Update dependency rails to v6.1.7.9 #115
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/ruby-on-rails-packages
branch
from
3b5df8e
to
1cc517a
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.1.4.1->6.1.7.9Release Notes
rails/rails (rails)
v6.1.7.9: 6.1.7.9Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Avoid regex backtracking in HTTP Token authentication
[CVE-2024-47887]
Avoid regex backtracking in query parameter filtering
[CVE-2024-41128]
Active Job
Action Mailer
Avoid regex backtracking in
block_formathelper[CVE-2024-47889]
Action Cable
Active Storage
Action Mailbox
Action Text
Avoid backtracing in plain_text_for_blockquote_node
[CVE-2024-47888]
Railties
Guides
v6.1.7.8: 6.1.7.8Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
[CVE-2024-28103]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.7: 6.1.7.7Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Disables the session in
ActiveStorage::Blobs::ProxyControllerand
ActiveStorage::Representations::ProxyControllerin order to allow caching by default in some CDNs as CloudFlare
Fixes #44136
Bruno Prieto
Action Mailbox
Action Text
Railties
v6.1.7.6Compare Source
No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.
v6.1.7.5: 6.1.7.5 ReleaseCompare Source
Active Support
Use a temporary file for storing unencrypted files while editing
[CVE-2023-38037]
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.4Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]
Zack Deveau
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.3Compare Source
Active Support
Implement SafeBuffer#bytesplice
[CVE-2023-28120]
Active Model
Active Record
Action View
Ignore certain data-* attributes in rails-ujs when element is contenteditable
[CVE-2023-23913]
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.2Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Fix
domain: :allfor two letter TLDThis fixes a compatibility issue introduced in our previous security
release when using
domain: :allwith a two letter but single level toplevel domain domain (like
.ca, rather than.co.uk).Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.1Compare Source
Active Support
Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
Active Model
Active Record
Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
Action View
Action Pack
Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
Use string#split instead of regex for domain parts
[CVE-2023-22792]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7Compare Source
Active Support
Active Model
Active Record
Symbol is allowed by default for YAML columns
Étienne Barrié
Fix
ActiveRecord::Storeto serialize as a regular HashPreviously it would serialize as an
ActiveSupport::HashWithIndifferentAccesswhich is wasteful and cause problem with YAML safe_load.
Jean Boussier
Fix PG.connect keyword arguments deprecation warning on ruby 2.7
Fixes #44307.
Nikita Vasilevsky
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.
fatkodima
Action Mailbox
Action Text
Railties
v6.1.6.1: 6.1.6.1Compare Source
Active Support
Active Model
Active Record
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:
config.active_storage.use_yaml_unsafe_loadWhen set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.
config.active_record.yaml_column_permitted_classesThe "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:
[CVE-2022-32224]
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.6: 6.1.6Compare Source
Active Support
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Add the method
ERB::Util.xml_name_escapeto escape dangerous charactersin names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributesto:escape, to simplify by applying the option to thewhole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.5.1: 6.1.5.1Compare Source
Active Support
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Add the method
ERB::Util.xml_name_escapeto escape dangerous charactersin names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributesto:escape, to simplify by applying the option to thewhole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v6.1.5: 6.1.5Compare Source
Active Support
Fix
ActiveSupport::Duration.buildto support negative values.The algorithm to collect the
partsof theActiveSupport::Durationignored the sign of the
valueand accumulated incorrect part values. Thisimpacted
ActiveSupport::Duration#sum(which is dependent onparts) butnot
ActiveSupport::Duration#eql?(which is dependent onvalue).Caleb Buxton, Braden Staudacher
Time#changeand methods that call it (eg.Time#advance) will nowreturn a
Timewith the timezone argument provided, if the caller wasinitialized with a timezone argument.
Fixes #42467.
Alex Ghiculescu
Clone to keep extended Logger methods for tagged logger.
Orhan Toy
assert_changesworks on includingActiveSupport::Assertionsmodule.Pedro Medeiros
Active Model
Clear secure password cache if password is set to
nilBefore:
user.password = 'something'
user.password = nil
user.password # => 'something'
Now:
user.password = 'something'
user.password = nil
user.password # => nil
Markus Doits
Fix delegation in
ActiveModel::Type::Registry#lookupandActiveModel::Type.lookupPassing a last positional argument
{}would be incorrectly considered as keyword argument.Benoit Daloze
Fix
to_jsonafterchanges_appliedforActiveModel::Dirtyobject.Ryuta Kamizono
Active Record
Fix
ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicatefor Ruby 2.6.Ruby 2.6 and 2.7 have slightly different implementations of the
String#@​-method.In Ruby 2.6, the receiver of the
String#@​-method is modified under certain circumstances.This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
fixed in Ruby 2.7.
