actionpack 7.1.3 → 7.1.3.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/lib/abstract_controller/translation.rb +23 -1
- data/lib/action_dispatch/http/mime_type.rb +2 -2
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +12 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1b62aeaa57b9cd75f878c9fc01bfb6ea6212efb204b11333d90f612e1c00bfda
|
4
|
+
data.tar.gz: 0b92927142cc52e79ba1e16d8b8ba3dbceb9906978ff0d9292835110c08f6637
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: abcb6dd57c8fea664f4a8c8f9124e48188e4d9042620096a877b9b55d7f20c64ee38a4c9b18435add3c81929884f666651befd678aa109760c42d8f03605888a
|
7
|
+
data.tar.gz: 715bbae4ea354077bd17c50ffcab9916278d245861e34913b8ee457eccb6aefd685474720accc4413b5b7eabb7e62e1b0c8abb336e93854fc244abef2b2833f3
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,13 @@
|
|
1
|
+
## Rails 7.1.3.1 (February 21, 2024) ##
|
2
|
+
|
3
|
+
* Fix possible XSS vulnerability with the `translate` method in controllers
|
4
|
+
|
5
|
+
CVE-2024-26143
|
6
|
+
|
7
|
+
* Fix ReDoS in Accept header parsing
|
8
|
+
|
9
|
+
CVE-2024-26142
|
10
|
+
|
1
11
|
## Rails 7.1.3 (January 16, 2024) ##
|
2
12
|
|
3
13
|
* Fix including `Rails.application.routes.url_helpers` directly in an
|
@@ -21,7 +21,25 @@ module AbstractController
|
|
21
21
|
key = "#{path}.#{action_name}#{key}"
|
22
22
|
end
|
23
23
|
|
24
|
-
|
24
|
+
if options[:default]
|
25
|
+
options[:default] = [options[:default]] unless options[:default].is_a?(Array)
|
26
|
+
options[:default] = options[:default].map do |value|
|
27
|
+
value.is_a?(String) ? ERB::Util.html_escape(value) : value
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
if options[:raise].nil?
|
32
|
+
options[:default] = [] unless options[:default]
|
33
|
+
options[:default] << MISSING_TRANSLATION
|
34
|
+
end
|
35
|
+
|
36
|
+
result = ActiveSupport::HtmlSafeTranslation.translate(key, **options)
|
37
|
+
|
38
|
+
if result == MISSING_TRANSLATION
|
39
|
+
+"translation missing: #{key}"
|
40
|
+
else
|
41
|
+
result
|
42
|
+
end
|
25
43
|
end
|
26
44
|
alias :t :translate
|
27
45
|
|
@@ -30,5 +48,9 @@ module AbstractController
|
|
30
48
|
I18n.localize(object, **options)
|
31
49
|
end
|
32
50
|
alias :l :localize
|
51
|
+
|
52
|
+
private
|
53
|
+
MISSING_TRANSLATION = -(2**60)
|
54
|
+
private_constant :MISSING_TRANSLATION
|
33
55
|
end
|
34
56
|
end
|
@@ -154,7 +154,7 @@ module Mime
|
|
154
154
|
TRAILING_STAR_REGEXP = /^(text|application)\/\*/
|
155
155
|
# all media-type parameters need to be before the q-parameter
|
156
156
|
# https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
|
157
|
-
PARAMETER_SEPARATOR_REGEXP =
|
157
|
+
PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
|
158
158
|
ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
|
159
159
|
|
160
160
|
def register_callback(&block)
|
@@ -193,7 +193,7 @@ module Mime
|
|
193
193
|
def parse(accept_header)
|
194
194
|
if !accept_header.include?(",")
|
195
195
|
if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
|
196
|
-
accept_header = accept_header[0, index]
|
196
|
+
accept_header = accept_header[0, index].strip
|
197
197
|
end
|
198
198
|
return [] if accept_header.blank?
|
199
199
|
parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.1.3
|
4
|
+
version: 7.1.3.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-02-21 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 7.1.3
|
19
|
+
version: 7.1.3.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 7.1.3
|
26
|
+
version: 7.1.3.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: nokogiri
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -128,28 +128,28 @@ dependencies:
|
|
128
128
|
requirements:
|
129
129
|
- - '='
|
130
130
|
- !ruby/object:Gem::Version
|
131
|
-
version: 7.1.3
|
131
|
+
version: 7.1.3.1
|
132
132
|
type: :runtime
|
133
133
|
prerelease: false
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
135
135
|
requirements:
|
136
136
|
- - '='
|
137
137
|
- !ruby/object:Gem::Version
|
138
|
-
version: 7.1.3
|
138
|
+
version: 7.1.3.1
|
139
139
|
- !ruby/object:Gem::Dependency
|
140
140
|
name: activemodel
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
142
142
|
requirements:
|
143
143
|
- - '='
|
144
144
|
- !ruby/object:Gem::Version
|
145
|
-
version: 7.1.3
|
145
|
+
version: 7.1.3.1
|
146
146
|
type: :development
|
147
147
|
prerelease: false
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
149
149
|
requirements:
|
150
150
|
- - '='
|
151
151
|
- !ruby/object:Gem::Version
|
152
|
-
version: 7.1.3
|
152
|
+
version: 7.1.3.1
|
153
153
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
154
154
|
testing MVC web applications. Works with any Rack-compatible server.
|
155
155
|
email: david@loudthinking.com
|
@@ -346,10 +346,10 @@ licenses:
|
|
346
346
|
- MIT
|
347
347
|
metadata:
|
348
348
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
349
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.1.3/actionpack/CHANGELOG.md
|
350
|
-
documentation_uri: https://api.rubyonrails.org/v7.1.3/
|
349
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.1.3.1/actionpack/CHANGELOG.md
|
350
|
+
documentation_uri: https://api.rubyonrails.org/v7.1.3.1/
|
351
351
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
352
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.1.3/actionpack
|
352
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.1.3.1/actionpack
|
353
353
|
rubygems_mfa_required: 'true'
|
354
354
|
post_install_message:
|
355
355
|
rdoc_options: []
|
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
367
367
|
version: '0'
|
368
368
|
requirements:
|
369
369
|
- none
|
370
|
-
rubygems_version: 3.4.
|
370
|
+
rubygems_version: 3.4.10
|
371
371
|
signing_key:
|
372
372
|
specification_version: 4
|
373
373
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|