activesupport 6.1.4.7 → 6.1.6

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of activesupport might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 00d1ffb5327d8d92613eaeca552453b2a69570ab5c0ee13c9120ea36e644aa2b
4
- data.tar.gz: 8fd8459bab73cb896daaf55836752bb1ca1470692e946a7aca27b8a546725c92
3
+ metadata.gz: fb4b2777f833f66213c96712362d080e55bd168920300a541b91785364378852
4
+ data.tar.gz: 55c79503e212f3bc963c92bf59a244498752811ee523217117e7807d7117ebde
5
5
  SHA512:
6
- metadata.gz: 717067e7bc66727dccde373d9be15b57a73c1168a668e1e684ffd919c6d6ac6add32bd620110a3a7fc9e621e0bea13fc4dcfbaacb54b4a57b30e4eec55ede433
7
- data.tar.gz: 1365f5d7aa1a4d5dc15d63d77b5dceb198d222d515de5959cbe88c63e0f112a82766c6a391a64dc06013ae2e8dd433d24ee7fcaa7bcc128e6ecde695f5c7ce54
6
+ metadata.gz: 538e584f718934a337fd4d6c2946f8db3281b7a8bc5f377479e19d5c2a6d05527ad4197db4ecb6a9bba1e88af98bbf734731e50b31e407e7af9e40a175ddad3e
7
+ data.tar.gz: fe3fc8e41b06d7f15fd72ccd5affd2a375f50fb19dd56130e704e22b12b07471bf245d66bd67dd36e60dcd36ccbc8e8454407929c63a71b3b2ad436ad50d5e64
data/CHANGELOG.md CHANGED
@@ -1,3 +1,40 @@
1
+ ## Rails 6.1.5.1 (April 26, 2022) ##
2
+
3
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
4
+
5
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
6
+ in names of tags and names of attributes, following the specification of XML.
7
+
8
+ *Álvaro Martín Fraguas*
9
+
10
+ ## Rails 6.1.5 (March 09, 2022) ##
11
+
12
+ * Fix `ActiveSupport::Duration.build` to support negative values.
13
+
14
+ The algorithm to collect the `parts` of the `ActiveSupport::Duration`
15
+ ignored the sign of the `value` and accumulated incorrect part values. This
16
+ impacted `ActiveSupport::Duration#sum` (which is dependent on `parts`) but
17
+ not `ActiveSupport::Duration#eql?` (which is dependent on `value`).
18
+
19
+ *Caleb Buxton*, *Braden Staudacher*
20
+
21
+ * `Time#change` and methods that call it (eg. `Time#advance`) will now
22
+ return a `Time` with the timezone argument provided, if the caller was
23
+ initialized with a timezone argument.
24
+
25
+ Fixes [#42467](https://github.com/rails/rails/issues/42467).
26
+
27
+ *Alex Ghiculescu*
28
+
29
+ * Clone to keep extended Logger methods for tagged logger.
30
+
31
+ *Orhan Toy*
32
+
33
+ * `assert_changes` works on including `ActiveSupport::Assertions` module.
34
+
35
+ *Pedro Medeiros*
36
+
37
+
1
38
  ## Rails 6.1.4.7 (March 08, 2022) ##
2
39
 
3
40
  * No changes.
@@ -308,7 +345,7 @@
308
345
 
309
346
  *Max Gurewitz*
310
347
 
311
- * `URI.parser` is deprecated and will be removed in Rails 6.2. Use
348
+ * `URI.parser` is deprecated and will be removed in Rails 7.0. Use
312
349
  `URI::DEFAULT_PARSER` instead.
313
350
 
314
351
  *Jean Boussier*
data/MIT-LICENSE CHANGED
@@ -1,4 +1,4 @@
1
- Copyright (c) 2005-2020 David Heinemeier Hansson
1
+ Copyright (c) 2005-2022 David Heinemeier Hansson
2
2
 
3
3
  Permission is hereby granted, free of charge, to any person obtaining
4
4
  a copy of this software and associated documentation files (the
@@ -1,6 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "securerandom"
4
+ require "digest"
4
5
 
5
6
  module Digest
6
7
  module UUID
@@ -11,6 +11,14 @@ class ERB
11
11
  HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
12
12
  JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
13
13
 
