Update dependency rails to v6.1.7.7 (main) #138
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![mend-for-github-com[bot]](https://avatars.githubusercontent.com/in/30796?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.1.3.2->6.1.7.7By merging this PR, the issue #124 will be automatically resolved and closed:
Release Notes
rails/rails (rails)
v6.1.7.7: 6.1.7.7Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Disables the session in
ActiveStorage::Blobs::ProxyControllerand
ActiveStorage::Representations::ProxyControllerin order to allow caching by default in some CDNs as CloudFlare
Fixes #44136
Bruno Prieto
Action Mailbox
Action Text
Railties
v6.1.7.6Compare Source
No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.
v6.1.7.5: 6.1.7.5 ReleaseCompare Source
Active Support
Use a temporary file for storing unencrypted files while editing
[CVE-2023-38037]
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.4Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]
Zack Deveau
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.3Compare Source
Active Support
Implement SafeBuffer#bytesplice
[CVE-2023-28120]
Active Model
Active Record
Action View
Ignore certain data-* attributes in rails-ujs when element is contenteditable
[CVE-2023-23913]
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.2Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Fix
domain: :allfor two letter TLDThis fixes a compatibility issue introduced in our previous security
release when using
domain: :allwith a two letter but single level toplevel domain domain (like
.ca, rather than.co.uk).Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.1Compare Source
Active Support
Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
Active Model
Active Record
Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
Action View
Action Pack
Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
Use string#split instead of regex for domain parts
[CVE-2023-22792]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7Compare Source
Active Support
Active Model
Active Record
Symbol is allowed by default for YAML columns
Étienne Barrié
Fix
ActiveRecord::Storeto serialize as a regular HashPreviously it would serialize as an
ActiveSupport::HashWithIndifferentAccesswhich is wasteful and cause problem with YAML safe_load.
Jean Boussier
Fix PG.connect keyword arguments deprecation warning on ruby 2.7
Fixes #44307.
Nikita Vasilevsky
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.
fatkodima
Action Mailbox
Action Text
Railties
v6.1.6.1: 6.1.6.1Compare Source
Active Support
Active Model
Active Record
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:
config.active_storage.use_yaml_unsafe_loadWhen set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.
config.active_record.yaml_column_permitted_classesThe "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:
[CVE-2022-32224]
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.6: 6.1.6Compare Source
Active Support
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Add the method
ERB::Util.xml_name_escapeto escape dangerous charactersin names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributesto:escape, to simplify by applying the option to thewhole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.5.1: 6.1.5.1Compare Source
Active Support
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Add the method
ERB::Util.xml_name_escapeto escape dangerous charactersin names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributesto:escape, to simplify by applying the option to thewhole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v6.1.5: 6.1.5Compare Source
Active Support
Fix
ActiveSupport::Duration.buildto support negative values.The algorithm to collect the
partsof theActiveSupport::Durationignored the sign of the
valueand accumulated incorrect part values. Thisimpacted
ActiveSupport::Duration#sum(which is dependent onparts) butnot
ActiveSupport::Duration#eql?(which is dependent onvalue).Caleb Buxton, Braden Staudacher
Time#changeand methods that call it (eg.Time#advance) will nowreturn a
Timewith the timezone argument provided, if the caller wasinitialized with a timezone argument.
Fixes #42467.
Alex Ghiculescu
Clone to keep extended Logger methods for tagged logger.
Orhan Toy
assert_changesworks on includingActiveSupport::Assertionsmodule.Pedro Medeiros
Active Model
Clear secure password cache if password is set to
nilBefore:
user.password = 'something'
user.password = nil
user.password # => 'something'
Now:
user.password = 'something'
user.password = nil
user.password # => nil
Markus Doits
Fix delegation in
ActiveModel::Type::Registry#lookupandActiveModel::Type.lookupPassing a last positional argument
{}would be incorrectly considered as keyword argument.Benoit Daloze
Fix
to_jsonafterchanges_appliedforActiveModel::Dirtyobject.Ryuta Kamizono
Active Record
Fix
ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicatefor Ruby 2.6.Ruby 2.6 and 2.7 have slightly different implementations of the
String#@​-method.In Ruby 2.6, the receiver of the
String#@​-method is modified under certain circumstances.This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
fixed in Ruby 2.7.
Before the changes in this commit, the
ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicatemethod, which internallycalls the
String#@​-method, could also modify an input string argument in Ruby 2.6 --changing a tainted, unfrozen string into a tainted, frozen string.
