Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-actionpack-6.0 for
openSUSE:Factory checked in at 2021-07-02 13:27:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-6.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.2625 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-6.0"
Fri Jul 2 13:27:22 2021 rev:11 rq:902954 version:6.0.4
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-actionpack-6.0/rubygem-actionpack-6.0.changes
2020-10-18 16:34:56.192851737 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.2625/rubygem-actionpack-6.0.changes
2021-07-02 13:28:14.364401041 +0200
@@ -1,0 +2,70 @@
+Thu Jun 24 16:48:15 UTC 2021 - Stephan Kulow <[email protected]>
+
+updated to version 6.0.4
+ see installed CHANGELOG.md
+
+ ## Rails 6.0.4 (June 15, 2021) ##
+
+ * Accept base64_urlsafe CSRF tokens to make forward compatible.
+
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+ them difficult to deal with. For example, the common practice of sending
+ the CSRF token to a browser in a client-readable cookie does not work
properly
+ out of the box: the value has to be url-encoded and decoded to survive
transport.
+
+ In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are
inherently
+ safe to transport. Validation accepts both urlsafe tokens, and
strict-encoded
+ tokens for backwards compatibility.
+
+ In Rails 5.2.5, the CSRF token format is accidentally changed to
urlsafe-encoded.
+ If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens =
true`.
+
+ ```ruby
+ Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+ ```
+
+ *Scott Blum*, *??tienne Barri??*
+
+ * Signed and encrypted cookies can now store `false` as their value when
+ `action_dispatch.use_cookies_with_metadata` is enabled.
+
+ *Rolandas Barysas*
+
+
+ ## Rails 6.0.3.7 (May 05, 2021) ##
+
+ * Prevent catastrophic backtracking during mime parsing
+ CVE-2021-22902
+
+ * Prevent regex DoS in HTTP token authentication
+ CVE-2021-22904
+
+ * Prevent string polymorphic route arguments.
+
+ `url_for` supports building polymorphic URLs via an array
+ of arguments (usually symbols and records). If a developer passes a
+ user input array, strings can result in unwanted route helper calls.
+
+ CVE-2021-22885
+
+ *Gannon McGibbon*
+
+ ## Rails 6.0.3.6 (March 26, 2021) ##
+
+ * No changes.
+
+
+ ## Rails 6.0.3.5 (February 10, 2021) ##
+
+ * Prevent open redirect when allowed host starts with a dot
+
+ [CVE-2021-22881]
+
+ Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+ issue and the patch!
+
+ *Aaron Patterson*
+
+
+
+-------------------------------------------------------------------
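Review bot: the contributor credit `*??tienne Barri??*` in the 6.0.4 entry has lost its non-ASCII characters (rendered as `??`); check that the .changes file is stored as UTF-8 so the name survives. The entry does list the four security fixes that motivate this update (CVE-2021-22902, CVE-2021-22904, CVE-2021-22885, CVE-2021-22881), which is the information a package reviewer needs.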
Old:
----
actionpack-6.0.3.4.gem
New:
----
actionpack-6.0.4.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionpack-6.0.spec ++++++
--- /var/tmp/diff_new_pack.tXAHdS/_old 2021-07-02 13:28:14.756397999 +0200
+++ /var/tmp/diff_new_pack.tXAHdS/_new 2021-07-02 13:28:14.756397999 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-actionpack-6.0
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
#
Name: rubygem-actionpack-6.0
-Version: 6.0.3.4
+Version: 6.0.4
Release: 0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
++++++ actionpack-6.0.3.4.gem -> actionpack-6.0.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2020-10-07 18:48:22.000000000 +0200
+++ new/CHANGELOG.md 2021-06-15 22:17:34.000000000 +0200
@@ -1,3 +1,66 @@
+## Rails 6.0.4 (June 15, 2021) ##
+
+* Accept base64_urlsafe CSRF tokens to make forward compatible.
+
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+ them difficult to deal with. For example, the common practice of sending
+ the CSRF token to a browser in a client-readable cookie does not work
properly
+ out of the box: the value has to be url-encoded and decoded to survive
transport.
+
+ In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are
inherently
+ safe to transport. Validation accepts both urlsafe tokens, and
strict-encoded
+ tokens for backwards compatibility.
+
+ In Rails 5.2.5, the CSRF token format is accidentally changed to
urlsafe-encoded.
+ If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens =
true`.
+
+ ```ruby
+ Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+ ```
+
+ *Scott Blum*, *??tienne Barri??*
+
+* Signed and encrypted cookies can now store `false` as their value when
+ `action_dispatch.use_cookies_with_metadata` is enabled.
+
+ *Rolandas Barysas*
+
+
+## Rails 6.0.3.7 (May 05, 2021) ##
+
+* Prevent catastrophic backtracking during mime parsing
+ CVE-2021-22902
+
+* Prevent regex DoS in HTTP token authentication
+ CVE-2021-22904
+
+* Prevent string polymorphic route arguments.
+
+ `url_for` supports building polymorphic URLs via an array
+ of arguments (usually symbols and records). If a developer passes a
+ user input array, strings can result in unwanted route helper calls.
+
+ CVE-2021-22885
+
+ *Gannon McGibbon*
+
+## Rails 6.0.3.6 (March 26, 2021) ##
+
+* No changes.
+
+
+## Rails 6.0.3.5 (February 10, 2021) ##
+
+* Prevent open redirect when allowed host starts with a dot
+
+ [CVE-2021-22881]
+
+ Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+ issue and the patch!
+
+ *Aaron Patterson*
+
+
## Rails 6.0.3.4 (October 07, 2020) ##
* [CVE-2020-8264] Prevent XSS in Actionable Exceptions
@@ -18,6 +81,7 @@
* [CVE-2020-8164] Return self when calling #each, #each_pair, and
#each_value instead of the raw @parameters hash
+
## Rails 6.0.3 (May 06, 2020) ##
* Include child session assertion count in ActionDispatch::IntegrationTest
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.rdoc new/README.rdoc
--- old/README.rdoc 2020-10-07 18:48:22.000000000 +0200
+++ new/README.rdoc 2021-06-15 22:17:34.000000000 +0200
@@ -33,7 +33,7 @@
Source code can be downloaded as part of the Rails project on GitHub:
-* https://github.com/rails/rails/tree/master/actionpack
+* https://github.com/rails/rails/tree/main/actionpack
== License
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_controller/metal/http_authentication.rb
new/lib/action_controller/metal/http_authentication.rb
--- old/lib/action_controller/metal/http_authentication.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_controller/metal/http_authentication.rb 2021-06-15
22:17:34.000000000 +0200
@@ -405,7 +405,7 @@
module Token
TOKEN_KEY = "token="
TOKEN_REGEX = /^(Token|Bearer)\s+/
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
extend self
module ControllerMethods
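Review bot: this is the CVE-2021-22904 change named in the changelog, and the entire fix is dropping the `+` from `\t+` in `AUTHN_PAIR_DELIMITERS`, so a tab is now matched individually rather than as a variable-length run. A regression test that feeds a long run of tabs in an `Authorization: Token ...` header, asserting the parse returns promptly and that well-formed headers still yield the same pairs, would pin this behaviour.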
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_controller/metal/params_wrapper.rb
new/lib/action_controller/metal/params_wrapper.rb
--- old/lib/action_controller/metal/params_wrapper.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_controller/metal/params_wrapper.rb 2021-06-15
22:17:34.000000000 +0200
@@ -275,7 +275,10 @@
return false unless request.has_content_type?
ref = request.content_mime_type.ref
+
_wrapper_formats.include?(ref) && _wrapper_key &&
!request.parameters.key?(_wrapper_key)
+ rescue ActionDispatch::Http::Parameters::ParseError
+ false
end
def _perform_parameter_wrapping
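Review bot: the new `rescue ActionDispatch::Http::Parameters::ParseError` returning `false` has no comment, while the rescue it replaces (removed in the next hunk, annotated `# swallow parse error exception`) had one; add a line saying that a body that fails to parse simply disables wrapping here, since `request.parameters.key?(_wrapper_key)` is what triggers the parse. Because the error is no longer swallowed inside `_perform_parameter_wrapping`, a test that a malformed JSON body still produces the expected parse-error response rather than being silently ignored would confirm the intended behaviour.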
@@ -289,8 +292,6 @@
# This will display the wrapped hash in the log file.
request.filtered_parameters.merge! wrapped_filtered_hash
- rescue ActionDispatch::Http::Parameters::ParseError
- # swallow parse error exception
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_controller/metal/request_forgery_protection.rb
new/lib/action_controller/metal/request_forgery_protection.rb
--- old/lib/action_controller/metal/request_forgery_protection.rb
2020-10-07 18:48:22.000000000 +0200
+++ new/lib/action_controller/metal/request_forgery_protection.rb
2021-06-15 22:17:34.000000000 +0200
@@ -32,29 +32,21 @@
# response may be extracted. To prevent this, only XmlHttpRequest (known as
XHR or
# Ajax) requests are allowed to make requests for JavaScript responses.
#
- # It's important to remember that XML or JSON requests are also checked by
default. If
- # you're building an API or an SPA you could change forgery protection
method in
- # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
+ # Subclasses of <tt>ActionController::Base</tt> are protected by default
with the
+ # <tt>:exception</tt> strategy, which raises an
+ # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified
requests.
+ #
+ # APIs may want to disable this behavior since they are typically designed
to be
+ # state-less: that is, the request API client handles the session instead of
Rails.
+ # One way to achieve this is to use the <tt>:null_session</tt> strategy
instead,
+ # which allows unverified requests to be handled, but with an empty session:
#
# class ApplicationController < ActionController::Base
- # protect_from_forgery unless: -> { request.format.json? }
+ # protect_from_forgery with: :null_session
# end
#
- # It is generally safe to exclude XHR requests from CSRF protection
- # (like the code snippet above does), because XHR requests can only be made
from
- # the same origin. Note however that any cross-origin third party domain
- # allowed via
{CORS}[https://en.wikipedia.org/wiki/Cross-origin_resource_sharing]
- # will also be able to create XHR requests. Be sure to check your
- # CORS configuration before disabling forgery protection for XHR.
- #
- # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
- # By default <tt>protect_from_forgery</tt> protects your session with
- # <tt>:null_session</tt> method, which provides an empty session
- # during request.
- #
- # We may want to disable CSRF protection for APIs since they are typically
- # designed to be state-less. That is, the request API client will handle
- # the session for you instead of Rails.
+ # Note that API only applications don't include this module or a session
middleware
+ # by default, and so don't require CSRF protection to be configured.
#
# The token parameter is named <tt>authenticity_token</tt> by default. The
name and
# value of this token must be added to every layout that renders forms by
including
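Review bot: the rewritten comment drops the old paragraph warning that any origin allowed via CORS can also issue XHR requests and that the CORS configuration should be checked before relaxing forgery protection; that caveat still applies to anyone who switches to `:null_session` or adds an `unless:` condition, so keep a sentence of it. Removing the old `protect_from_forgery unless: -> { request.format.json? }` example is the right call, since that snippet exempted every JSON-format request from the check.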
@@ -98,6 +90,10 @@
config_accessor :default_protect_from_forgery
self.default_protect_from_forgery = false
+ # Controls whether URL-safe CSRF tokens are generated.
+ config_accessor :urlsafe_csrf_tokens, instance_writer: false
+ self.urlsafe_csrf_tokens = false
+
helper_method :form_authenticity_token
helper_method :protect_against_forgery?
end
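Review bot: the comment on `urlsafe_csrf_tokens` should state the default (`false`, keeping strict Base64 for existing 6.0 apps) and point to the changelog note that apps upgraded from 5.2.5 need it set to `true`. `instance_writer: false` is appropriate here so the encoding cannot be flipped on a single controller instance.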
@@ -337,7 +333,7 @@
end
begin
- masked_token = Base64.strict_decode64(encoded_masked_token)
+ masked_token = decode_csrf_token(encoded_masked_token)
rescue ArgumentError # encoded_masked_token is invalid Base64
return false
end
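Review bot: the `rescue ArgumentError # encoded_masked_token is invalid Base64` comment still holds after the switch to `decode_csrf_token`, because both `Base64.strict_decode64` and `Base64.urlsafe_decode64` raise `ArgumentError` on malformed input; worth stating in the comment that the rescue covers both decode paths.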
@@ -375,7 +371,7 @@
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
masked_token = one_time_pad + encrypted_csrf_token
- Base64.strict_encode64(masked_token)
+ encode_csrf_token(masked_token)
end
def compare_with_real_token(token, session) # :doc:
@@ -401,8 +397,8 @@
end
def real_csrf_token(session) # :doc:
- session[:_csrf_token] ||=
SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
- Base64.strict_decode64(session[:_csrf_token])
+ session[:_csrf_token] ||= generate_csrf_token
+ decode_csrf_token(session[:_csrf_token])
end
def per_form_csrf_token(session, action_path, method) # :doc:
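Review bot: sessions created before this upgrade hold a `SecureRandom.base64` token in `session[:_csrf_token]`, and with `urlsafe_csrf_tokens = true` the decode path in `decode_csrf_token` is `Base64.urlsafe_decode64` alone, with no strict fallback; add a test that such a pre-existing strict-encoded session token still validates after the flag is flipped, otherwise every live session would be invalidated by the configuration change.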
@@ -470,5 +466,33 @@
uri = URI.parse(action_path)
uri.path.chomp("/")
end
+
+ def generate_csrf_token # :nodoc:
+ if urlsafe_csrf_tokens
+ SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding:
false)
+ else
+ SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
+ end
+ end
+
+ def encode_csrf_token(csrf_token) # :nodoc:
+ if urlsafe_csrf_tokens
+ Base64.urlsafe_encode64(csrf_token, padding: false)
+ else
+ Base64.strict_encode64(csrf_token)
+ end
+ end
+
+ def decode_csrf_token(encoded_csrf_token) # :nodoc:
+ if urlsafe_csrf_tokens
+ Base64.urlsafe_decode64(encoded_csrf_token)
+ else
+ begin
+ Base64.strict_decode64(encoded_csrf_token)
+ rescue ArgumentError
+ Base64.urlsafe_decode64(encoded_csrf_token)
+ end
+ end
+ end
end
end
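Review bot: `decode_csrf_token`'s strict branch silently falls back to `Base64.urlsafe_decode64` on `ArgumentError`, which is what makes validation accept both encodings as the changelog promises, but nothing in the code says so; a one-line comment on that `rescue` would stop a future cleanup from removing it. Note also that `generate_csrf_token` and `encode_csrf_token` both pass `padding: false`, so urlsafe tokens are unpadded and the decode side relies on `urlsafe_decode64` tolerating missing padding; a test round-tripping an unpadded token through `decode_csrf_token` in both modes would cover that.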
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/http/content_disposition.rb
new/lib/action_dispatch/http/content_disposition.rb
--- old/lib/action_dispatch/http/content_disposition.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/http/content_disposition.rb 2021-06-15
22:17:34.000000000 +0200
@@ -14,13 +14,13 @@
@filename = filename
end
- TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!#$+.^_`|~-]/
+ TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!\#$+.^_`|~-]/
def ascii_filename
'filename="' + percent_escape(I18n.transliterate(filename),
TRADITIONAL_ESCAPED_CHAR) + '"'
end
- RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!#$&+.^_`|~-]/
+ RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!\#$&+.^_`|~-]/
def utf8_filename
"filename*=UTF-8''" + percent_escape(filename, RFC_5987_ESCAPED_CHAR)
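Review bot: escaping the `#` is a real fix, not cosmetic: inside a Ruby regex literal `#$+` and `#$&` are interpolations of the globals `$+` and `$&` (last matched group and last match), so the old character classes did not contain a literal `#` and their contents depended on whatever regex had matched last. `\#` makes each class the literal set the constant name intends. A test that a filename containing `#` is percent-escaped by both `ascii_filename` and `utf8_filename` would lock this in.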
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/http/mime_negotiation.rb
new/lib/action_dispatch/http/mime_negotiation.rb
--- old/lib/action_dispatch/http/mime_negotiation.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/http/mime_negotiation.rb 2021-06-15
22:17:34.000000000 +0200
@@ -7,6 +7,8 @@
module MimeNegotiation
extend ActiveSupport::Concern
+ class InvalidType < ::Mime::Type::InvalidMimeType; end
+
RESCUABLE_MIME_FORMAT_ERRORS = [
ActionController::BadRequest,
ActionDispatch::Http::Parameters::ParseError,
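Review bot: `InvalidType` is introduced so that a bad `Accept` or `Content-Type` header rejected during request negotiation can be told apart from a `Mime::Type::InvalidMimeType` raised elsewhere; that is consistent with the `debug_exceptions.rb`, `public_exceptions.rb` and `exception_wrapper.rb` hunks further down, which rescue or map the new class. Since it subclasses `InvalidMimeType`, existing `rescue Mime::Type::InvalidMimeType` clauses in applications keep working.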
@@ -25,6 +27,8 @@
nil
end
set_header k, v
+ rescue ::Mime::Type::InvalidMimeType => e
+ raise InvalidType, e.message
end
end
@@ -47,6 +51,8 @@
Mime::Type.parse(header)
end
set_header k, v
+ rescue ::Mime::Type::InvalidMimeType => e
+ raise InvalidType, e.message
end
end
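Review bot: this `rescue ::Mime::Type::InvalidMimeType => e` / `raise InvalidType, e.message` pair is identical to the one in the previous hunk; a small private helper would avoid the duplication. Raising the new class from inside the `rescue` keeps the original exception as `cause`, so no diagnostic information is lost by the translation.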
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/http/mime_type.rb
new/lib/action_dispatch/http/mime_type.rb
--- old/lib/action_dispatch/http/mime_type.rb 2020-10-07 18:48:22.000000000
+0200
+++ new/lib/action_dispatch/http/mime_type.rb 2021-06-15 22:17:34.000000000
+0200
@@ -226,7 +226,7 @@
MIME_PARAMETER_KEY =
"[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
MIME_PARAMETER_VALUE =
"#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
MIME_PARAMETER =
"\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
- MIME_REGEXP =
/\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
+ MIME_REGEXP =
/\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
class InvalidMimeType < StandardError; end
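Review bot: this is the CVE-2021-22902 change from the changelog: the parameter repetition `(?:\s*#{MIME_PARAMETER}\s*)*` becomes the atomic group `(?>\s*#{MIME_PARAMETER}\s*)*`, so once a parameter has been consumed the engine cannot backtrack into it looking for another split. The overlap that made the old form expensive is visible in the definitions just above: `MIME_PARAMETER` itself begins with `\s*\;\s*` and the wrapper adds `\s*` on both sides, giving many ways to divide the same whitespace between adjacent repetitions. A regression test with a long header of repeated `;` and spaces that must be rejected within a bounded time would guard against reintroducing the non-atomic form.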
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/http/parameters.rb
new/lib/action_dispatch/http/parameters.rb
--- old/lib/action_dispatch/http/parameters.rb 2020-10-07 18:48:22.000000000
+0200
+++ new/lib/action_dispatch/http/parameters.rb 2021-06-15 22:17:34.000000000
+0200
@@ -89,7 +89,7 @@
return params unless controller && controller.valid_encoding?
if binary_params_for?(controller, action)
- ActionDispatch::Request::Utils.each_param_value(params) do |param|
+
ActionDispatch::Request::Utils.each_param_value(params.except(:controller,
:action)) do |param|
param.force_encoding ::Encoding::ASCII_8BIT
end
end
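Review bot: excluding `:controller` and `:action` from the `force_encoding ::Encoding::ASCII_8BIT` loop deserves a comment: those two values come from the router rather than the request body, and re-tagging them as binary would change their encoding wherever the controller or action name is later compared or interpolated.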
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/http/request.rb
new/lib/action_dispatch/http/request.rb
--- old/lib/action_dispatch/http/request.rb 2020-10-07 18:48:22.000000000
+0200
+++ new/lib/action_dispatch/http/request.rb 2021-06-15 22:17:34.000000000
+0200
@@ -133,6 +133,8 @@
HTTP_METHOD_LOOKUP[method] = method.underscore.to_sym
}
+ alias raw_request_method request_method # :nodoc:
+
# Returns the HTTP \method that the application should see.
# In the case where the \method was overridden by a middleware
# (for instance, if a HEAD request was converted to a GET,
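Review bot: `alias raw_request_method request_method # :nodoc:` has no caller anywhere in this patch; a comment naming what consumes it would help the next reader, since an apparently unused alias tends to get removed.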
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/actionable_exceptions.rb
new/lib/action_dispatch/middleware/actionable_exceptions.rb
--- old/lib/action_dispatch/middleware/actionable_exceptions.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/middleware/actionable_exceptions.rb 2021-06-15
22:17:34.000000000 +0200
@@ -33,7 +33,7 @@
if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
body = "<html><body>You are being <a
href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
else
- return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection
URI"]]
+ return [400, { "Content-Type" => "text/plain" }, ["Invalid
redirection URI"]]
end
[302, {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/middleware/cookies.rb
new/lib/action_dispatch/middleware/cookies.rb
--- old/lib/action_dispatch/middleware/cookies.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/middleware/cookies.rb 2021-06-15
22:17:34.000000000 +0200
@@ -458,7 +458,13 @@
def [](name)
if data = @parent_jar[name.to_s]
- parse(name, data, purpose: "cookie.#{name}") || parse(name, data)
+ result = parse(name, data, purpose: "cookie.#{name}")
+
+ if result.nil?
+ parse(name, data)
+ else
+ result
+ end
end
end
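Review bot: replacing `parse(...) || parse(name, data)` with an explicit `nil?` check is what lets a signed or encrypted cookie carry `false` (the 6.0.4 changelog entry): with `||`, a legitimately stored `false` fell through to the second, purpose-less `parse`. The purpose-less fallback remains for cookies written without metadata, so a comment marking it as the legacy path would make the intent clear.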
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/middleware/debug_exceptions.rb
new/lib/action_dispatch/middleware/debug_exceptions.rb
--- old/lib/action_dispatch/middleware/debug_exceptions.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/middleware/debug_exceptions.rb 2021-06-15
22:17:34.000000000 +0200
@@ -63,8 +63,8 @@
if request.get_header("action_dispatch.show_detailed_exceptions")
begin
content_type = request.formats.first
- rescue Mime::Type::InvalidMimeType
- render_for_api_request(Mime[:text], wrapper)
+ rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+ content_type = Mime[:text]
end
if api_request?(content_type)
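Review bot: besides switching to `ActionDispatch::Http::MimeNegotiation::InvalidType`, this hunk changes control flow: the old rescue called `render_for_api_request(Mime[:text], wrapper)` directly, while the new one assigns `content_type = Mime[:text]` and continues into the `api_request?(content_type)` branch, matching what `public_exceptions.rb` already does. That is worth a changelog line, since a malformed Accept header on a detailed-exceptions page now goes through the normal rendering path.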
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/middleware/exception_wrapper.rb
new/lib/action_dispatch/middleware/exception_wrapper.rb
--- old/lib/action_dispatch/middleware/exception_wrapper.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/middleware/exception_wrapper.rb 2021-06-15
22:17:34.000000000 +0200
@@ -12,7 +12,7 @@
"ActionController::UnknownHttpMethod" => :method_not_allowed,
"ActionController::NotImplemented" => :not_implemented,
"ActionController::UnknownFormat" => :not_acceptable,
- "Mime::Type::InvalidMimeType" => :not_acceptable,
+ "ActionDispatch::Http::MimeNegotiation::InvalidType" => :not_acceptable,
"ActionController::MissingExactTemplate" => :not_acceptable,
"ActionController::InvalidAuthenticityToken" => :unprocessable_entity,
"ActionController::InvalidCrossOriginRequest" => :unprocessable_entity,
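Review bot: the mapping for `"Mime::Type::InvalidMimeType"` is replaced rather than kept alongside the new `"ActionDispatch::Http::MimeNegotiation::InvalidType"` entry, so an `InvalidMimeType` raised anywhere other than the two rescue sites in `mime_negotiation.rb` is no longer mapped to `:not_acceptable` and falls to the default status. If that is intended (a bad type constructed by application code is a server bug, not a client error), the commit message should say so.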
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/middleware/host_authorization.rb
new/lib/action_dispatch/middleware/host_authorization.rb
--- old/lib/action_dispatch/middleware/host_authorization.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/middleware/host_authorization.rb 2021-06-15
22:17:34.000000000 +0200
@@ -46,9 +46,9 @@
def sanitize_string(host)
if host.start_with?(".")
- /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/
+ /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
else
- host
+ /\A#{Regexp.escape host}\z/i
end
end
end
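Review bot: both branches of `sanitize_string` now return an anchored, case-insensitive `Regexp`, so a plain allowed host such as `"example.com"` is matched whole and case-insensitively instead of being compared as a string; make sure `allows?` handles a `Regexp` entry uniformly and add a test covering a mixed-case `Host` header against a plain-string entry. This and the following hunk are the host-authorization changes the changelog ties to CVE-2021-22881.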
@@ -87,11 +87,20 @@
private
def authorized?(request)
- origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
- forwarded_host =
request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
+ valid_host = /
+ \A
+ (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
+ (:\d+)?
+ \z
+ /x
+
+ origin_host = valid_host.match(
+ request.get_header("HTTP_HOST").to_s.downcase)
+ forwarded_host = valid_host.match(
+ request.x_forwarded_host.to_s.split(/,\s?/).last)
- @permissions.allows?(origin_host) &&
- (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+ origin_host && @permissions.allows?(origin_host[:host]) && (
+ forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
end
def mark_as_authorized(request)
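Review bot: `forwarded_host` is matched without `.downcase` while `origin_host` is downcased first, and `valid_host` only admits `[a-z0-9.-]`, so a forwarded host containing uppercase letters fails the match and becomes `nil`, which the final expression treats exactly like an absent `X-Forwarded-Host` header. Apply `.downcase` to both inputs, and consider failing closed (returning false) when the header is present but does not match `valid_host`, so that an unparseable value is rejected rather than ignored. The new `valid_host` restriction is the substantive part of the fix: only a dotted name or a bracketed IPv6 literal, optionally followed by a port, is accepted before the permissions check runs.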
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/middleware/public_exceptions.rb
new/lib/action_dispatch/middleware/public_exceptions.rb
--- old/lib/action_dispatch/middleware/public_exceptions.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/middleware/public_exceptions.rb 2021-06-15
22:17:34.000000000 +0200
@@ -23,7 +23,7 @@
status = request.path_info[1..-1].to_i
begin
content_type = request.formats.first
- rescue Mime::Type::InvalidMimeType
+ rescue ActionDispatch::Http::MimeNegotiation::InvalidType
content_type = Mime[:text]
end
body = { status: status, error:
Rack::Utils::HTTP_STATUS_CODES.fetch(status,
Rack::Utils::HTTP_STATUS_CODES[500]) }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb
new/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb
---
old/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb
2020-10-07 18:48:22.000000000 +0200
+++
new/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb
2021-06-15 22:17:34.000000000 +0200
@@ -6,6 +6,7 @@
<%= @exception.message %>
<% if defined?(ActiveStorage) &&
@exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}})
%>
To resolve this issue run: rails active_storage:install
+<% end %>
<% if defined?(ActionMailbox) &&
@exception.message.match?(%r{#{ActionMailbox::InboundEmail.table_name}}) %>
To resolve this issue run: rails action_mailbox:install
<% end %>
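Review bot: the added `<% end %>` closes the `if defined?(ActiveStorage)` block, which previously had no matching `end` within this section and ran on into the `ActionMailbox` check; a rendering test that triggers the ActiveStorage branch alone would catch a regression.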
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/routing/polymorphic_routes.rb
new/lib/action_dispatch/routing/polymorphic_routes.rb
--- old/lib/action_dispatch/routing/polymorphic_routes.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/routing/polymorphic_routes.rb 2021-06-15
22:17:34.000000000 +0200
@@ -286,10 +286,12 @@
args = []
- route = record_list.map { |parent|
+ route = record_list.map do |parent|
case parent
- when Symbol, String
+ when Symbol
parent.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route
arguments.")
when Class
args << parent
parent.model_name.singular_route_key
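Review bot: this is the CVE-2021-22885 change: a `String` in the record list now raises `ArgumentError` instead of being stringified alongside `Symbol`, which closes the path by which user-supplied strings reached route helper calls. It is a breaking change for callers that legitimately passed strings, so the changelog entry and the error message should both make clear that symbols are the only accepted non-record arguments.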
@@ -297,12 +299,14 @@
args << parent.to_model
parent.to_model.model_name.singular_route_key
end
- }
+ end
route <<
case record
- when Symbol, String
+ when Symbol
record.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route
arguments.")
when Class
@key_strategy.call record.model_name
else
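Review bot: the `ArgumentError` message `"Please use symbols for polymorphic route arguments."` is duplicated from the previous hunk; extract it to a constant so the two `when String` branches cannot drift apart.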
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/routing/url_for.rb
new/lib/action_dispatch/routing/url_for.rb
--- old/lib/action_dispatch/routing/url_for.rb 2020-10-07 18:48:22.000000000
+0200
+++ new/lib/action_dispatch/routing/url_for.rb 2021-06-15 22:17:34.000000000
+0200
@@ -107,6 +107,7 @@
@_routes = nil
super
end
+ ruby2_keywords(:initialize) if respond_to?(:ruby2_keywords, true)
# Hook overridden in controller to add request information
# with +default_url_options+. Application logic should not
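Review bot: `ruby2_keywords(:initialize) if respond_to?(:ruby2_keywords, true)` keeps the `*args` delegation in `initialize` forwarding keyword arguments correctly on Ruby 2.7 and later, while the guard keeps older Rubies working; a short comment saying so would save the next reader a lookup.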
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_dispatch/system_testing/browser.rb
new/lib/action_dispatch/system_testing/browser.rb
--- old/lib/action_dispatch/system_testing/browser.rb 2020-10-07
18:48:22.000000000 +0200
+++ new/lib/action_dispatch/system_testing/browser.rb 2021-06-15
22:17:34.000000000 +0200
@@ -64,14 +64,14 @@
private
def headless_chrome_browser_options
- capabilities.args << "--headless"
- capabilities.args << "--disable-gpu" if Gem.win_platform?
+ capabilities.add_argument("--headless")
+ capabilities.add_argument("--disable-gpu") if Gem.win_platform?
capabilities
end
def headless_firefox_browser_options
- capabilities.args << "-headless"
+ capabilities.add_argument("-headless")
capabilities
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb 2020-10-07 18:48:22.000000000 +0200
+++ new/lib/action_pack/gem_version.rb 2021-06-15 22:17:34.000000000 +0200
@@ -9,8 +9,8 @@
module VERSION
MAJOR = 6
MINOR = 0
- TINY = 3
- PRE = "4"
+ TINY = 4
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2020-10-07 18:48:22.000000000 +0200
+++ new/metadata 2021-06-15 22:17:34.000000000 +0200
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: actionpack
version: !ruby/object:Gem::Version
- version: 6.0.3.4
+ version: 6.0.4
platform: ruby
authors:
- David Heinemeier Hansson
-autorequire:
+autorequire:
bindir: bin
cert_chain: []
-date: 2020-10-07 00:00:00.000000000 Z
+date: 2021-06-15 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,14 +16,14 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3.4
+ version: 6.0.4
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3.4
+ version: 6.0.4
- !ruby/object:Gem::Dependency
name: rack
requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3.4
+ version: 6.0.4
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3.4
+ version: 6.0.4
- !ruby/object:Gem::Dependency
name: activemodel
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3.4
+ version: 6.0.4
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3.4
+ version: 6.0.4
description: Web apps on Rails. Simple, battle-tested conventions for building
and
testing MVC web applications. Works with any Rack-compatible server.
email: [email protected]
@@ -310,11 +310,11 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v6.0.3.4/actionpack/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v6.0.3.4/
+ changelog_uri:
https://github.com/rails/rails/blob/v6.0.4/actionpack/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v6.0.4/
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v6.0.3.4/actionpack
-post_install_message:
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.4/actionpack
+post_install_message:
rdoc_options: []
require_paths:
- lib
@@ -330,8 +330,8 @@
version: '0'
requirements:
- none
-rubygems_version: 3.1.4
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
specification_version: 4
summary: Web-flow and rendering framework putting the VC in MVC (part of
Rails).
test_files: []