14
+ # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
15
+ TAG_NAME_START_REGEXP_SET = "@:A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
16
+ "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
17
+ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
18
+ TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
19
+ TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
20
+ TAG_NAME_REPLACEMENT_CHAR = "_"
21
+
14
22
  # A utility method for escaping HTML tag characters.
15
23
  # This method is also aliased as <tt>h</tt>.
16
24
  #
@@ -115,6 +123,26 @@ class ERB
115
123
  end
116
124
 
117
125
  module_function :json_escape
126
+
127
+ # A utility method for escaping XML names of tags and names of attributes.
128
+ #
129
+ # xml_name_escape('1 < 2 & 3')
130
+ # # => "1___2___3"
131
+ #
132
+ # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
133
+ def xml_name_escape(name)
134
+ name = name.to_s
135
+ return "" if name.blank?
136
+
137
+ starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
138
+
139
+ return starting_char if name.size == 1
140
+
141
+ following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
142
+
143
+ starting_char + following_chars
144
+ end
145
+ module_function :xml_name_escape
118
146
  end
119
147
  end
120
148
 
@@ -160,6 +160,8 @@ class Time
160
160
  ::Time.new(new_year, new_month, new_day, new_hour, new_min, new_sec, new_offset)
161
161
  elsif utc?
162
162
  ::Time.utc(new_year, new_month, new_day, new_hour, new_min, new_sec)
163
+ elsif zone&.respond_to?(:utc_to_local)
164
+ ::Time.new(new_year, new_month, new_day, new_hour, new_min, new_sec, zone)
163
165
  elsif zone
164
166
  ::Time.local(new_year, new_month, new_day, new_hour, new_min, new_sec)
165
167
  else
@@ -20,7 +20,7 @@ module URI
20
20
  class << self
21
21
  def parser
22
22
  ActiveSupport::Deprecation.warn(<<-MSG.squish)
23
- URI.parser is deprecated and will be removed in Rails 6.2.
23
+ URI.parser is deprecated and will be removed in Rails 7.0.
24
24
  Use `URI::DEFAULT_PARSER` instead.
25
25
  MSG
26
26
  URI::DEFAULT_PARSER
@@ -89,7 +89,10 @@ module ActiveSupport
89
89
  end
90
90
 
91
91
  Rails.autoloaders.main.enable_reloading if enable_reloading
92
- Rails.autoloaders.each(&:setup)
92
+
93
+ # Order matters.
94
+ Rails.autoloaders.once.setup
95
+ Rails.autoloaders.main.setup
93
96
  end
94
97
 
95
98
  def autoload_once?(autoload_path)
@@ -38,7 +38,7 @@ module ActiveSupport
38
38
  # and the second is a library name.
39
39
  #
40
40
  # ActiveSupport::Deprecation.new('2.0', 'MyLibrary')
41
- def initialize(deprecation_horizon = "6.2", gem_name = "Rails")
41
+ def initialize(deprecation_horizon = "7.0", gem_name = "Rails")
42
42
  self.gem_name = gem_name
43
43
  self.deprecation_horizon = deprecation_horizon
44
44
  # By default, warnings are not silenced and debugging is off.
@@ -1,5 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "digest"
4
+
3
5
  module ActiveSupport
4
6
  class Digest #:nodoc:
5
7
  class <<self
@@ -186,17 +186,18 @@ module ActiveSupport
186
186
  end
187
187
 
188
188
  parts = {}
189
- remainder = value.round(9)
189
+ remainder_sign = value <=> 0
190
+ remainder = value.round(9).abs
190
191
 
191
192
  PARTS.each do |part|
192
193
  unless part == :seconds
193
194
  part_in_seconds = PARTS_IN_SECONDS[part]
194
- parts[part] = remainder.div(part_in_seconds)
195
+ parts[part] = remainder.div(part_in_seconds) * remainder_sign
195
196
  remainder %= part_in_seconds
196
197
  end
197
198
  end unless value == 0
198
199
 
199
- parts[:seconds] = remainder
200
+ parts[:seconds] = remainder * remainder_sign
200
201
 
201
202
  new(value, parts)
202
203
  end
@@ -9,8 +9,8 @@ module ActiveSupport
9
9
  module VERSION
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
- TINY = 4
13
- PRE = "7"
12
+ TINY = 6
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -10,13 +10,13 @@ module ActiveSupport
10
10
 
