Update dependency rails to v6.1.7.8 - autoclosed #108
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.1.4.1
->6.1.7.8
Release Notes
rails/rails (rails)
v6.1.7.8
Compare Source
v6.1.7.7
: 6.1.7.7Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Disables the session in
ActiveStorage::Blobs::ProxyController
and
ActiveStorage::Representations::ProxyController
in order to allow caching by default in some CDNs as CloudFlare
Fixes #44136
Bruno Prieto
Action Mailbox
Action Text
Railties
v6.1.7.6
Compare Source
No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.
v6.1.7.5
: 6.1.7.5 ReleaseCompare Source
Active Support
Use a temporary file for storing unencrypted files while editing
[CVE-2023-38037]
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.4
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]
Zack Deveau
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.3
Compare Source
Active Support
Implement SafeBuffer#bytesplice
[CVE-2023-28120]
Active Model
Active Record
Action View
Ignore certain data-* attributes in rails-ujs when element is contenteditable
[CVE-2023-23913]
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.2
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Fix
domain: :all
for two letter TLDThis fixes a compatibility issue introduced in our previous security
release when using
domain: :all
with a two letter but single level toplevel domain domain (like
.ca
, rather than.co.uk
).Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.1
Compare Source
Active Support
Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
Active Model
Active Record
Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
Action View
Action Pack
Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
Use string#split instead of regex for domain parts
[CVE-2023-22792]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7
Compare Source
Active Support
Active Model
Active Record
Symbol is allowed by default for YAML columns
Étienne Barrié
Fix
ActiveRecord::Store
to serialize as a regular HashPreviously it would serialize as an
ActiveSupport::HashWithIndifferentAccess
which is wasteful and cause problem with YAML safe_load.
Jean Boussier
Fix PG.connect keyword arguments deprecation warning on ruby 2.7
Fixes #44307.
Nikita Vasilevsky
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.
fatkodima
Action Mailbox
Action Text
Railties
v6.1.6.1
: 6.1.6.1Compare Source
Active Support
Active Model
Active Record
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:
config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.
config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:
[CVE-2022-32224]
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.6
: 6.1.6Compare Source
Active Support
Fix and add protections for XSS in
ActionView::Helpers
andERB::Util
.Add the method
ERB::Util.xml_name_escape
to escape dangerous charactersin names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in
ActionView::Helpers
andERB::Util
.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributes
to:escape
, to simplify by applying the option to thewhole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.5.1
: 6.1.5.1Compare Source
Active Support
Fix and add protections for XSS in
ActionView::Helpers
andERB::Util
.Add the method
ERB::Util.xml_name_escape
to escape dangerous charactersin names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in
ActionView::Helpers
andERB::Util
.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributes
to:escape
, to simplify by applying the option to thewhole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v6.1.5
: 6.1.5Compare Source
Active Support
Fix
ActiveSupport::Duration.build
to support negative values.The algorithm to collect the
parts
of theActiveSupport::Duration
ignored the sign of the
value
and accumulated incorrect part values. Thisimpacted
ActiveSupport::Duration#sum
(which is dependent onparts
) butnot
ActiveSupport::Duration#eql?
(which is dependent onvalue
).Caleb Buxton, Braden Staudacher
Time#change
and methods that call it (eg.Time#advance
) will nowreturn a
Time
with the timezone argument provided, if the caller wasinitialized with a timezone argument.
Fixes #42467.
Alex Ghiculescu
Clone to keep extended Logger methods for tagged logger.
Orhan Toy
assert_changes
works on includingActiveSupport::Assertions
module.Pedro Medeiros
Active Model
Clear secure password cache if password is set to
nil
Before:
user.password = 'something'
user.password = nil
user.password # => 'something'
Now:
user.password = 'something'
user.password = nil
user.password # => nil
Markus Doits
Fix delegation in
ActiveModel::Type::Registry#lookup
andActiveModel::Type.lookup
Passing a last positional argument
{}
would be incorrectly considered as keyword argument.Benoit Daloze
Fix
to_json
afterchanges_applied
forActiveModel::Dirty
object.Ryuta Kamizono
Active Record
Fix
ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate
for Ruby 2.6.Ruby 2.6 and 2.7 have slightly different implementations of the
String#@​-
method.In Ruby 2.6, the receiver of the
String#@​-
method is modified under certain circumstances.This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
fixed in Ruby 2.7.
