base repository: rails/rails
base: v7.0.8
head repository: rails/rails
compare: v7.0.8.1
  • 4 commits
  • 38 files changed
  • 3 contributors

Commits on Feb 21, 2024

  1. Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

     Disable session in ActiveStorage blobs and representations proxy controllers

     [CVE-2024-26144]
     rafaelfranca authored and tenderlove committed Feb 21, 2024
     723f545
  2. 4c83b33
  3. update changelog

     tenderlove committed Feb 21, 2024
     030cd01
  4. Preparing for 7.0.8.1 release

     tenderlove committed Feb 21, 2024
     506462a
Showing with 5,574 additions and 5,482 deletions.
  1. +53 −63 Gemfile.lock
  2. +1 −1 RAILS_VERSION
  3. +5 −0 actioncable/CHANGELOG.md
  4. +1 −1 actioncable/lib/action_cable/gem_version.rb
  5. +1 −1 actioncable/package.json
  6. +5 −0 actionmailbox/CHANGELOG.md
  7. +1 −1 actionmailbox/lib/action_mailbox/gem_version.rb
  8. +5 −0 actionmailer/CHANGELOG.md
  9. +1 −1 actionmailer/lib/action_mailer/gem_version.rb
  10. +6 −0 actionpack/CHANGELOG.md
  11. +23 −1 actionpack/lib/abstract_controller/translation.rb
  12. +1 −1 actionpack/lib/action_pack/gem_version.rb
  13. +31 −0 actionpack/test/abstract/translation_test.rb
  14. +5 −0 actiontext/CHANGELOG.md
  15. +1 −1 actiontext/lib/action_text/gem_version.rb
  16. +1 −1 actiontext/package.json
  17. +5 −0 actionview/CHANGELOG.md
  18. +1 −1 actionview/lib/action_view/gem_version.rb
  19. +1 −1 actionview/package.json
  20. +5 −0 activejob/CHANGELOG.md
  21. +1 −1 activejob/lib/active_job/gem_version.rb
  22. +5 −0 activemodel/CHANGELOG.md
  23. +1 −1 activemodel/lib/active_model/gem_version.rb
  24. +5 −0 activerecord/CHANGELOG.md
  25. +1 −1 activerecord/lib/active_record/gem_version.rb
  26. +10 −0 activestorage/CHANGELOG.md
  27. +1 −0 activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
  28. +1 −0 activestorage/app/controllers/active_storage/representations/proxy_controller.rb
  29. +12 −0 activestorage/app/controllers/concerns/active_storage/disable_session.rb
  30. +1 −1 activestorage/lib/active_storage/gem_version.rb
  31. +1 −1 activestorage/package.json
  32. +5 −0 activesupport/CHANGELOG.md
  33. +1 −1 activesupport/lib/active_support/gem_version.rb
  34. +5 −0 guides/CHANGELOG.md
  35. +5 −0 railties/CHANGELOG.md
  36. +1 −1 railties/lib/rails/gem_version.rb
  37. +1 −1 version.rb
  38. +5,364 −5,400 yarn.lock
116 changes: 53 additions & 63 deletions Gemfile.lock
@@ -31,88 +31,88 @@ GIT
PATH
remote: .
specs:
actioncable (7.0.8)
actionpack (= 7.0.8)
activesupport (= 7.0.8)
actioncable (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (7.0.8)
actionpack (= 7.0.8)
activejob (= 7.0.8)
activerecord (= 7.0.8)
activestorage (= 7.0.8)
activesupport (= 7.0.8)
actionmailbox (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
mail (>= 2.7.1)
net-imap
net-pop
net-smtp
actionmailer (7.0.8)
actionpack (= 7.0.8)
actionview (= 7.0.8)
activejob (= 7.0.8)
activesupport (= 7.0.8)
actionmailer (7.0.8.1)
actionpack (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activesupport (= 7.0.8.1)
mail (~> 2.5, >= 2.5.4)
net-imap
net-pop
net-smtp
rails-dom-testing (~> 2.0)
actionpack (7.0.8)
actionview (= 7.0.8)
activesupport (= 7.0.8)
actionpack (7.0.8.1)
actionview (= 7.0.8.1)
activesupport (= 7.0.8.1)
rack (~> 2.0, >= 2.2.4)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (7.0.8)
actionpack (= 7.0.8)
activerecord (= 7.0.8)
activestorage (= 7.0.8)
activesupport (= 7.0.8)
actiontext (7.0.8.1)
actionpack (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
globalid (>= 0.6.0)
nokogiri (>= 1.8.5)
actionview (7.0.8)
activesupport (= 7.0.8)
actionview (7.0.8.1)
activesupport (= 7.0.8.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0)
activejob (7.0.8)
activesupport (= 7.0.8)
activejob (7.0.8.1)
activesupport (= 7.0.8.1)
globalid (>= 0.3.6)
activemodel (7.0.8)
activesupport (= 7.0.8)
activerecord (7.0.8)
activemodel (= 7.0.8)
activesupport (= 7.0.8)
activestorage (7.0.8)
actionpack (= 7.0.8)
activejob (= 7.0.8)
activerecord (= 7.0.8)
activesupport (= 7.0.8)
activemodel (7.0.8.1)
activesupport (= 7.0.8.1)
activerecord (7.0.8.1)
activemodel (= 7.0.8.1)
activesupport (= 7.0.8.1)
activestorage (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activesupport (= 7.0.8.1)
marcel (~> 1.0)
mini_mime (>= 1.1.0)
activesupport (7.0.8)
activesupport (7.0.8.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
tzinfo (~> 2.0)
rails (7.0.8)
actioncable (= 7.0.8)
actionmailbox (= 7.0.8)
actionmailer (= 7.0.8)
actionpack (= 7.0.8)
actiontext (= 7.0.8)
actionview (= 7.0.8)
activejob (= 7.0.8)
activemodel (= 7.0.8)
activerecord (= 7.0.8)
activestorage (= 7.0.8)
activesupport (= 7.0.8)
rails (7.0.8.1)
actioncable (= 7.0.8.1)
actionmailbox (= 7.0.8.1)
actionmailer (= 7.0.8.1)
actionpack (= 7.0.8.1)
actiontext (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activemodel (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
bundler (>= 1.15.0)
railties (= 7.0.8)
railties (7.0.8)
actionpack (= 7.0.8)
activesupport (= 7.0.8)
railties (= 7.0.8.1)
railties (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
method_source
rake (>= 12.2)
thor (~> 1.0)
@@ -375,10 +375,6 @@ GEM
nokogiri (1.14.0)
mini_portile2 (~> 2.8.0)
racc (~> 1.4)
nokogiri (1.14.0-x86_64-darwin)
racc (~> 1.4)
nokogiri (1.14.0-x86_64-linux)
racc (~> 1.4)
os (1.1.4)
parallel (1.22.1)
parser (3.2.0.0)
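Review bot: dropping the `nokogiri (1.14.0-x86_64-darwin)` and `nokogiri (1.14.0-x86_64-linux)` entries leaves only the `nokogiri (1.14.0)` ruby-platform entry, which carries the `mini_portile2 (~> 2.8.0)` dependency and therefore compiles the native extension from source on those platforms. If this is a side effect of regenerating the lockfile (the same pattern appears below in this file for `sqlite3` and `tailwindcss-rails`), restore the platforms with `bundle lock --add-platform x86_64-linux x86_64-darwin` so a security release does not also change how contributors install gems; if it is intentional, say so in the commit message.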
@@ -522,8 +518,6 @@ GEM
sprockets (>= 3.0.0)
sqlite3 (1.6.3)
mini_portile2 (~> 2.8.0)
sqlite3 (1.6.3-x86_64-darwin)
sqlite3 (1.6.3-x86_64-linux)
stackprof (0.2.23)
stimulus-rails (1.2.1)
railties (>= 6.0.0)
@@ -532,10 +526,6 @@ GEM
concurrent-ruby (~> 1.0)
tailwindcss-rails (2.0.21)
railties (>= 6.0.0)
tailwindcss-rails (2.0.21-x86_64-darwin)
railties (>= 6.0.0)
tailwindcss-rails (2.0.21-x86_64-linux)
railties (>= 6.0.0)
terser (1.1.13)
execjs (>= 0.3.0, < 3)
thin (1.8.1)
2 changes: 1 addition & 1 deletion RAILS_VERSION
@@ -1 +1 @@
7.0.8
7.0.8.1
5 changes: 5 additions & 0 deletions actioncable/CHANGELOG.md
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actioncable/lib/action_cable/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
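Review bot: `PRE = "1"` reuses the prerelease slot to produce the fourth version component of `7.0.8.1`. RubyGems orders a purely numeric fourth segment above `7.0.8`, so the gem sorts correctly, but the constant name now misdescribes what it holds; a one-line comment on `PRE` (or on `STRING`) saying that security patch releases append a numeric segment here would stop the next reader from assuming this is a prerelease build. The same applies to the other `gem_version.rb` hunks in this comparison.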
2 changes: 1 addition & 1 deletion actioncable/package.json
@@ -1,6 +1,6 @@
{
"name": "@rails/actioncable",
"version": "7.0.8",
"version": "7.0.8-1",
"description": "WebSocket framework for Ruby on Rails.",
"module": "app/assets/javascripts/actioncable.esm.js",
"main": "app/assets/javascripts/actioncable.js",
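Review bot: `"version": "7.0.8-1"` is a semver prerelease identifier, and npm orders `7.0.8-1` below `7.0.8`; a consumer on `"^7.0.8"` will not receive it, because ranges without a prerelease tag exclude prerelease versions. If npm users are meant to get this fix automatically, the package needs a version that sorts after `7.0.8` in npm semver, or the changelog should tell npm users to pin `7.0.8-1` explicitly. The same applies to the `@rails/actiontext` and `@rails/ujs` hunks below.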
5 changes: 5 additions & 0 deletions actionmailbox/CHANGELOG.md
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actionmailbox/lib/action_mailbox/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
5 changes: 5 additions & 0 deletions actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actionmailer/lib/action_mailer/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
6 changes: 6 additions & 0 deletions actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* Fix possible XSS vulnerability with the `translate` method in controllers

CVE-2024-26143

## Rails 7.0.8 (September 09, 2023) ##

* Fix `HostAuthorization` potentially displaying the value of the
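Review bot: the entry names the `translate` method and the CVE but not what is affected, so readers cannot judge their exposure from the changelog alone. The `translation.rb` hunk in this same comparison escapes String values passed via `default:` and returns the missing-translation message as a plain, non-html_safe String for `.html` keys; a clause such as "when a `default:` string or a missing `.html` key is rendered" would make the entry actionable.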
24 changes: 23 additions & 1 deletion actionpack/lib/abstract_controller/translation.rb
@@ -25,7 +25,25 @@ def translate(key, **options)

i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)

ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
if options[:default]
options[:default] = [options[:default]] unless options[:default].is_a?(Array)
options[:default] = options[:default].map do |value|
value.is_a?(String) ? ERB::Util.html_escape(value) : value
end
end

unless i18n_raise
options[:default] = [] unless options[:default]
options[:default] << MISSING_TRANSLATION
end

result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)

if result == MISSING_TRANSLATION
+"translation missing: #{key}"
else
result
end
end
alias :t :translate

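Review bot: the `default:` escaping at the top of the hunk is unconditional: every String default goes through `ERB::Util.html_escape` whether or not `key` ends in `.html`/`_html`, and the escaped value comes back as an html_safe string even for a non-HTML key (the new `test_default_translation_as_safe_html` asserts exactly that for `.twoz`). Controller code that uses `t` for non-HTML output (flash text, JSON responses, log lines) will now receive entity-encoded text such as `&lt;tag&gt;`. Since the key-suffix check already lives in `ActiveSupport::HtmlSafeTranslation`, apply the escape only for HTML keys (or move it inside `HtmlSafeTranslation.translate`, where the key is known), and add a test with a non-HTML key and a String default to pin the intended behaviour. The sentinel part of the hunk reads correctly: `MISSING_TRANSLATION` is appended only when `i18n_raise` is false, so the raising path is unchanged, and `+"translation missing: #{key}"` returns an unfrozen plain String rather than an html_safe one, which is the fix for the `.html` key case.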
@@ -34,5 +52,9 @@ def localize(object, **options)
I18n.localize(object, **options)
end
alias :l :localize

private
MISSING_TRANSLATION = -(2**60)
private_constant :MISSING_TRANSLATION
end
end
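Review bot: the `private` keyword directly above `MISSING_TRANSLATION` has no effect on constants (which is why `private_constant` is needed), so the layout reads as if it did; either place the constant above `private` or add a comment. The comment should also state the contract the sentinel relies on, presumably that I18n returns a non-Symbol, non-Proc default unchanged, so the caller can detect a missing key without raising; as written, a reader has to infer why `-(2**60)` was chosen over any other unique object.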
2 changes: 1 addition & 1 deletion actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
31 changes: 31 additions & 0 deletions actionpack/test/abstract/translation_test.rb
@@ -93,6 +93,22 @@ def test_default_translation
end
end

def test_default_translation_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t(".twoz", default: ["<tag>"])
assert_equal "&lt;tag&gt;", translation
assert_equal true, translation.html_safe?
end
end

def test_default_translation_with_raise_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
assert_equal "&lt;tag&gt;", translation
assert_equal true, translation.html_safe?
end
end

def test_localize
time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
I18n.stub :localize, expected do
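Review bot: both new tests pass `default:` as a one-element Array; there is no case for a bare String default (`default: "<tag>"`), which is what exercises the `unless options[:default].is_a?(Array)` wrapping branch in `translation.rb`, and no case for a Symbol default, which must not be escaped because I18n resolves it as a key. Also, `.twoz` is not an HTML key, yet the test asserts the escaped result is `html_safe?`; if that is the intended contract it deserves a comment in the test, since it means `t` with a String default returns entity-encoded text to callers that never render HTML.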
@@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
assert_equal true, translation.html_safe?
end
end

def test_translate_marks_translation_with_missing_html_key_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t("<tag>.html")
assert_equal "translation missing: <tag>.html", translation
assert_equal false, translation.html_safe?
end
end
def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
@controller.stub :action_name, :index do
translation = @controller.t(".<tag>.html")
assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
assert_equal false, translation.html_safe?
end
end
end
end
end
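Review bot: both test names end in `..._as_safe_html` but both assert `html_safe?` is `false`; rename them along the lines of `test_translate_does_not_mark_missing_html_key_translation_as_safe_html` so the name matches the assertion. Style: there is no blank line between the `end` of the first test and `def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html`, unlike the other test methods in this file.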
5 changes: 5 additions & 0 deletions actiontext/CHANGELOG.md
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* No changes.
2 changes: 1 addition & 1 deletion actiontext/lib/action_text/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
2 changes: 1 addition & 1 deletion actiontext/package.json
@@ -1,6 +1,6 @@
{
"name": "@rails/actiontext",
"version": "7.0.8",
"version": "7.0.8-1",
"description": "Edit and display rich text in Rails applications",
"main": "app/assets/javascripts/actiontext.js",
"type": "module",
5 changes: 5 additions & 0 deletions actionview/CHANGELOG.md
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* Fix `form_for` missing the hidden `_method` input for models with a
2 changes: 1 addition & 1 deletion actionview/lib/action_view/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
MAJOR = 7
MINOR = 0
TINY = 8
PRE = nil
PRE = "1"

STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
2 changes: 1 addition & 1 deletion actionview/package.json
@@ -1,6 +1,6 @@
{
"name": "@rails/ujs",
"version": "7.0.8",
"version": "7.0.8-1",
"description": "Ruby on Rails unobtrusive scripting adapter",
"main": "lib/assets/compiled/rails-ujs.js",
"files": [
5 changes: 5 additions & 0 deletions activejob/CHANGELOG.md
@@ -1,3 +1,8 @@
## Rails 7.0.8.1 (February 21, 2024) ##

* No changes.


## Rails 7.0.8 (September 09, 2023) ##

* Fix Active Job log message to correctly report a job failed to enqueue