Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-actionpack-5.2 for 
openSUSE:Factory checked in at 2021-07-02 13:27:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-5.2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-5.2.new.2625 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-5.2"

Fri Jul  2 13:27:25 2021 rev:11 rq:903479 version:5.2.6

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionpack-5.2/rubygem-actionpack-5.2.changes
    2020-10-05 19:29:16.656493745 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionpack-5.2.new.2625/rubygem-actionpack-5.2.changes
  2021-07-02 13:28:18.832366374 +0200
@@ -1,0 +2,63 @@
+Thu Jun 24 16:48:01 UTC 2021 - Stephan Kulow <[email protected]>
+
+updated to version 5.2.6
+ see installed CHANGELOG.md
+
+  ## Rails 5.2.6 (May 05, 2021) ##
+  
+  *   Accept base64_urlsafe CSRF tokens to make forward compatible.
+  
+      Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+      them difficult to deal with. For example, the common practice of sending
+      the CSRF token to a browser in a client-readable cookie does not work 
properly
+      out of the box: the value has to be url-encoded and decoded to survive 
transport.
+  
+      In this version, we generate Base64 urlsafe-encoded CSRF tokens, which 
are inherently
+      safe to transport. Validation accepts both urlsafe tokens, and 
strict-encoded
+      tokens for backwards compatibility.
+  
+      How the tokes are encoded is controllr by the 
`action_controller.urlsafe_csrf_tokens`
+      config.
+  
+      In Rails 5.2.5, the CSRF token format was accidentally changed to 
urlsafe-encoded.
+  
+      **Atention**: If you already upgraded your application to 5.2.5, set the 
config
+      `urlsafe_csrf_tokens` to `true`, otherwise your form submission will 
start to fail
+      during the deploy of this new version.
+  
+      ```ruby
+      Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+      ```
+  
+      If you are upgrading from 5.2.4.x, you don't need to change this 
configuration.
+  
+      *Scott Blum*, *??tienne Barri??*
+  
+  
+  ## Rails 5.2.5 (March 26, 2021) ##
+  
+  *   No changes.
+  
+  
+  ## Rails 5.2.4.6 (May 05, 2021) ##
+  
+  *   Prevent regex DoS in HTTP token authentication
+      CVE-2021-22904
+  
+  *   Prevent string polymorphic route arguments.
+  
+      `url_for` supports building polymorphic URLs via an array
+      of arguments (usually symbols and records). If a developer passes a
+      user input array, strings can result in unwanted route helper calls.
+  
+      CVE-2021-22885
+  
+      *Gannon McGibbon*
+  
+  ## Rails 5.2.4.5 (February 10, 2021) ##
+  
+  *   No changes.
+  
+  
+
+-------------------------------------------------------------------
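Review bot: the 5.2.6 entry in this .changes hunk copies upstream's changelog text with its typos intact (`tokes` for tokens, `controllr` for controlled, `Atention`) and with the second author's name mis-encoded (its non-ASCII characters arrive as `??`), so the packaged changes file ships a broken UTF-8 name; either repair the encoding and spelling when pasting, or trim the entry to the lines a packager needs, which are the two CVE identifiers (CVE-2021-22904, CVE-2021-22885) and the `urlsafe_csrf_tokens` caveat for applications already on 5.2.5.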

Old:
----
  actionpack-5.2.4.4.gem

New:
----
  actionpack-5.2.6.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-5.2.spec ++++++
--- /var/tmp/diff_new_pack.67Z1Wn/_old  2021-07-02 13:28:19.232363271 +0200
+++ /var/tmp/diff_new_pack.67Z1Wn/_new  2021-07-02 13:28:19.232363271 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-actionpack-5.2
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionpack-5.2
-Version:        5.2.4.4
+Version:        5.2.6
 Release:        0
 %define mod_name actionpack
 %define mod_full_name %{mod_name}-%{version}

++++++ actionpack-5.2.4.4.gem -> actionpack-5.2.6.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2020-09-09 20:34:59.000000000 +0200
+++ new/CHANGELOG.md    2021-05-05 19:08:41.000000000 +0200
@@ -1,3 +1,59 @@
+## Rails 5.2.6 (May 05, 2021) ##
+
+*   Accept base64_urlsafe CSRF tokens to make forward compatible.
+
+    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+    them difficult to deal with. For example, the common practice of sending
+    the CSRF token to a browser in a client-readable cookie does not work 
properly
+    out of the box: the value has to be url-encoded and decoded to survive 
transport.
+
+    In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are 
inherently
+    safe to transport. Validation accepts both urlsafe tokens, and 
strict-encoded
+    tokens for backwards compatibility.
+
+    How the tokes are encoded is controllr by the 
`action_controller.urlsafe_csrf_tokens`
+    config.
+
+    In Rails 5.2.5, the CSRF token format was accidentally changed to 
urlsafe-encoded.
+
+    **Atention**: If you already upgraded your application to 5.2.5, set the 
config
+    `urlsafe_csrf_tokens` to `true`, otherwise your form submission will start 
to fail
+    during the deploy of this new version.
+
+    ```ruby
+    Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+    ```
+
+    If you are upgrading from 5.2.4.x, you don't need to change this 
configuration.
+
+    *Scott Blum*, *??tienne Barri??*
+
+
+## Rails 5.2.5 (March 26, 2021) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
+
+*   Prevent string polymorphic route arguments.
+
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
+
+    CVE-2021-22885
+
+    *Gannon McGibbon*
+
+## Rails 5.2.4.5 (February 10, 2021) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.4 (September 09, 2020) ##
 
 *   No changes.
@@ -10,6 +66,11 @@
 *   [CVE-2020-8164] Return self when calling #each, #each_pair, and 
#each_value instead of the raw @parameters hash
 
 
+## Rails 5.2.4.2 (March 19, 2020) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 *   Fix possible information leak / session hijacking vulnerability.
@@ -17,6 +78,11 @@
     The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it 
requires the
     gem dalli to be updated as well.
 
+    _Breaking changes:_
+    *   `session.id` now returns an instance of `Rack::Session::SessionId` and 
not a String (use `session.id.public_id` to restore the old behaviour, see 
#38063)
+    *   Accessing the session id using 
`session[:session_id]`/`session['session_id']` no longer works with
+        ruby 2.2 (see 
https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
+
     CVE-2019-16782.
 
 
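Review bot: the inserted `_Breaking changes:_` block lands between the MemcacheStore sentence and the existing `CVE-2019-16782.` line, so the CVE identifier now reads as the tail of the breaking-changes list rather than as the identifier for the whole 5.2.4.1 entry; move the `CVE-2019-16782.` line above the inserted block so the entry keeps its original shape.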
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/http_authentication.rb 
new/lib/action_controller/metal/http_authentication.rb
--- old/lib/action_controller/metal/http_authentication.rb      2020-09-09 
20:34:59.000000000 +0200
+++ new/lib/action_controller/metal/http_authentication.rb      2021-05-05 
19:08:41.000000000 +0200
@@ -406,7 +406,7 @@
     module Token
       TOKEN_KEY = "token="
       TOKEN_REGEX = /^(Token|Bearer)\s+/
-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
       extend self
 
       module ControllerMethods
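Review bot: dropping the `+` from `\t+` in `AUTHN_PAIR_DELIMITERS` removes the quantifier that let a long run of tabs drive the delimiter regex into heavy backtracking (the CVE-2021-22904 fix named in the changelog), but it also changes parsing: a run of tabs now produces empty fields between consecutive delimiters instead of a single split, so whatever consumes the split pairs must tolerate empty entries. No test accompanies the hunk; a regression test that feeds a header value with a long tab run through `Token` parsing would pin both the bounded runtime and the tolerance for empty fields.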
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lib/action_controller/metal/request_forgery_protection.rb 
new/lib/action_controller/metal/request_forgery_protection.rb
--- old/lib/action_controller/metal/request_forgery_protection.rb       
2020-09-09 20:34:59.000000000 +0200
+++ new/lib/action_controller/metal/request_forgery_protection.rb       
2021-05-05 19:08:41.000000000 +0200
@@ -92,6 +92,10 @@
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
+      # Controls whether URL-safe CSRF tokens are generated.
+      config_accessor :urlsafe_csrf_tokens, instance_writer: false
+      self.urlsafe_csrf_tokens = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
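Review bot: the comment above `config_accessor :urlsafe_csrf_tokens` should spell out the default (`false`, i.e. strict Base64 as in 5.2.4.x) and the operational caveat the changelog gives, that an application already running 5.2.5 has to set `Rails.application.config.action_controller.urlsafe_csrf_tokens = true` before deploying this version or form submissions fail during the rollout; the one-line "Controls whether URL-safe CSRF tokens are generated." is where an upgrader will look first. `instance_writer: false` is the right choice for a setting that decides the on-the-wire token format.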
@@ -321,11 +325,6 @@
           global_csrf_token(session)
         end
 
-        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
-        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
-        masked_token = one_time_pad + encrypted_csrf_token
-        Base64.urlsafe_encode64(masked_token, padding: false)
-
         mask_token(raw_token)
       end
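Review bot: the five removed lines computed a urlsafe-encoded masked token whose value was discarded, since the `mask_token(raw_token)` on the following line is the method's return value; removing them is correct and also stops one unused `SecureRandom.random_bytes` draw per token. Given the changelog says 5.2.5 accidentally changed the token format, this hunk would be stronger with a test that asserts the output format of the masked token under both `urlsafe_csrf_tokens` settings.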
 
@@ -338,7 +337,7 @@
         end
 
         begin
-          masked_token = Base64.strict_decode64(encoded_masked_token)
+          masked_token = decode_csrf_token(encoded_masked_token)
         rescue ArgumentError # encoded_masked_token is invalid Base64
           return false
         end
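Review bot: the `rescue ArgumentError` below the replaced line still covers malformed input only because both branches of `decode_csrf_token` bottom out in `Base64.strict_decode64` (the Ruby 2.2 backport further down in this file shows `urlsafe_decode64` ending in exactly that call), and that is the method that raises `ArgumentError`; a comment next to the `return false` stating that `decode_csrf_token` is expected to raise nothing but `ArgumentError` would protect this fail-closed path from a future change that wraps or re-raises differently.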
@@ -376,7 +375,7 @@
         one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
         encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
         masked_token = one_time_pad + encrypted_csrf_token
-        Base64.strict_encode64(masked_token)
+        encode_csrf_token(masked_token)
       end
 
       def compare_with_real_token(token, session) # :doc:
@@ -402,8 +401,8 @@
       end
 
       def real_csrf_token(session) # :doc:
-        session[:_csrf_token] ||= 
SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
-        Base64.strict_decode64(session[:_csrf_token])
+        session[:_csrf_token] ||= generate_csrf_token
+        decode_csrf_token(session[:_csrf_token])
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
@@ -466,5 +465,57 @@
         uri = URI.parse(action_path)
         uri.path.chomp("/")
       end
+
+      def generate_csrf_token # :nodoc:
+        if urlsafe_csrf_tokens
+          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: 
false)
+        else
+          SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
+        end
+      end
+
+      if RUBY_VERSION.start_with?("2.2")
+        # Backported 
https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
+        using Module.new {
+          refine Base64.singleton_class do
+            def urlsafe_encode64(bin, padding: true)
+              str = strict_encode64(bin).tr("+/", "-_")
+              str = str.delete("=") unless padding
+              str
+            end
+
+            def urlsafe_decode64(str)
+              # NOTE: RFC 4648 does say nothing about unpadded input, but says 
that
+              # "the excess pad characters MAY also be ignored", so it is 
inferred that
+              # unpadded input is also acceptable.
+              str = str.tr("-_", "+/")
+              if !str.end_with?("=") && str.length % 4 != 0
+                str = str.ljust((str.length + 3) & ~3, "=")
+              end
+              strict_decode64(str)
+            end
+          end
+        }
+      end
+
+      def encode_csrf_token(csrf_token) # :nodoc:
+        if urlsafe_csrf_tokens
+          Base64.urlsafe_encode64(csrf_token, padding: false)
+        else
+          Base64.strict_encode64(csrf_token)
+        end
+      end
+
+      def decode_csrf_token(encoded_csrf_token) # :nodoc:
+        if urlsafe_csrf_tokens
+          Base64.urlsafe_decode64(encoded_csrf_token)
+        else
+          begin
+            Base64.strict_decode64(encoded_csrf_token)
+          rescue ArgumentError
+            Base64.urlsafe_decode64(encoded_csrf_token)
+          end
+        end
+      end
   end
 end
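Review bot: in `generate_csrf_token`, `SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)` does not do what it reads as: the stdlib signature is `urlsafe_base64(n = nil, padding = false)` with a positional `padding`, so the `padding: false` keyword arrives as the Hash `{padding: false}`, which is truthy, and the session token keeps its `=` padding (32 random bytes encode to 43 characters plus one `=`). Nothing breaks, because `Base64.urlsafe_decode64` accepts padded input, but for the unpadded form the name promises drop the argument, since the positional default is already `false`. Separately, `decode_csrf_token` in the `urlsafe_csrf_tokens` branch accepts legacy strict-encoded tokens only because `urlsafe_decode64` leaves `+`, `/` and `=` untouched before calling `strict_decode64`; the strict branch makes the reverse tolerance explicit with its `rescue ArgumentError` fallback, so the urlsafe branch deserves a comment and a test stating that it relies on this property, as sessions created before the setting is flipped still hold strict-encoded tokens.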
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/test_case.rb 
new/lib/action_controller/test_case.rb
--- old/lib/action_controller/test_case.rb      2020-09-09 20:34:59.000000000 
+0200
+++ new/lib/action_controller/test_case.rb      2021-05-05 19:08:41.000000000 
+0200
@@ -177,12 +177,12 @@
 
   # Methods #destroy and #load! are overridden to avoid calling methods on the
   # @store object, which does not exist for the TestSession class.
-  class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
+  class TestSession < 
Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
 
     def initialize(session = {})
       super(nil, nil)
-      @id = SecureRandom.hex(16)
+      @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
       @data = stringify_keys(session)
       @loaded = true
     end
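Review bot: `Rack::Session::SessionId` and `Rack::Session::Abstract::PersistedSecure::SecureSessionHash`, used on the two `+` lines, come from rack's session-id hardening (the same change the `_Breaking changes:_` note under CVE-2019-16782 in CHANGELOG.md describes), so the gem's `rack` dependency needs a lower bound that provides them; the metadata hunk in this diff shows the `rack` dependency entry but no change to its version constraint, so confirm the existing constraint already requires the rack release that shipped the CVE-2019-16782 fix, otherwise loading test_case.rb against an older rack raises `NameError`.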
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/request/session.rb 
new/lib/action_dispatch/request/session.rb
--- old/lib/action_dispatch/request/session.rb  2020-09-09 20:34:59.000000000 
+0200
+++ new/lib/action_dispatch/request/session.rb  2021-05-05 19:08:41.000000000 
+0200
@@ -93,7 +93,7 @@
         key = key.to_s
 
         if key == "session_id"
-          id&.public_id
+          id && id.public_id
         else
           @delegate[key]
         end
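Review bot: replacing `id&.public_id` with `id && id.public_id` is a Ruby 2.2 compatibility change (the safe-navigation operator arrived in 2.3, and this patch guards a Base64 backport on `RUBY_VERSION.start_with?("2.2")` elsewhere); the two forms are equivalent here only because `id` is either nil or a `SessionId`, never `false`, which is worth a one-line comment so nobody modernises it back while 2.2 is still a supported target.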
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/routing/polymorphic_routes.rb 
new/lib/action_dispatch/routing/polymorphic_routes.rb
--- old/lib/action_dispatch/routing/polymorphic_routes.rb       2020-09-09 
20:34:59.000000000 +0200
+++ new/lib/action_dispatch/routing/polymorphic_routes.rb       2021-05-05 
19:08:41.000000000 +0200
@@ -288,10 +288,12 @@
 
             args = []
 
-            route = record_list.map { |parent|
+            route = record_list.map do |parent|
               case parent
-              when Symbol, String
+              when Symbol
                 parent.to_s
+              when String
+                raise(ArgumentError, "Please use symbols for polymorphic route 
arguments.")
               when Class
                 args << parent
                 parent.model_name.singular_route_key
@@ -299,12 +301,14 @@
                 args << parent.to_model
                 parent.to_model.model_name.singular_route_key
               end
-            }
+            end
 
             route <<
             case record
-            when Symbol, String
+            when Symbol
               record.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route 
arguments.")
             when Class
               @key_strategy.call record.model_name
             else
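Review bot: the two new `when String` branches raise the same `ArgumentError` text twice; hoist the message into a constant so the wording cannot drift between the parent-list case and the record case. Behaviourally this turns a previously accepted input into an exception, which is the point of the CVE-2021-22885 entry (the changelog notes that strings in a user-supplied array could result in unwanted route helper calls), but it also means an application that legitimately passed strings here now fails at request time, so the changelog should say "raises ArgumentError" rather than only "prevent", and a test covering both branches belongs in the hunk. The `{ }` to `do ... end` rewrite is style only and could be left out of a security backport to keep the diff minimal.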
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/testing/integration.rb 
new/lib/action_dispatch/testing/integration.rb
--- old/lib/action_dispatch/testing/integration.rb      2020-09-09 
20:34:59.000000000 +0200
+++ new/lib/action_dispatch/testing/integration.rb      2021-05-05 
19:08:41.000000000 +0200
@@ -401,6 +401,7 @@
           super
         end
       end
+      ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
     end
   end
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb 
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb  2020-09-09 20:34:59.000000000 +0200
+++ new/lib/action_pack/gem_version.rb  2021-05-05 19:08:41.000000000 +0200
@@ -9,8 +9,8 @@
   module VERSION
     MAJOR = 5
     MINOR = 2
-    TINY  = 4
-    PRE   = "4"
+    TINY  = 6
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-09-09 20:34:59.000000000 +0200
+++ new/metadata        2021-05-05 19:08:41.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 5.2.4.4
+  version: 5.2.6
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-09 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6
 description: Web apps on Rails. Simple, battle-tested conventions for building 
and
   testing MVC web applications. Works with any Rack-compatible server.
 email: [email protected]
@@ -299,8 +299,8 @@
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.4/actionpack
-  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.4.4/actionpack/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.6/actionpack
+  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.6/actionpack/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -317,7 +317,7 @@
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of 
Rails).