Fixes #43056
Eric O'Hanlon
Fix migration compatibility to create SQLite references/belongs_to column as integer when
migration version is 6.0.
reference/belongs_toin migrations with version 6.0 were creating columns asbigint instead of integer for the SQLite Adapter.
Marcelo Lauxen
Fix dbconsole for 3-tier config.
Eileen M. Uchitelle
Better handle SQL queries with invalid encoding.
Would cause all adapters to fail in a non controlled way in the code
responsible to detect write queries.
The query is now properly passed to the database connection, which might or might
not be able to handle it, but will either succeed or failed in a more correct way.
Jean Boussier
Ignore persisted in-memory records when merging target lists.
Kevin Sjöberg
Fix regression bug that caused ignoring additional conditions for preloading
has_manythrough relations.Fixes #43132
Alexander Pauly
Fix
ActiveRecord::InternalMetadatato not be broken byconfig.active_record.record_timestamps = falseSince the model always create the timestamp columns, it has to set them, otherwise it breaks
various DB management tasks.
Fixes #42983
Jean Boussier
Fix duplicate active record objects on
inverse_of.Justin Carvalho
Fix duplicate objects stored in has many association after save.
Fixes #42549.
Alex Ghiculescu
Fix performance regression in
CollectionAssocation#build.Alex Ghiculescu
Fix retrieving default value for text column for MariaDB.
fatkodima
Action View
preload_link_tagproperly insertsasattributes for files withimageMIMEtypes, such as JPG or SVG.
Nate Berkopec
Add
autocomplete="off"to all generated hidden fields.Fixes #42610.
Ryan Baumann
Fix
current_page?when URL has trailing slash.This fixes the
current_page?helper when the given URL has a trailing slash,and is an absolute URL or also has query params.
Fixes #33956.
Jonathan Hefner
Action Pack
Fix
content_security_policyreturning invalid directives.Directives such as
self,unsafe-evaland few others were notsingle quoted when the directive was the result of calling a lambda
returning an array.
With this fix the policy generated from above will now be valid.
Edouard Chin
Update
HostAuthorizationmiddleware to render debug info onlywhen
config.consider_all_requests_localis set to true.Also, blocked host info is always logged with level
error.Fixes #42813.
Nikita Vyrko
Dup arrays that get "converted".
Fixes #43681.
Aaron Patterson
Don't show deprecation warning for equal paths.
Anton Rieder
Fix crash in
ActionController::Instrumentationwith invalid HTTP formats.Fixes #43094.
Alex Ghiculescu
Add fallback host for SystemTestCase driven by RackTest.
Fixes #42780.
Petrik de Heus
Add more detail about what hosts are allowed.
Alex Ghiculescu
Active Job
Action Mailer
Action Cable
The Action Cable client now ensures successful channel subscriptions:
the server confirms the subscription or the channel is torn down.
by a subscribe (on the same channel identifier) and the requests are
handled out of order by the ActionCable server, thereby ignoring the
subscribe command.
Daniel Spinosa
Truncate broadcast logging messages.
J Smith
Active Storage
Attachments can be deleted after their association is no longer defined.
Fixes #42514
Don Sisco
Action Mailbox
Add
attachmentsto the list of permitted parameters for inbound emails conductor.When using the conductor to test inbound emails with attachments, this prevents an
unpermitted parameter warning in default configurations, and prevents errors for
applications that set:
David Jones, Dana Henke
Action Text
Fix Action Text extra trix content wrapper.
Alexandre Ruban
Railties
In
zeitwerkmode, setup theonceautoloader first, and themainautoloader after it.This order plays better with shared namespaces.
Xavier Noria
Handle paths with spaces when editing credentials.
Alex Ghiculescu
Support Psych 4 when loading secrets.
Nat Morcos
v6.1.4.7: 6.1.4.7Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Action Mailbox
Action Text
Railties
v6.1.4.6: 6.1.4.6Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.5: 6.1.4.5Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request
[CVE-2022-23633]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.4: 6.1.4.4Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.3: 6.1.4.3Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Allow localhost with a port by default in development
[Fixes: #43864]
v6.1.4.2: 6.1.4.2Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.1Compare Source
v6.1.4: 6.1.4Compare Source
Active Support
MemCacheStore: convert any underlying value (including
false) to anEntry.See #42559.
Alex Ghiculescu
Fix bug in
number_with_precisionwhen using largeBigDecimalvalues.Fixes #42302.
Federico Aldunate, Zachary Scott
Check byte size instead of length on
secure_compare.Tietew
Fix
Time.atto not lose:inoption.Ryuta Kamizono
Require a path for
config.cache_store = :file_store.Alex Ghiculescu
Avoid having to store complex object in the default translation file.
