Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: rails/rails
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v7.0.8
Choose a base ref
...
head repository: rails/rails
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v7.0.8.1
Choose a head ref
  • 4 commits
  • 38 files changed
  • 3 contributors

Commits on Feb 21, 2024

  1. Merge pull request #48869 from brunoprietog/disable-session-active-st… 

    …orage-proxy-controllers

Disable session in ActiveStorage blobs and representations proxy controllers

[CVE-2024-26144]
    @rafaelfranca @tenderlove
    rafaelfranca authored and tenderlove committed Feb 21, 2024
    Copy the full SHA
    723f545 View commit details

  2. fix XSS vulnerability when using translation 

    [CVE-2024-26143]
    @ooooooo-q @tenderlove
    ooooooo-q authored and tenderlove committed Feb 21, 2024
    Copy the full SHA
    4c83b33 View commit details

  3. update changelog

    @tenderlove
    tenderlove committed Feb 21, 2024
    Copy the full SHA
    030cd01 View commit details

  4. Preparing for 7.0.8.1 release

    @tenderlove
    tenderlove committed Feb 21, 2024
    Loading
    Loading status checks…
    Copy the full SHA
    506462a View commit details
Showing with 5,574 additions and 5,482 deletions.
  1. +53 −63 Gemfile.lock
  2. +1 −1 RAILS_VERSION
  3. +5 −0 actioncable/CHANGELOG.md
  4. +1 −1 actioncable/lib/action_cable/gem_version.rb
  5. +1 −1 actioncable/package.json
  6. +5 −0 actionmailbox/CHANGELOG.md
  7. +1 −1 actionmailbox/lib/action_mailbox/gem_version.rb
  8. +5 −0 actionmailer/CHANGELOG.md
  9. +1 −1 actionmailer/lib/action_mailer/gem_version.rb
  10. +6 −0 actionpack/CHANGELOG.md
  11. +23 −1 actionpack/lib/abstract_controller/translation.rb
  12. +1 −1 actionpack/lib/action_pack/gem_version.rb
  13. +31 −0 actionpack/test/abstract/translation_test.rb
  14. +5 −0 actiontext/CHANGELOG.md
  15. +1 −1 actiontext/lib/action_text/gem_version.rb
  16. +1 −1 actiontext/package.json
  17. +5 −0 actionview/CHANGELOG.md
  18. +1 −1 actionview/lib/action_view/gem_version.rb
  19. +1 −1 actionview/package.json
  20. +5 −0 activejob/CHANGELOG.md
  21. +1 −1 activejob/lib/active_job/gem_version.rb
  22. +5 −0 activemodel/CHANGELOG.md
  23. +1 −1 activemodel/lib/active_model/gem_version.rb
  24. +5 −0 activerecord/CHANGELOG.md
  25. +1 −1 activerecord/lib/active_record/gem_version.rb
  26. +10 −0 activestorage/CHANGELOG.md
  27. +1 −0 activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
  28. +1 −0 activestorage/app/controllers/active_storage/representations/proxy_controller.rb
  29. +12 −0 activestorage/app/controllers/concerns/active_storage/disable_session.rb
  30. +1 −1 activestorage/lib/active_storage/gem_version.rb
  31. +1 −1 activestorage/package.json
  32. +5 −0 activesupport/CHANGELOG.md
  33. +1 −1 activesupport/lib/active_support/gem_version.rb
  34. +5 −0 guides/CHANGELOG.md
  35. +5 −0 railties/CHANGELOG.md
  36. +1 −1 railties/lib/rails/gem_version.rb
  37. +1 −1 version.rb
  38. +5,364 −5,400 yarn.lock
116 changes: 53 additions & 63 deletions Gemfile.lock
View file
Original file line number Diff line number Diff line change
@@ -31,88 +31,88 @@ GIT
PATH
remote: .
specs:
actioncable (7.0.8)
actionpack (= 7.0.8)
activesupport (= 7.0.8)
actioncable (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (7.0.8)
actionpack (= 7.0.8)
activejob (= 7.0.8)
activerecord (= 7.0.8)
activestorage (= 7.0.8)
activesupport (= 7.0.8)
actionmailbox (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
mail (>= 2.7.1)
net-imap
net-pop
net-smtp
actionmailer (7.0.8)
actionpack (= 7.0.8)
actionview (= 7.0.8)
activejob (= 7.0.8)
activesupport (= 7.0.8)
actionmailer (7.0.8.1)
actionpack (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activesupport (= 7.0.8.1)
mail (~> 2.5, >= 2.5.4)
net-imap
net-pop
net-smtp
rails-dom-testing (~> 2.0)
actionpack (7.0.8)
actionview (= 7.0.8)
activesupport (= 7.0.8)
