?(".")
|
|
57
|
-
/\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}
|
|
72
|
+
/\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
|
|
58
73
|
else
|
|
59
|
-
/\A#{Regexp.escape host}
|
|
74
|
+
/\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
|
|
60
75
|
end
|
|
61
76
|
end
|
|
77
|
+
|
|
78
|
+
def extract_hostname(host)
|
|
79
|
+
host.slice(VALID_IP_HOSTNAME, "host") || host
|
|
80
|
+
end
|
|
62
81
|
end
|
|
63
82
|
|
|
64
83
|
class DefaultResponseApp # :nodoc:
|
|
@@ -42,7 +42,7 @@ module ActionDispatch
|
|
|
42
42
|
#
|
|
43
43
|
# +take_failed_screenshot+ is called during system test teardown.
|
|
44
44
|
def take_failed_screenshot
|
|
45
|
-
take_screenshot if failed? && supports_screenshot?
|
|
45
|
+
take_screenshot if failed? && supports_screenshot? && Capybara::Session.instance_created?
|
|
46
46
|
end
|
|
47
47
|
|
|
48
48
|
private
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.0.0
|
|
4
|
+
version: 7.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-12-
|
|
11
|
+
date: 2021-12-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 7.0.0
|
|
19
|
+
version: 7.0.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 7.0.0
|
|
26
|
+
version: 7.0.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rack
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -98,28 +98,28 @@ dependencies:
|
|
|
98
98
|
requirements:
|
|
99
99
|
- - '='
|
|
100
100
|
- !ruby/object:Gem::Version
|
|
101
|
-
version: 7.0.0
|
|
101
|
+
version: 7.0.0
|
|
102
102
|
type: :runtime
|
|
103
103
|
prerelease: false
|
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
|
105
105
|
requirements:
|
|
106
106
|
- - '='
|
|
107
107
|
- !ruby/object:Gem::Version
|
|
108
|
-
version: 7.0.0
|
|
108
|
+
version: 7.0.0
|
|
109
109
|
- !ruby/object:Gem::Dependency
|
|
110
110
|
name: activemodel
|
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
|
112
112
|
requirements:
|
|
113
113
|
- - '='
|
|
114
114
|
- !ruby/object:Gem::Version
|
|
115
|
-
version: 7.0.0
|
|
115
|
+
version: 7.0.0
|
|
116
116
|
type: :development
|
|
117
117
|
prerelease: false
|
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
|
119
119
|
requirements:
|
|
120
120
|
- - '='
|
|
121
121
|
- !ruby/object:Gem::Version
|
|
122
|
-
version: 7.0.0
|
|
122
|
+
version: 7.0.0
|
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
|
125
125
|
email: david@loudthinking.com
|
|
@@ -310,12 +310,12 @@ licenses:
|
|
|
310
310
|
- MIT
|
|
311
311
|
metadata:
|
|
312
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
|
313
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.0
|
|
314
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.0
|
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.0/actionpack/CHANGELOG.md
|
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.0/
|
|
315
315
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
|
316
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.0
|
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.0/actionpack
|
|
317
317
|
rubygems_mfa_required: 'true'
|
|
318
|
-
post_install_message:
|
|
318
|
+
post_install_message:
|
|
319
319
|
rdoc_options: []
|
|
320
320
|
require_paths:
|
|
321
321
|
- lib
|
|
@@ -326,13 +326,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
326
326
|
version: 2.7.0
|
|
327
327
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
328
328
|
requirements:
|
|
329
|
-
- - "
|
|
329
|
+
- - ">="
|
|
330
330
|
- !ruby/object:Gem::Version
|
|
331
|
-
version:
|
|
331
|
+
version: '0'
|
|
332
332
|
requirements:
|
|
333
333
|
- none
|
|
334
|
-
rubygems_version: 3.2.
|
|
335
|
-
signing_key:
|
|
334
|
+
rubygems_version: 3.2.32
|
|
335
|
+
signing_key:
|
|
336
336
|
specification_version: 4
|
|
337
337
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
|
338
338
|
test_files: []
|