Rafael Mendonça França
Active Model
Fix
to_jsonforActiveModel::Dirtyobject.Exclude +mutations_from_database+ attribute from json as it lead to recursion.
Anil Maurya
Active Record
Do not try to rollback transactions that failed due to a
ActiveRecord::TransactionRollbackError.Jamie McCarthy
Raise an error if
pool_configisnilinset_pool_config.Eileen M. Uchitelle
Fix compatibility with
psych >= 4.Starting in Psych 4.0.0
YAML.loadbehaves likeYAML.safe_load. To preserve compatibilityActive Record's schema cache loader and
YAMLColumnnow usesYAML.unsafe_loadif available.Jean Boussier
Support using replicas when using
rails dbconsole.Christopher Thornton
Restore connection pools after transactional tests.
Eugene Kenny
Change
upsert_allto fails cleanly for MySQL when:unique_byis used.Bastian Bartmann
Fix user-defined
self.default_scopeto respect table alias.Ryuta Kamizono
Clear
@cache_keyscache afterupdate_all,delete_all,destroy_all.Ryuta Kamizono
Changed Arel predications
containsandoverlapsto usequoted_nodeso that PostgreSQL arrays are quoted properly.Bradley Priest
Fix
mergewhen thewhereclauses have string contents.Ryuta Kamizono
Fix rollback of parent destruction with nested
dependent: :destroy.Jacopo Beschi
Fix binds logging for
"WHERE ... IN ..."statements.Ricardo Díaz
Handle
falsein relation strict loading checks.Previously when a model had strict loading set to true and then had a
relation set
strict_loadingto false the false wasn't considered whendeciding whether to raise/warn about strict loading.
In the example,
dog.treatswould still raise even thoughstrict_loadingwas set to false. This is a bug effecting more thanActive Storage which is why I made this PR superceeding #41461. We need
to fix this for all applications since the behavior is a little
surprising. I took the test from ##41461 and the code suggestion from #41453
with some additions.
Eileen M. Uchitelle, Radamés Roriz
Fix numericality validator without precision.
Ryuta Kamizono
Fix aggregate attribute on Enum types.
Ryuta Kamizono
Fix
CREATE INDEXstatement generation for PostgreSQL.eltongo
Fix where clause on enum attribute when providing array of strings.
Ryuta Kamizono
Fix
unprepared_statementto work it when nesting.Ryuta Kamizono
Action View
The
translatehelper now passesdefaultvalues that aren'ttranslation keys through
I18n.translatefor interpolation.Jonathan Hefner
Don't attach UJS form submission handlers to Turbo forms.
David Heinemeier Hansson
Allow both
current_page?(url_hash)andcurrent_page?(**url_hash)on Ruby 2.7.Ryuta Kamizono
Action Pack
Ignore file fixtures on
db:fixtures:loadKevin Sjöberg
Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
Dylan Thacker-Smith
Correctly place optional path parameter booleans.
Previously, if you specify a url parameter that is part of the path as false it would include that part
of the path as parameter for example:
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
Adam Hess
Add support for 'private, no-store' Cache-Control headers.
Previously, 'no-store' was exclusive; no other directives could be specified.
Alex Smith
Active Job
Action Mailer
Action Cable
Fix
ArgumentErrorwith ruby 3.0 onRemoteConnection#disconnect.Vladislav
Active Storage
The parameters sent to
ffmpegfor generating a video preview image are nowconfigurable under
config.active_storage.video_preview_arguments.Brendon Muir
Fix Active Storage update task when running in an engine.
Justin Malčić*
Don't raise an error if the mime type is not recognized.
Fixes #41777.
Alex Ghiculescu
ActiveStorage::PreviewErroris raised when a previewer is unable to generate a preview image.Alex Robbin
respond with 404 given invalid variation key when asking for representations.
George Claghorn
Blobcreation shouldn't crash if no service selected.Alex Ghiculescu
Action Mailbox
Action Text
Always render attachment partials as HTML with
:htmlformat inside trix editor.James Brooks
Railties
Fix compatibility with
psych >= 4.Starting in Psych 4.0.0
YAML.loadbehaves likeYAML.safe_load. To preserve compatibilityRails.application.config_fornow usesYAML.unsafe_loadif available.Jean Boussier
Ensure
Rails.application.config_foralways cast hashes toActiveSupport::OrderedOptions.Jean Boussier
Fix create migration generator with
--pretendoption.euxx