actionpack (7.0.8.1)
actionview (= 7.0.8.1)
activesupport (= 7.0.8.1)
rack (~> 2.0, >= 2.2.4)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (7.0.8)
actionpack (= 7.0.8)
activerecord (= 7.0.8)
activestorage (= 7.0.8)
activesupport (= 7.0.8)
actiontext (7.0.8.1)
actionpack (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
globalid (>= 0.6.0)
nokogiri (>= 1.8.5)
actionview (7.0.8)
activesupport (= 7.0.8)
actionview (7.0.8.1)
activesupport (= 7.0.8.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0)
activejob (7.0.8)
activesupport (= 7.0.8)
activejob (7.0.8.1)
activesupport (= 7.0.8.1)
globalid (>= 0.3.6)
activemodel (7.0.8)
activesupport (= 7.0.8)
activerecord (7.0.8)
activemodel (= 7.0.8)
activesupport (= 7.0.8)
activestorage (7.0.8)
actionpack (= 7.0.8)
activejob (= 7.0.8)
activerecord (= 7.0.8)
activesupport (= 7.0.8)
activemodel (7.0.8.1)
activesupport (= 7.0.8.1)
activerecord (7.0.8.1)
activemodel (= 7.0.8.1)
activesupport (= 7.0.8.1)
activestorage (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activesupport (= 7.0.8.1)
marcel (~> 1.0)
mini_mime (>= 1.1.0)
activesupport (7.0.8)
activesupport (7.0.8.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
tzinfo (~> 2.0)
rails (7.0.8)
actioncable (= 7.0.8)
actionmailbox (= 7.0.8)
actionmailer (= 7.0.8)
actionpack (= 7.0.8)
actiontext (= 7.0.8)
actionview (= 7.0.8)
activejob (= 7.0.8)
activemodel (= 7.0.8)
activerecord (= 7.0.8)
activestorage (= 7.0.8)
activesupport (= 7.0.8)
rails (7.0.8.1)
actioncable (= 7.0.8.1)
actionmailbox (= 7.0.8.1)
actionmailer (= 7.0.8.1)
actionpack (= 7.0.8.1)
actiontext (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activemodel (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
bundler (>= 1.15.0)
railties (= 7.0.8)
railties (7.0.8)
actionpack (= 7.0.8)
activesupport (= 7.0.8)
railties (= 7.0.8.1)
railties (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
method_source
rake (>= 12.2)
thor (~> 1.0)
@@ -375,10 +375,6 @@ GEM
nokogiri (1.14.0)
mini_portile2 (~> 2.8.0)
racc (~> 1.4)
nokogiri (1.14.0-x86_64-darwin)
racc (~> 1.4)
nokogiri (1.14.0-x86_64-linux)
racc (~> 1.4)
os (1.1.4)
parallel (1.22.1)
parser (3.2.0.0)
@@ -522,8 +518,6 @@ GEM
sprockets (>= 3.0.0)
sqlite3 (1.6.3)
mini_portile2 (~> 2.8.0)
sqlite3 (1.6.3-x86_64-darwin)
sqlite3 (1.6.3-x86_64-linux)
stackprof (0.2.23)
stimulus-rails (1.2.1)
railties (>= 6.0.0)
@@ -532,10 +526,6 @@ GEM
concurrent-ruby (~> 1.0)
tailwindcss-rails (2.0.21)
railties (>= 6.0.0)
tailwindcss-rails (2.0.21-x86_64-darwin)
railties (>= 6.0.0)
tailwindcss-rails (2.0.21-x86_64-linux)
railties (>= 6.0.0)
terser (1.1.13)
execjs (>= 0.3.0, < 3)
thin (1.8.1)
2 changes: 1 addition & 1 deletion RAILS_VERSION
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
7.0.8
7.0.8.1
5 changes: 5 additions & 0 deletions actioncable/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actioncable/lib/action_cable/gem_version.rb
View file
Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
2 changes: 1 addition & 1 deletion actioncable/package.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@rails/actioncable",
"version": "7.0.8",
"version": "7.0.8-1",
"description": "WebSocket framework for Ruby on Rails.",
"module": "app/assets/javascripts/actioncable.esm.js",
"main": "app/assets/javascripts/actioncable.js",
5 changes: 5 additions & 0 deletions actionmailbox/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actionmailbox/lib/action_mailbox/gem_version.rb
View file
Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
5 changes: 5 additions & 0 deletions actionmailer/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actionmailer/lib/action_mailer/gem_version.rb
View file
Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
6 changes: 6 additions & 0 deletions actionpack/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* Fix possible XSS vulnerability with the `translate` method in controllers

