activesupport 6.0.3 → 6.0.3.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2ecaab093a95934f616bf961543b5b996df6129688365994127affb9b0f7b18b
4
- data.tar.gz: 4e200bc745348e0a45f8e52a570376d3da4316f1d68751f109e09c19eaa963b8
3
+ metadata.gz: 27ca64902752919c07141c16dfbcdc8778c7ebe2d4ff731d08929496e5c361b6
4
+ data.tar.gz: 61da30389c58c0aada87afefa84c53aa7500cea25e7e275d1722356e88b151f1
5
5
  SHA512:
6
- metadata.gz: a5a2525304c76190c7b8bb5a00f4a1ac9b96ab896f867b3f6db26ffd6e05ae389348947fee02e6c8ba53568f5e85425e69de51cd6d022732952266d0670de3bf
7
- data.tar.gz: 92efcfa7ba82f282c64c42233de3e46aced59e113a4ec2f4d516e2f8cc104838f93cd2e7814a05b4088d600289b719ef4f518b38a93db43210e78667743173f3
6
+ metadata.gz: 8444e314fb626748d3d2350b9d91e634a3ddf1822858aef8c5d7c2eda762c1fb92416dfc5d326c2a112e3ef034be0cb79006d745c2aaae09a214ba02f1a639bc
7
+ data.tar.gz: 7de5b2431cfab0e6bc39fa3ccaa2234c8fb0b495fda4438cc371e0e27308855026894e5b1de400365f394994ac9567bf97efe9a9c3ed48aa1e8c9195d9c7c145
@@ -1,3 +1,9 @@
1
+ ## Rails 6.0.3.1 (May 18, 2020) ##
2
+
3
+ * [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore
4
+
5
+ * [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore
6
+
1
7
  ## Rails 6.0.3 (May 06, 2020) ##
2
8
 
3
9
  * `Array#to_sentence` no longer returns a frozen string.
@@ -7,7 +7,6 @@ rescue LoadError => e
7
7
  raise e
8
8
  end
9
9
 
10
- require "active_support/core_ext/marshal"
11
10
  require "active_support/core_ext/array/extract_options"
12
11
 
13
12
  module ActiveSupport
@@ -28,14 +27,6 @@ module ActiveSupport
28
27
  # Provide support for raw values in the local cache strategy.
29
28
  module LocalCacheWithRaw # :nodoc:
30
29
  private
31
- def read_entry(key, **options)
32
- entry = super
33
- if options[:raw] && local_cache && entry
34
- entry = deserialize_entry(entry.value)
35
- end
36
- entry
37
- end
38
-
39
30
  def write_entry(key, entry, **options)
40
31
  if options[:raw] && local_cache
41
32
  raw_entry = Entry.new(entry.value.to_s)
@@ -194,9 +185,8 @@ module ActiveSupport
194
185
  key
195
186
  end
196
187
 
197
- def deserialize_entry(raw_value)
198
- if raw_value
199
- entry = Marshal.load(raw_value) rescue raw_value
188
+ def deserialize_entry(entry)
189
+ if entry
200
190
  entry.is_a?(Entry) ? entry : Entry.new(entry)
201
191
  end
202
192
  end
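Review bot: `deserialize_entry(entry)` in this hunk no longer deserializes anything — it only wraps a non-Entry value with `Entry.new(entry)` — so the method name now promises a step the body does not perform. Since dropping `Marshal.load` here is the CVE-2020-8165 change named in the changelog, the intent should be recorded on the method so nobody reintroduces format sniffing, e.g. `# Wraps a value returned by the client in an Entry. Deliberately does not` / `# Marshal.load it: a raw string read back from the store is untrusted (CVE-2020-8165).`. It is also worth saying in that comment that a string is kept as the Entry's value as-is rather than decoded. The enclosing module continues outside the hunk.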
@@ -74,14 +74,6 @@ module ActiveSupport
74
74
  # Support raw values in the local cache strategy.
75
75
  module LocalCacheWithRaw # :nodoc:
76
76
  private
77
- def read_entry(key, **options)
78
- entry = super
79
- if options[:raw] && local_cache && entry
80
- entry = deserialize_entry(entry.value)
81
- end
82
- entry
83
- end
84
-
85
77
  def write_entry(key, entry, **options)
86
78
  if options[:raw] && local_cache
87
79
  raw_entry = Entry.new(serialize_entry(entry, raw: true))
@@ -348,7 +340,8 @@ module ActiveSupport
348
340
  # Read an entry from the cache.
349
341
  def read_entry(key, **options)
350
342
  failsafe :read_entry do
351
- deserialize_entry redis.with { |c| c.get(key) }
343
+ raw = options&.fetch(:raw, false)
344
+ deserialize_entry(redis.with { |c| c.get(key) }, raw: raw)
352
345
  end
353
346
  end
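Review bot: `raw = options&.fetch(:raw, false)` on the added line uses safe navigation on `options`, but `options` is the `**options` keyword splat of `read_entry` and is therefore always a Hash, never nil; the `&.` advertises a nil case that cannot occur and should read `raw = options.fetch(:raw, false)`. The same pattern appears in the `read_multi_entries` hunk (`raw = options&.fetch(:raw, false)` after `return {} if names == []`); there `options` is the result of `merged_options`, and if that returns a Hash as the surrounding `extract_options!` usage suggests, the `&.` is equally unnecessary. Keeping `fetch(:raw, false)` rather than `options[:raw]` is right, since a nil would later compare unequal to the boolean `written_raw` in `deserialize_entry` and trigger the warning spuriously.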
354
347
 
@@ -364,6 +357,7 @@ module ActiveSupport
364
357
  options = names.extract_options!
365
358
  options = merged_options(options)
366
359
  return {} if names == []
360
+ raw = options&.fetch(:raw, false)
367
361
 
368
362
  keys = names.map { |name| normalize_key(name, options) }
369
363
 
@@ -373,7 +367,7 @@ module ActiveSupport
373
367
 
374
368
  names.zip(values).each_with_object({}) do |(name, value), results|
375
369
  if value
376
- entry = deserialize_entry(value)
370
+ entry = deserialize_entry(value, raw: raw)
377
371
  unless entry.nil? || entry.expired? || entry.mismatched?(normalize_version(name, options))
378
372
  results[name] = entry.value
379
373
  end
@@ -448,9 +442,20 @@ module ActiveSupport
448
442
  end
449
443
  end
450
444
 
451
- def deserialize_entry(serialized_entry)
445
+ def deserialize_entry(serialized_entry, raw:)
452
446
  if serialized_entry
453
447
  entry = Marshal.load(serialized_entry) rescue serialized_entry
448
+
449
+ written_raw = serialized_entry.equal?(entry)
450
+ if raw != written_raw
451
+ ActiveSupport::Deprecation.warn(<<-MSG.squish)
452
+ Using a different value for the raw option when reading and writing
453
+ to a cache key is deprecated for :redis_cache_store and Rails 6.0
454
+ will stop automatically detecting the format when reading to avoid
455
+ marshal loading untrusted raw strings.
456
+ MSG
457
+ end
458
+
454
459
  entry.is_a?(Entry) ? entry : Entry.new(entry)
455
460
  end
456
461
  end
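Review bot: the added `raw != written_raw` check in `deserialize_entry` fires only after `Marshal.load(serialized_entry)` on the line above has already executed, so on a `raw: true` read the stored string is still passed through Marshal before the mismatch is noticed; the deprecation changes which reads get a warning, not which bytes get loaded. That is presumably the intended 6.0 compatibility trade-off (the message itself says 6.0 will stop detecting the format), but it should be stated on the method so the warning is not mistaken for a guard, e.g. `# NOTE: format detection still Marshal.loads the stored string regardless of raw:;` / `# the mismatch warning is advisory only (CVE-2020-8165). Once the deprecation` / `# is enforced, raw reads must wrap the string without calling Marshal.load.`. Separately, `written_raw = serialized_entry.equal?(entry)` depends on the `rescue serialized_entry` modifier handing back the identical object; a one-line comment on why identity (`equal?`) rather than `==` is the right test would save the next reader a trip.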
@@ -10,7 +10,7 @@ module ActiveSupport
10
10
  MAJOR = 6
11
11
  MINOR = 0
12
12
  TINY = 3
13
- PRE = nil
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.3
4
+ version: 6.0.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-05-06 00:00:00.000000000 Z
11
+ date: 2020-05-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -359,10 +359,10 @@ licenses:
359
359
  - MIT
360
360
  metadata:
361
361
  bug_tracker_uri: https://github.com/rails/rails/issues
362
- changelog_uri: https://github.com/rails/rails/blob/v6.0.3/activesupport/CHANGELOG.md
363
- documentation_uri: https://api.rubyonrails.org/v6.0.3/
362
+ changelog_uri: https://github.com/rails/rails/blob/v6.0.3.1/activesupport/CHANGELOG.md
363
+ documentation_uri: https://api.rubyonrails.org/v6.0.3.1/
364
364
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
365
- source_code_uri: https://github.com/rails/rails/tree/v6.0.3/activesupport
365
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.3.1/activesupport
366
366
  post_install_message:
367
367
  rdoc_options:
368
368
  - "--encoding"