activesupport 5.2.7 → 5.2.8

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of activesupport might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9ca8c97dbd9b8c0060fa8fdc9fe0a265e52dade43f834a64d81be63a58631d52
4
- data.tar.gz: 718c11ac32f5ede2cf74701c236afae41cd9ad50d8eb3d138594c869cb543462
3
+ metadata.gz: 1d6eaa5e7c5e342b04aaca38462ee4f868b448c093a7a61c63a42db181d76309
4
+ data.tar.gz: 511031c0b3a3bfbbaae326bfd5db78b0699550f7e32cc47ebc72c0013d9b1b04
5
5
  SHA512:
6
- metadata.gz: 9390ba51ca2fec524ab28bf67f75ec75ef44c6599311c16c09b14a9a29cfe4d71732bd0a5fd31bea4b8d6e5bc5bfd5c12c06101aee7cc4f7cae3d203de9bb7a7
7
- data.tar.gz: 39569f88617d0c8bcae4f85b461ce38f355533d1eb9484848a3c38ceb553e365adf8b2a34788d4705b6ae7fd75ee315262b3f889dae919a9bbd28238f56732aa
6
+ metadata.gz: 7065b798f14de079d46164aca2e16f000ea2cf94c7583ae528173df31d458498def8dbe2326ace9c5a6300bb893e6733f3a83eb5ca78950bff932aa079d86c3d
7
+ data.tar.gz: c3589a3c955cba2775084df6a67b3c8fecbac5367ac0dd4badd3e4ef0cefbe3985ee38e893ec6667e04e59a935b9ab6486c372b4f81df80029f4976bc2b40ffc
data/CHANGELOG.md CHANGED
@@ -1,3 +1,18 @@
1
+ ## Rails 5.2.8 (May 09, 2022) ##
2
+
3
+ * No changes.
4
+
5
+
6
+ ## Rails 5.2.7.1 (April 26, 2022) ##
7
+
8
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
9
+
10
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
11
+ in names of tags and names of attributes, following the specification of XML.
12
+
13
+ *Álvaro Martín Fraguas*
14
+
15
+
1
16
  ## Rails 5.2.7 (March 10, 2022) ##
2
17
 
3
18
  * Restore support to Ruby 2.2.
@@ -7,11 +7,29 @@ module ActiveSupport
7
7
  # A monitor that will permit dependency loading while blocked waiting for
8
8
  # the lock.
9
9
  class LoadInterlockAwareMonitor < Monitor
10
+ EXCEPTION_NEVER = { Exception => :never }.freeze
11
+ EXCEPTION_IMMEDIATE = { Exception => :immediate }.freeze
12
+ private_constant :EXCEPTION_NEVER, :EXCEPTION_IMMEDIATE
13
+
10
14
  # Enters an exclusive section, but allows dependency loading while blocked
11
15
  def mon_enter
12
16
  mon_try_enter ||
13
17
  ActiveSupport::Dependencies.interlock.permit_concurrent_loads { super }
14
18
  end
19
+
20
+ def synchronize
21
+ Thread.handle_interrupt(EXCEPTION_NEVER) do
22
+ mon_enter
23
+
24
+ begin
25
+ Thread.handle_interrupt(EXCEPTION_IMMEDIATE) do
26
+ yield
27
+ end
28
+ ensure
29
+ mon_exit
30
+ end
31
+ end
32
+ end
15
33
  end
16
34
  end
17
35
  end
@@ -12,6 +12,14 @@ class ERB
12
12
  HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
13
13
  JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
14
14
 
15
+ # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
16
+ TAG_NAME_START_REGEXP_SET = "@:A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
17
+ "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
18
+ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
19
+ TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
20
+ TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
21
+ TAG_NAME_REPLACEMENT_CHAR = "_"
22
+
15
23
  # A utility method for escaping HTML tag characters.
16
24
  # This method is also aliased as <tt>h</tt>.
17
25
  #
@@ -116,6 +124,26 @@ class ERB
116
124
  end
117
125
 
118
126
  module_function :json_escape
127
+
128
+ # A utility method for escaping XML names of tags and names of attributes.
129
+ #
130
+ # xml_name_escape('1 < 2 & 3')
131
+ # # => "1___2___3"
132
+ #
133
+ # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
134
+ def xml_name_escape(name)
135
+ name = name.to_s
136
+ return "" if name.blank?
137
+
138
+ starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
139
+
140
+ return starting_char if name.size == 1
141
+
142
+ following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
143
+
144
+ starting_char + following_chars
145
+ end
146
+ module_function :xml_name_escape
119
147
  end
120
148
  end
121
149
 
@@ -9,7 +9,7 @@ module ActiveSupport
9
9
  module VERSION
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
- TINY = 7
12
+ TINY = 8
13
13
  PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.7
4
+ version: 5.2.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-10 00:00:00.000000000 Z
11
+ date: 2022-05-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -333,8 +333,8 @@ homepage: http://rubyonrails.org
333
333
  licenses:
334
334
  - MIT
335
335
  metadata:
336
- source_code_uri: https://github.com/rails/rails/tree/v5.2.7/activesupport
337
- changelog_uri: https://github.com/rails/rails/blob/v5.2.7/activesupport/CHANGELOG.md
336
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.8/activesupport
337
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.8/activesupport/CHANGELOG.md
338
338
  post_install_message:
339
339
  rdoc_options:
340
340
  - "--encoding"