CVE-2024-26143

## Rails 7.0.8 (September 09, 2023) ##

* Fix `HostAuthorization` potentially displaying the value of the
24 changes: 23 additions & 1 deletion actionpack/lib/abstract_controller/translation.rb
View file
Original file line number Diff line number Diff line change
@@ -25,7 +25,25 @@ def translate(key, **options)

i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)

ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
if options[:default]
options[:default] = [options[:default]] unless options[:default].is_a?(Array)
options[:default] = options[:default].map do |value|
value.is_a?(String) ? ERB::Util.html_escape(value) : value
end
end

unless i18n_raise
options[:default] = [] unless options[:default]
options[:default] << MISSING_TRANSLATION
end

result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)

if result == MISSING_TRANSLATION
+"translation missing: #{key}"
else
result
end
end
alias :t :translate

@@ -34,5 +52,9 @@ def localize(object, **options)
I18n.localize(object, **options)
end
alias :l :localize

private
MISSING_TRANSLATION = -(2**60)
private_constant :MISSING_TRANSLATION
end
end
2 changes: 1 addition & 1 deletion actionpack/lib/action_pack/gem_version.rb
View file
Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
31 changes: 31 additions & 0 deletions actionpack/test/abstract/translation_test.rb
View file
Original file line number Diff line number Diff line change
@@ -93,6 +93,22 @@ def test_default_translation
end
end

def test_default_translation_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t(".twoz", default: ["<tag>"])
assert_equal "&lt;tag&gt;", translation
assert_equal true, translation.html_safe?
end
end

def test_default_translation_with_raise_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
assert_equal "&lt;tag&gt;", translation
assert_equal true, translation.html_safe?
end
end

def test_localize
time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
I18n.stub :localize, expected do
@@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
assert_equal true, translation.html_safe?
end
end

def test_translate_marks_translation_with_missing_html_key_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t("<tag>.html")
assert_equal "translation missing: <tag>.html", translation
assert_equal false, translation.html_safe?
end
end
def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t(".<tag>.html")
assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
assert_equal false, translation.html_safe?
end
end
end
end
end
5 changes: 5 additions & 0 deletions actiontext/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actiontext/lib/action_text/gem_version.rb
View file
Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
2 changes: 1 addition & 1 deletion actiontext/package.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@rails/actiontext",
"version": "7.0.8",
"version": "7.0.8-1",
"description": "Edit and display rich text in Rails applications",
"main": "app/assets/javascripts/actiontext.js",
"type": "module",
5 changes: 5 additions & 0 deletions actionview/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* Fix `form_for` missing the hidden `_method` input for models with a
2 changes: 1 addition & 1 deletion actionview/lib/action_view/gem_version.rb
View file
Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
2 changes: 1 addition & 1 deletion actionview/package.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@rails/ujs",
"version": "7.0.8",
"version": "7.0.8-1",
"description": "Ruby on Rails unobtrusive scripting adapter",
"main": "lib/assets/compiled/rails-ujs.js",
"files": [
5 changes: 5 additions & 0 deletions activejob/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* Fix Active Job log message to correctly report a job failed to enqueue
Loading