Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.2.3→7.2.3.1Release Notes
rails/rails (rails)
v7.2.3.1: 7.2.3.1Compare Source
Active Support
Reject scientific notation in NumberConverter
[CVE-2026-33176]
Jean Boussier
Fix
SafeBuffer#%to preserve unsafe status[CVE-2026-33170]
Jean Boussier
Improve performance of NumberToDelimitedConverter
[CVE-2026-33169]
Jean Boussier
Active Model
Active Record
Action View
Skip blank attribute names in tag helpers to avoid generating invalid HTML.
[CVE-2026-33168]
Mike Dalessio
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Filter user supplied metadata in DirectUploadController
[CVE-2026-33173]
Jean Boussier
Configurable maxmimum streaming chunk size
Makes sure that byte ranges for blobs don't exceed 100mb by default.
Content ranges that are too big can result in denial of service.
[CVE-2026-33174]
Gannon McGibbon
Limit range requests to a single range
[CVE-2026-33658]
Jean Boussier
Prevent path traversal in
DiskService.DiskService#path_fornow raises anInvalidKeyErrorwhen passed keys with dot segments (".",".."), or if the resolved path is outside the storage root directory.
#path_foralso now consistently raisesInvalidKeyErrorif the key is invalid in any way, forexample containing null bytes or having an incompatible encoding. Previously, the exception
raised may have been
ArgumentErrororEncoding::CompatibilityError.DiskControllernow explicitly rescuesInvalidKeyErrorwith appropriate HTTP status codes.[CVE-2026-33195]
Mike Dalessio
Prevent glob injection in
DiskService#delete_prefixed.Escape glob metacharacters in the resolved path before passing to
Dir.glob.Note that this change breaks any existing code that is relying on
delete_prefixedto expandglob metacharacters. This change presumes that is unintended behavior (as other storage services
do not respect these metacharacters).
[CVE-2026-33202]
Mike Dalessio
Action Mailbox
Action Text
Railties
Guides
Configuration
📅 Schedule: Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.