11
11
  def default_normalization_form
12
12
  ActiveSupport::Deprecation.warn(
13
- "ActiveSupport::Multibyte::Unicode.default_normalization_form is deprecated and will be removed in Rails 6.2."
13
+ "ActiveSupport::Multibyte::Unicode.default_normalization_form is deprecated and will be removed in Rails 7.0."
14
14
  )
15
15
  end
16
16
 
17
17
  def default_normalization_form=(_)
18
18
  ActiveSupport::Deprecation.warn(
19
- "ActiveSupport::Multibyte::Unicode.default_normalization_form= is deprecated and will be removed in Rails 6.2."
19
+ "ActiveSupport::Multibyte::Unicode.default_normalization_form= is deprecated and will be removed in Rails 7.0."
20
20
  )
21
21
  end
22
22
 
@@ -56,5 +56,6 @@ module ActiveSupport
56
56
 
57
57
  send(name, *args, &block)
58
58
  end
59
+ ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
59
60
  end
60
61
  end
@@ -87,7 +87,7 @@ module ActiveSupport
87
87
  if app.config.active_support.use_sha1_digests
88
88
  ActiveSupport::Deprecation.warn(<<-MSG.squish)
89
89
  config.active_support.use_sha1_digests is deprecated and will
90
- be removed from Rails 6.2. Use
90
+ be removed from Rails 7.0. Use
91
91
  config.active_support.hash_digest_class = ::Digest::SHA1 instead.
92
92
  MSG
93
93
  ActiveSupport::Digest.hash_digest_class = ::Digest::SHA1
@@ -79,7 +79,7 @@ module ActiveSupport
79
79
  end
80
80
 
81
81
  def self.new(logger)
82
- logger = logger.dup
82
+ logger = logger.clone
83
83
 
84
84
  if logger.formatter
85
85
  logger.formatter = logger.formatter.dup
@@ -189,7 +189,7 @@ module ActiveSupport
189
189
  error = "#{expression.inspect} didn't change"
190
190
  error = "#{error}. It was already #{to}" if before == to
191
191
  error = "#{message}.\n#{error}" if message
192
- assert_not_equal before, after, error
192
+ refute_equal before, after, error
193
193
 
194
194
  unless to == UNTRACKED
195
195
  error = "Expected change to #{to}\n"
@@ -381,6 +381,8 @@ module ActiveSupport
381
381
  # If the string is invalid then an +ArgumentError+ will be raised unlike +parse+
382
382
  # which usually returns +nil+ when given an invalid date string.
383
383
  def iso8601(str)
384
+ raise ArgumentError, "invalid date" if str.nil?
385
+
384
386
  parts = Date._iso8601(str)
385
387
 
386
388
  raise ArgumentError, "invalid date" if parts.empty?
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  #--
4
- # Copyright (c) 2005-2020 David Heinemeier Hansson
4
+ # Copyright (c) 2005-2022 David Heinemeier Hansson
5
5
  #
6
6
  # Permission is hereby granted, free of charge, to any person obtaining
7
7
  # a copy of this software and associated documentation files (the
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.4.7
4
+ version: 6.1.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-08 00:00:00.000000000 Z
11
+ date: 2022-05-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -357,10 +357,11 @@ licenses:
357
357
  - MIT
358
358
  metadata:
359
359
  bug_tracker_uri: https://github.com/rails/rails/issues
360
- changelog_uri: https://github.com/rails/rails/blob/v6.1.4.7/activesupport/CHANGELOG.md
361
- documentation_uri: https://api.rubyonrails.org/v6.1.4.7/
360
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.6/activesupport/CHANGELOG.md
361
+ documentation_uri: https://api.rubyonrails.org/v6.1.6/
362
362
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
363
- source_code_uri: https://github.com/rails/rails/tree/v6.1.4.7/activesupport
363
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.6/activesupport
364
+ rubygems_mfa_required: 'true'
364
365
  post_install_message:
365
366
  rdoc_options:
366
367
  - "--encoding"
@@ -378,7 +379,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
378
379
  - !ruby/object:Gem::Version
379
380
  version: '0'
380
381
  requirements: []
381
- rubygems_version: 3.1.6
382
+ rubygems_version: 3.3.7
382
383
  signing_key:
383
384
  specification_version: 4
384
385
  summary: A toolkit of support libraries and Ruby core extensions extracted from the