Hello community,

here is the log from the commit of package rubygem-actionpack-6.0 for 
openSUSE:Factory checked in at 2022-02-07 23:37:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-6.0 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.1898 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-6.0"

Mon Feb  7 23:37:28 2022 rev:12 rq:949054 version:6.0.4.4

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionpack-6.0/rubygem-actionpack-6.0.changes
    2021-07-02 13:28:14.364401041 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.1898/rubygem-actionpack-6.0.changes
  2022-02-07 23:38:19.538347871 +0100
@@ -1,0 +2,29 @@
+Tue Jan 25 06:19:15 UTC 2022 - Stephan Kulow <[email protected]>
+
+updated to version 6.0.4.4
+ see installed CHANGELOG.md
+
+  ## Rails 6.0.4.4 (December 15, 2021) ##
+  
+  *   Fix issue with host protection not allowing host with port in 
development.
+  
+  
+  ## Rails 6.0.4.3 (December 14, 2021) ##
+  
+  *   Fix issue with host protection not allowing localhost in development.
+  
+  
+  ## Rails 6.0.4.2 (December 14, 2021) ##
+  
+  *   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+  
+  ## Rails 6.1.4.1 (August 19, 2021) ##
+  
+  *   [CVE-2021-22942] Fix possible open redirect in Host Authorization 
middleware.
+  
+      Specially crafted "X-Forwarded-Host" headers in combination with certain
+      "allowed host" formats can cause the Host Authorization middleware in 
Action
+      Pack to redirect users to a malicious website.
+  
+
+-------------------------------------------------------------------
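Review bot: the two CVE identifiers in this .changes entry appear only inside the quoted upstream CHANGELOG text, and the quoted block includes a `Rails 6.1.4.1` heading inside a 6.0.x package, which reads as a copy error. Put the identifiers on the entry's own lines, e.g. `- update to 6.0.4.4` followed by `- CVE-2021-22942: open redirect in Host Authorization middleware` and `- CVE-2021-44528: X_FORWARDED_HOST protection`, so the tooling that parses .changes for security references picks them up, and trim the quoted text to the 6.0.x headings.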

Old:
----
  actionpack-6.0.4.gem

New:
----
  actionpack-6.0.4.4.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-6.0.spec ++++++
--- /var/tmp/diff_new_pack.BT2fhs/_old  2022-02-07 23:38:19.958344998 +0100
+++ /var/tmp/diff_new_pack.BT2fhs/_new  2022-02-07 23:38:19.966344943 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-actionpack-6.0
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionpack-6.0
-Version:        6.0.4
+Version:        6.0.4.4
 Release:        0
 %define mod_name actionpack
 %define mod_full_name %{mod_name}-%{version}

++++++ actionpack-6.0.4.gem -> actionpack-6.0.4.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2021-06-15 22:17:34.000000000 +0200
+++ new/CHANGELOG.md    2021-12-15 23:44:50.000000000 +0100
@@ -1,3 +1,25 @@
+## Rails 6.0.4.4 (December 15, 2021) ##
+
+*   Fix issue with host protection not allowing host with port in development.
+
+
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   Fix issue with host protection not allowing localhost in development.
+
+
+## Rails 6.0.4.2 (December 14, 2021) ##
+
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+
+## Rails 6.1.4.1 (August 19, 2021) ##
+
+*   [CVE-2021-22942] Fix possible open redirect in Host Authorization 
middleware.
+
+    Specially crafted "X-Forwarded-Host" headers in combination with certain
+    "allowed host" formats can cause the Host Authorization middleware in 
Action
+    Pack to redirect users to a malicious website.
+
 ## Rails 6.0.4 (June 15, 2021) ##
 
 *   Accept base64_urlsafe CSRF tokens to make forward compatible.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/middleware/host_authorization.rb 
new/lib/action_dispatch/middleware/host_authorization.rb
--- old/lib/action_dispatch/middleware/host_authorization.rb    2021-06-15 
22:17:34.000000000 +0200
+++ new/lib/action_dispatch/middleware/host_authorization.rb    2021-12-15 
23:44:50.000000000 +0100
@@ -10,6 +10,17 @@
   # application will be executed and rendered. If no +response_app+ is given, a
   # default one will run, which responds with +403 Forbidden+.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), 
IPAddr.new("::/0")]
+    PORT_REGEX = /(?::\d+)/ # :nodoc:
+    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
+    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
+    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
+    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
+      /\A#{IPV4_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
+    )
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
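Review bot: IPV6_HOSTNAME_WITH_PORT makes the port mandatory (`#{PORT_REGEX}` without `?`) while IPV4_HOSTNAME makes it optional, so a bracketed IPv6 host with no port such as `[::1]` matches none of the three VALID_IP_HOSTNAME alternatives and extract_hostname passes the bracketed string through unchanged to `IPAddr#===`; suggest `/\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}?/i` so both address families are handled the same way. Also, ALLOWED_HOSTS_IN_DEVELOPMENT is introduced here but nothing in this diff references it, so the wiring that applies it to development configuration is outside the visible change.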
@@ -21,11 +32,17 @@
 
       def allows?(host)
         @hosts.any? do |allowed|
-          allowed === host
-        rescue
-          # IPAddr#=== raises an error if you give it a hostname instead of
-          # IP. Treat similar errors as blocked access.
-          false
+          if allowed.is_a?(IPAddr)
+            begin
+              allowed === extract_hostname(host)
+            rescue
+              # IPAddr#=== raises an error if you give it a hostname instead of
+              # IP. Treat similar errors as blocked access.
+              false
+            end
+          else
+            allowed === host
+          end
         end
       end
 
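Review bot: `allows?` can now receive a nil host, since `authorized?` below passes `request.get_header("HTTP_HOST")` through without `.to_s`; in the IPAddr branch that nil reaches `extract_hostname`, raises NoMethodError, and is denied only because the bare `rescue` swallows it, which makes the comment about `IPAddr#===` raising on hostnames misleading about what is actually caught. Suggest an explicit `return false if host.nil?` at the top of the method and narrowing the rescue to `rescue IPAddr::Error` so unrelated errors are not silently turned into a denial.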
@@ -41,16 +58,20 @@
         end
 
         def sanitize_regexp(host)
-          /\A#{host}\z/
+          /\A#{host}#{PORT_REGEX}?\z/
         end
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
+            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
-            /\A#{Regexp.escape host}\z/i
+            /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
         end
+
+        def extract_hostname(host)
+          host.slice(VALID_IP_HOSTNAME, "host") || host
+        end
     end
 
     DEFAULT_RESPONSE_APP = -> env do
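Review bot: the leading-dot pattern narrows from `(.+\.)?` to `([a-z0-9-]+\.)?`, which removes the ability of the old `.+` to accept characters that are not valid in a hostname ahead of the allowed suffix, but it also permits only one extra label, so with `.example.com` configured a host like `a.b.example.com` no longer matches. If nested subdomains are meant to stay allowed, use `([a-z0-9-]+\.)*`; either way the tightening is a behaviour change that belongs in the CHANGELOG entry, which currently mentions only the redirect fix.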
@@ -87,20 +108,10 @@
 
     private
       def authorized?(request)
-        valid_host = /
-          \A
-          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
-          (:\d+)?
-          \z
-        /x
-
-        origin_host = valid_host.match(
-          request.get_header("HTTP_HOST").to_s.downcase)
-        forwarded_host = valid_host.match(
-          request.x_forwarded_host.to_s.split(/,\s?/).last)
+        origin_host = request.get_header("HTTP_HOST")
+        forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
 
-        origin_host && @permissions.allows?(origin_host[:host]) && (
-          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
+        @permissions.allows?(origin_host) && (forwarded_host.blank? || 
@permissions.allows?(forwarded_host))
       end
 
       def mark_as_authorized(request)
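Review bot: the removed code downcased the header before matching (`request.get_header("HTTP_HOST").to_s.downcase`), while the new `origin_host = request.get_header("HTTP_HOST")` passes it through unchanged. The patterns built by sanitize_string carry `/i`, but a user-supplied Regexp wrapped by sanitize_regexp does not, so `config.hosts` regex entries that previously matched case-insensitively now match case-sensitively; either keep the `.downcase` here or call the change out in the CHANGELOG. The removed `valid_host` shape check is now effectively replaced by the `\A ... \z` anchors in the sanitized patterns, which is fine as long as every entry in @hosts goes through sanitize_hosts.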
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb 
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb  2021-06-15 22:17:34.000000000 +0200
+++ new/lib/action_pack/gem_version.rb  2021-12-15 23:44:50.000000000 +0100
@@ -10,7 +10,7 @@
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = nil
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2021-06-15 22:17:34.000000000 +0200
+++ new/metadata        2021-12-15 23:44:50.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.0.4
+  version: 6.0.4.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-15 00:00:00.000000000 Z
+date: 2021-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4
+        version: 6.0.4.4
 description: Web apps on Rails. Simple, battle-tested conventions for building 
and
   testing MVC web applications. Works with any Rack-compatible server.
 email: [email protected]
@@ -310,10 +310,10 @@
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: 
https://github.com/rails/rails/blob/v6.0.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.4/
+  changelog_uri: 
https://github.com/rails/rails/blob/v6.0.4.4/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.4.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.4.4/actionpack
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -330,7 +330,7 @@
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of 
Rails).