Before the changes in this commit, the
ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicatemethod, which internallycalls the
String#@​-method, could also modify an input string argument in Ruby 2.6 --changing a tainted, unfrozen string into a tainted, frozen string.
Fixes #43056
Eric O'Hanlon
Fix migration compatibility to create SQLite references/belongs_to column as integer when
migration version is 6.0.
reference/belongs_toin migrations with version 6.0 were creating columns asbigint instead of integer for the SQLite Adapter.
Marcelo Lauxen
Fix dbconsole for 3-tier config.
Eileen M. Uchitelle
Better handle SQL queries with invalid encoding.
Would cause all adapters to fail in a non controlled way in the code
responsible to detect write queries.
The query is now properly passed to the database connection, which might or might
not be able to handle it, but will either succeed or failed in a more correct way.
Jean Boussier
Ignore persisted in-memory records when merging target lists.
Kevin Sjöberg
Fix regression bug that caused ignoring additional conditions for preloading
has_manythrough relations.Fixes #43132
Alexander Pauly
Fix
ActiveRecord::InternalMetadatato not be broken byconfig.active_record.record_timestamps = falseSince the model always create the timestamp columns, it has to set them, otherwise it breaks
various DB management tasks.
Fixes #42983
Jean Boussier
Fix duplicate active record objects on
inverse_of.Justin Carvalho
Fix duplicate objects stored in has many association after save.
Fixes #42549.
Alex Ghiculescu
Fix performance regression in
CollectionAssocation#build.Alex Ghiculescu
Fix retrieving default value for text column for MariaDB.
fatkodima
Action View
preload_link_tagproperly insertsasattributes for files withimageMIMEtypes, such as JPG or SVG.
Nate Berkopec
Add
autocomplete="off"to all generated hidden fields.Fixes #42610.
Ryan Baumann
Fix
current_page?when URL has trailing slash.This fixes the
current_page?helper when the given URL has a trailing slash,and is an absolute URL or also has query params.
Fixes #33956.
Jonathan Hefner
Action Pack
Fix
content_security_policyreturning invalid directives.Directives such as
self,unsafe-evaland few others were notsingle quoted when the directive was the result of calling a lambda
returning an array.
With this fix the policy generated from above will now be valid.
Edouard Chin
Update
HostAuthorizationmiddleware to render debug info onlywhen
config.consider_all_requests_localis set to true.Also, blocked host info is always logged with level
error.Fixes #42813.
Nikita Vyrko
Dup arrays that get "converted".
Fixes #43681.
Aaron Patterson
Don't show deprecation warning for equal paths.
Anton Rieder
Fix crash in
ActionController::Instrumentationwith invalid HTTP formats.Fixes #43094.
Alex Ghiculescu
Add fallback host for SystemTestCase driven by RackTest.
Fixes #42780.
Petrik de Heus
Add more detail about what hosts are allowed.
Alex Ghiculescu
Active Job
Action Mailer
Action Cable
The Action Cable client now ensures successful channel subscriptions:
the server confirms the subscription or the channel is torn down.
by a subscribe (on the same channel identifier) and the requests are
handled out of order by the ActionCable server, thereby ignoring the
subscribe command.
Daniel Spinosa
Truncate broadcast logging messages.
J Smith
Active Storage
Attachments can be deleted after their association is no longer defined.
Fixes #42514
Don Sisco
Action Mailbox
Add
attachmentsto the list of permitted parameters for inbound emails conductor.When using the conductor to test inbound emails with attachments, this prevents an
unpermitted parameter warning in default configurations, and prevents errors for
applications that set:
David Jones, Dana Henke
Action Text
Fix Action Text extra trix content wrapper.
Alexandre Ruban
Railties
In
zeitwerkmode, setup theonceautoloader first, and themainautoloader after it.This order plays better with shared namespaces.
Xavier Noria
Handle paths with spaces when editing credentials.
Alex Ghiculescu
Support Psych 4 when loading secrets.
Nat Morcos
v6.1.4.7: 6.1.4.7Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Action Mailbox
Action Text
Railties
v6.1.4.6: 6.1.4.6Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.5: 6.1.4.5Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request
[CVE-2022-23633]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.4: 6.1.4.4Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.3: 6.1.4.3Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Allow localhost with a port by default in development
[Fixes: #43864]
v6.1.4.2: 6.1.4.2Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.