activestorage 5.2.4.2 → 5.2.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9d43d7faef40ba0e87e10cdd48ee54cf39d9c62c6a9ceb30a9c459aa4a19aff0
-  data.tar.gz: 450328e96bc8567dabeec9d2cc21ec51ca11581adfbe799a4ffaa94cc495e1b2
+  metadata.gz: 90cbc7290c32f7705cf84c2e0ec69ad638826950f7617239b7316c42f6707552
+  data.tar.gz: 03d9a5500dc862592cab7e7e0e2748d28de0f21b6f5903c0dc6c85c5a59ae3f1
 SHA512:
-  metadata.gz: 20c106e8b8be29d5f6d4fcc8dfab5ea737bce3f57f3d0d6d5392c9ea81115a08970a7ee420ca20a101e5ca93fcbc873526f12e9386e375ca10f7292b06878dd1
-  data.tar.gz: dee7d312a1f086a0a1f0da4c669b61c6d04b674cffce6f27e7635a1fbd6feae0ed216317afda89139dbb61865a3bed2bb7a82dd1730b8c2f85ff7a1c46a96a1e
+  metadata.gz: 4209fb9e393c4698fe4154de23864f694503ec795d0d37cef271d99c05452f42e67ecd133532d188841d72b25b0b57b18b0a555bab2df706a3d92b00386c2d6e
+  data.tar.gz: 8e840de9ebd7cda17e0527fc1d4ba41d91ff8a19270d4a6cae38f6976c8646b5d1dc1482e67376ae8fd3dc28531586022276d26a2e4d7d9c874a6852f9a98475

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 5.2.4.3 (May 18, 2020) ##
+
+*   [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload
+
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 *   No changes.

data/lib/active_storage/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveStorage
     MAJOR = 5
     MINOR = 2
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/service/s3_service.rb

@@ -79,7 +79,8 @@ module ActiveStorage
     def url_for_direct_upload(key, expires_in:, content_type:, content_length:, checksum:)
       instrument :url, key: key do |payload|
         generated_url = object_for(key).presigned_url :put, expires_in: expires_in.to_i,
-          content_type: content_type, content_length: content_length, content_md5: checksum
+          content_type: content_type, content_length: content_length, content_md5: checksum,
+          whitelist_headers: ['content-length']
 
         payload[:url] = generated_url
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 5.2.4.2
+  version: 5.2.4.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-19 00:00:00.000000000 Z
+date: 2020-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.3
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.2
+        version: 5.2.4.3
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -124,8 +124,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.2/activestorage
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.4.2/activestorage/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.3/activestorage
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.4.3/activestorage/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -141,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Local and cloud file storage framework.