activesupport 5.2.4.2 → 5.2.4.3



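--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 0dbc3c6455b658fef338e38b62badea8ee5fae2a3071bea878d00f0284c186ea
- data.tar.gz: c0522d8c21a83712106d7d3f169af5cc00fe7b750c34bf479900c4577947fe23
+ metadata.gz: 52200cba1081f52ab46b0fbb797549ec4f37ec724232511041c17279af00c23a
+ data.tar.gz: 8f67df12d04d8a83698d73ba5c961058156000fc77f344f2c10bbdc0bb5d1bd3
  SHA512:
- metadata.gz: 27b40fe00539e8920149a177fa29c5f073d90a86f61e2661519ce66549ac12564e91f81550329e163519229cfb36ba556e53ea6ddc1df10445cd968cc186c100
- data.tar.gz: 4106e25be80a14d15a45d6ff0afbcaf0adc697770454ec4e5ad74f49032fb959d69fd27a84c63bf7c5a4c454329eb8fbf369b1524e06040481bf053a8652bdbe
+ metadata.gz: cb196f7b65d12c1a5be5178772fc9f449dd6408614bfa3020862e18ba32ed163597f4647202fdb792ab38a451dc04e5846072dc948e2a83505b2c7ccac4ee2d0
+ data.tar.gz: cfdf86850d1f2a9529d135756a23861b3bbb23c063b1446cbc994fb2372dfb2f79217eda99b0dc021d5cbfbd4f75f79a6e5385531f5dd48f1e78a1e55298459a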
@@ -1,3 +1,9 @@
1
+ ## Rails 5.2.4.3 (May 18, 2020) ##
2
+
3
+ * [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore
4
+
5
+ * [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore
6
+
1
7
  ## Rails 5.2.4.1 (December 18, 2019) ##
2
8
 
3
9
  * No changes.
@@ -7,7 +7,6 @@ rescue LoadError => e
7
7
  raise e
8
8
  end
9
9
 
10
- require "active_support/core_ext/marshal"
11
10
  require "active_support/core_ext/array/extract_options"
12
11
 
13
12
  module ActiveSupport
@@ -28,14 +27,6 @@ module ActiveSupport
28
27
  # Provide support for raw values in the local cache strategy.
29
28
  module LocalCacheWithRaw # :nodoc:
30
29
  private
31
- def read_entry(key, options)
32
- entry = super
33
- if options[:raw] && local_cache && entry
34
- entry = deserialize_entry(entry.value)
35
- end
36
- entry
37
- end
38
-
39
30
  def write_entry(key, entry, options)
40
31
  if options[:raw] && local_cache
41
32
  raw_entry = Entry.new(entry.value.to_s)
@@ -189,9 +180,8 @@ module ActiveSupport
189
180
  key
190
181
  end
191
182
 
192
- def deserialize_entry(raw_value)
193
- if raw_value
194
- entry = Marshal.load(raw_value) rescue raw_value
183
+ def deserialize_entry(entry)
184
+ if entry
195
185
  entry.is_a?(Entry) ? entry : Entry.new(entry)
196
186
  end
197
187
  end
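Review bot: The rewritten `deserialize_entry(entry)` carries no comment saying why the `Marshal.load(raw_value) rescue raw_value` probe was removed, and this is exactly the spot a future maintainer would be tempted to put it back "for robustness". I would add above the `def`: `# Never Marshal.load here: probing a raw string with Marshal.load lets anyone who can write a raw cache value hand us attacker-controlled Marshal data (CVE-2020-8165); non-raw values arrive already unmarshalled.` The second half of that claim is inferred from the CHANGELOG entry rather than from lines in this hunk — `read_entry`, which supplies the argument, is outside it and should be checked. The parameter name `entry` is also a little misleading, since the `entry.is_a?(Entry) ? entry : Entry.new(entry)` line shows it may be a plain string; `value`, or a one-line `# entry is either an Entry or a raw string` comment, would make that explicit.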
@@ -70,14 +70,6 @@ module ActiveSupport
70
70
  # Support raw values in the local cache strategy.
71
71
  module LocalCacheWithRaw # :nodoc:
72
72
  private
73
- def read_entry(key, options)
74
- entry = super
75
- if options[:raw] && local_cache && entry
76
- entry = deserialize_entry(entry.value)
77
- end
78
- entry
79
- end
80
-
81
73
  def write_entry(key, entry, options)
82
74
  if options[:raw] && local_cache
83
75
  raw_entry = Entry.new(serialize_entry(entry, raw: true))
@@ -328,7 +320,8 @@ module ActiveSupport
328
320
  # Read an entry from the cache.
329
321
  def read_entry(key, options = nil)
330
322
  failsafe :read_entry do
331
- deserialize_entry redis.with { |c| c.get(key) }
323
+ raw = options&.fetch(:raw, false)
324
+ deserialize_entry(redis.with { |c| c.get(key) }, raw: raw)
332
325
  end
333
326
  end
334
327
 
@@ -343,6 +336,7 @@ module ActiveSupport
343
336
  def read_multi_mget(*names)
344
337
  options = names.extract_options!
345
338
  options = merged_options(options)
339
+ raw = options&.fetch(:raw, false)
346
340
 
347
341
  keys = names.map { |name| normalize_key(name, options) }
348
342
 
@@ -352,7 +346,7 @@ module ActiveSupport
352
346
 
353
347
  names.zip(values).each_with_object({}) do |(name, value), results|
354
348
  if value
355
- entry = deserialize_entry(value)
349
+ entry = deserialize_entry(value, raw: raw)
356
350
  unless entry.nil? || entry.expired? || entry.mismatched?(normalize_version(name, options))
357
351
  results[name] = entry.value
358
352
  end
@@ -421,9 +415,20 @@ module ActiveSupport
421
415
  end
422
416
  end
423
417
 
424
- def deserialize_entry(serialized_entry)
418
+ def deserialize_entry(serialized_entry, raw:)
425
419
  if serialized_entry
426
420
  entry = Marshal.load(serialized_entry) rescue serialized_entry
421
+
422
+ written_raw = serialized_entry.equal?(entry)
423
+ if raw != written_raw
424
+ ActiveSupport::Deprecation.warn(<<-MSG.squish)
425
+ Using a different value for the raw option when reading and writing
426
+ to a cache key is deprecated for :redis_cache_store and Rails 6.0
427
+ will stop automatically detecting the format when reading to avoid
428
+ marshal loading untrusted raw strings.
429
+ MSG
430
+ end
431
+
427
432
  entry.is_a?(Entry) ? entry : Entry.new(entry)
428
433
  end
429
434
  end
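Review bot: `deserialize_entry` still calls `Marshal.load(serialized_entry)` before it consults `raw`, so a `raw: true` read of a value an attacker managed to write is deserialized exactly as before and the new `if raw != written_raw` branch only warns after the fact — `serialized_entry.equal?(entry)` being false is precisely the case where the stored string was valid Marshal data. If keeping the format autodetection is the intended 5.2 compatibility trade-off, state it at the method: `# NOTE: until 6.0 raw reads still go through Marshal.load; do not read attacker-writable values with raw: true (CVE-2020-8165).` Otherwise the one-line mitigation is `entry = raw ? serialized_entry : (Marshal.load(serialized_entry) rescue serialized_entry)`, at the cost of breaking callers that write non-raw and read raw. Also, `raw` arrives as `nil` rather than `false` whenever `read_entry` runs with its default `options = nil` (the `options&.fetch(:raw, false)` short-circuits), and `nil != false` then emits the deprecation on every non-raw read; normalizing with `raw = !!raw` at the top of this method removes that false positive, assuming such a call path exists.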
@@ -10,7 +10,7 @@ module ActiveSupport
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
12
  TINY = 4
13
- PRE = "2"
13
+ PRE = "3"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
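--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activesupport
  version: !ruby/object:Gem::Version
- version: 5.2.4.2
+ version: 5.2.4.3
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2020-03-19 00:00:00.000000000 Z
+ date: 2020-05-18 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: i18n
@@ -333,8 +333,8 @@ homepage: http://rubyonrails.org
  licenses:
  - MIT
  metadata:
- source_code_uri: https://github.com/rails/rails/tree/v5.2.4.2/activesupport
- changelog_uri: https://github.com/rails/rails/blob/v5.2.4.2/activesupport/CHANGELOG.md
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.4.3/activesupport
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.4.3/activesupport/CHANGELOG.md
  post_install_message:
  rdoc_options:
  - "--encoding"
@@ -352,7 +352,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.0.3
+ rubygems_version: 3.1.2
  signing_key:
  specification_version: 4
  summary: A toolkit of support libraries and Ruby core extensions extracted from the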