Before the changes in this commit, the
ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate
method, which internallycalls the
String#@​-
method, could also modify an input string argument in Ruby 2.6 --changing a tainted, unfrozen string into a tainted, frozen string.
Fixes #43056
Eric O'Hanlon
Fix migration compatibility to create SQLite references/belongs_to column as integer when
migration version is 6.0.
reference
/belongs_to
in migrations with version 6.0 were creating columns asbigint instead of integer for the SQLite Adapter.
Marcelo Lauxen
Fix dbconsole for 3-tier config.
Eileen M. Uchitelle
Better handle SQL queries with invalid encoding.
Would cause all adapters to fail in a non controlled way in the code
responsible to detect write queries.
The query is now properly passed to the database connection, which might or might
not be able to handle it, but will either succeed or failed in a more correct way.
Jean Boussier
Ignore persisted in-memory records when merging target lists.
Kevin Sjöberg
Fix regression bug that caused ignoring additional conditions for preloading
has_many
through relations.Fixes #43132
Alexander Pauly
Fix
ActiveRecord::InternalMetadata
to not be broken byconfig.active_record.record_timestamps = false
Since the model always create the timestamp columns, it has to set them, otherwise it breaks
various DB management tasks.
Fixes #42983
Jean Boussier
Fix duplicate active record objects on
inverse_of
.Justin Carvalho
Fix duplicate objects stored in has many association after save.
Fixes #42549.
Alex Ghiculescu
Fix performance regression in
CollectionAssocation#build
.Alex Ghiculescu
Fix retrieving default value for text column for MariaDB.
fatkodima
Action View
preload_link_tag
properly insertsas
attributes for files withimage
MIMEtypes, such as JPG or SVG.
Nate Berkopec
Add
autocomplete="off"
to all generated hidden fields.Fixes #42610.
Ryan Baumann
Fix
current_page?
when URL has trailing slash.This fixes the
current_page?
helper when the given URL has a trailing slash,and is an absolute URL or also has query params.
Fixes #33956.
Jonathan Hefner
Action Pack
Fix
content_security_policy
returning invalid directives.Directives such as
self
,unsafe-eval
and few others were notsingle quoted when the directive was the result of calling a lambda
returning an array.
With this fix the policy generated from above will now be valid.
Edouard Chin
Update
HostAuthorization
middleware to render debug info onlywhen
config.consider_all_requests_local
is set to true.Also, blocked host info is always logged with level
error
.Fixes #42813.
Nikita Vyrko
Dup arrays that get "converted".
Fixes #43681.
Aaron Patterson
Don't show deprecation warning for equal paths.
Anton Rieder
Fix crash in
ActionController::Instrumentation
with invalid HTTP formats.Fixes #43094.
Alex Ghiculescu
Add fallback host for SystemTestCase driven by RackTest.
Fixes #42780.
Petrik de Heus
Add more detail about what hosts are allowed.
Alex Ghiculescu
Active Job
Action Mailer
Action Cable
The Action Cable client now ensures successful channel subscriptions:
the server confirms the subscription or the channel is torn down.
by a subscribe (on the same channel identifier) and the requests are
handled out of order by the ActionCable server, thereby ignoring the
subscribe command.
Daniel Spinosa
Truncate broadcast logging messages.
J Smith
Active Storage
Attachments can be deleted after their association is no longer defined.
Fixes #42514
Don Sisco
Action Mailbox
Add
attachments
to the list of permitted parameters for inbound emails conductor.When using the conductor to test inbound emails with attachments, this prevents an
unpermitted parameter warning in default configurations, and prevents errors for
applications that set:
David Jones, Dana Henke
Action Text
Fix Action Text extra trix content wrapper.
Alexandre Ruban
Railties
In
zeitwerk
mode, setup theonce
autoloader first, and themain
autoloader after it.This order plays better with shared namespaces.
Xavier Noria
Handle paths with spaces when editing credentials.
Alex Ghiculescu
Support Psych 4 when loading secrets.
Nat Morcos
v6.1.4.7
: 6.1.4.7Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Action Mailbox
Action Text
Railties
v6.1.4.6
: 6.1.4.6Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.5
: 6.1.4.5Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request
[CVE-2022-23633]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.4
: 6.1.4.4Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.3
: 6.1.4.3Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Allow localhost with a port by default in development
[Fixes: #43864]
v6.1.4.2
: 6.1.4.2Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.