Merge branch '7-0-sec' into 7-0-stable

* 7-0-sec:
  Preparing for 7.0.5.1 release
  update changelog
  Added check for illegal HTTP header value in redirect_to

Gemfile.lock

@@ -31,88 +31,88 @@ GIT
 PATH
   remote: .
   specs:
-    actioncable (7.0.5)
-      actionpack (= 7.0.5)
-      activesupport (= 7.0.5)
+    actioncable (7.0.5.1)
+      actionpack (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.5)
-      actionpack (= 7.0.5)
-      activejob (= 7.0.5)
-      activerecord (= 7.0.5)
-      activestorage (= 7.0.5)
-      activesupport (= 7.0.5)
+    actionmailbox (7.0.5.1)
+      actionpack (= 7.0.5.1)
+      activejob (= 7.0.5.1)
+      activerecord (= 7.0.5.1)
+      activestorage (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.5)
-      actionpack (= 7.0.5)
-      actionview (= 7.0.5)
-      activejob (= 7.0.5)
-      activesupport (= 7.0.5)
+    actionmailer (7.0.5.1)
+      actionpack (= 7.0.5.1)
+      actionview (= 7.0.5.1)
+      activejob (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (7.0.5)
-      actionview (= 7.0.5)
-      activesupport (= 7.0.5)
+    actionpack (7.0.5.1)
+      actionview (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       rack (~> 2.0, >= 2.2.4)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.5)
-      actionpack (= 7.0.5)
-      activerecord (= 7.0.5)
-      activestorage (= 7.0.5)
-      activesupport (= 7.0.5)
+    actiontext (7.0.5.1)
+      actionpack (= 7.0.5.1)
+      activerecord (= 7.0.5.1)
+      activestorage (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.5)
-      activesupport (= 7.0.5)
+    actionview (7.0.5.1)
+      activesupport (= 7.0.5.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.5)
-      activesupport (= 7.0.5)
+    activejob (7.0.5.1)
+      activesupport (= 7.0.5.1)
       globalid (>= 0.3.6)
-    activemodel (7.0.5)
-      activesupport (= 7.0.5)
-    activerecord (7.0.5)
-      activemodel (= 7.0.5)
-      activesupport (= 7.0.5)
-    activestorage (7.0.5)
-      actionpack (= 7.0.5)
-      activejob (= 7.0.5)
-      activerecord (= 7.0.5)
-      activesupport (= 7.0.5)
+    activemodel (7.0.5.1)
+      activesupport (= 7.0.5.1)
+    activerecord (7.0.5.1)
+      activemodel (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
+    activestorage (7.0.5.1)
+      actionpack (= 7.0.5.1)
+      activejob (= 7.0.5.1)
+      activerecord (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (7.0.5)
+    activesupport (7.0.5.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    rails (7.0.5)
-      actioncable (= 7.0.5)
-      actionmailbox (= 7.0.5)
-      actionmailer (= 7.0.5)
-      actionpack (= 7.0.5)
-      actiontext (= 7.0.5)
-      actionview (= 7.0.5)
-      activejob (= 7.0.5)
-      activemodel (= 7.0.5)
-      activerecord (= 7.0.5)
-      activestorage (= 7.0.5)
-      activesupport (= 7.0.5)
+    rails (7.0.5.1)
+      actioncable (= 7.0.5.1)
+      actionmailbox (= 7.0.5.1)
+      actionmailer (= 7.0.5.1)
+      actionpack (= 7.0.5.1)
+      actiontext (= 7.0.5.1)
+      actionview (= 7.0.5.1)
+      activejob (= 7.0.5.1)
+      activemodel (= 7.0.5.1)
+      activerecord (= 7.0.5.1)
+      activestorage (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       bundler (>= 1.15.0)
-      railties (= 7.0.5)
-    railties (7.0.5)
-      actionpack (= 7.0.5)
-      activesupport (= 7.0.5)
+      railties (= 7.0.5.1)
+    railties (7.0.5.1)
+      actionpack (= 7.0.5.1)
+      activesupport (= 7.0.5.1)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -362,7 +362,7 @@ GEM
       ruby2_keywords (~> 0.0.1)
     net-http-persistent (4.0.1)
       connection_pool (~> 2.2)
-    net-imap (0.3.4)
+    net-imap (0.3.6)
       date
       net-protocol
     net-pop (0.1.2)
@@ -407,8 +407,9 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.5.0)
-      loofah (~> 2.19, >= 2.19.1)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
     rainbow (3.1.1)
     rake (13.0.6)
     rb-fsevent (0.11.2)
@@ -539,7 +540,7 @@ GEM
       rack (>= 1, < 3)
     thor (1.2.1)
     tilt (2.0.11)
-    timeout (0.3.2)
+    timeout (0.4.0)
     trailblazer-option (0.1.2)
     turbo-rails (1.3.2)
       actionpack (>= 6.0.0)

RAILS_VERSION

@@ -1 +1 @@
-7.0.5
+7.0.5.1

actioncable/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   No changes.
+
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   Restore Action Cable Redis pub/sub listener on connection failure.

actioncable/lib/action_cable/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actioncable/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "7.0.5",
+  "version": "7.0.5-1",
   "description": "WebSocket framework for Ruby on Rails.",
   "module": "app/assets/javascripts/actioncable.esm.js",
   "main": "app/assets/javascripts/actioncable.js",

actionmailbox/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   No changes.
+
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   No changes.

actionmailbox/lib/action_mailbox/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionmailer/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   No changes.
+
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   No changes.

actionmailer/lib/action_mailer/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionpack/CHANGELOG.md

@@ -1,3 +1,10 @@
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
+
+    *Zack Deveau*
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   Do not return CSP headers for 304 Not Modified responses.

actionpack/lib/action_controller/metal/redirecting.rb

@@ -4,6 +4,8 @@ module ActionController
   module Redirecting
     extend ActiveSupport::Concern
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
     include AbstractController::Logger
     include ActionController::UrlFor
 
@@ -86,7 +88,11 @@ def redirect_to(options = {}, response_options = {})
       allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
 
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
@@ -204,5 +210,16 @@ def _url_host_allowed?(url)
       rescue ArgumentError, URI::Error
         false
       end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters
+        # defined for an HTTP header value in
+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
   end
 end

actionpack/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionpack/test/controller/redirect_test.rb

@@ -104,6 +104,10 @@ def unsafe_redirect_protocol_relative_triple_slash
     redirect_to "///www.rubyonrails.org/"
   end
 
+  def unsafe_redirect_with_illegal_http_header_value_character
+    redirect_to "javascript:alert(document.domain)\b", allow_other_host: true
+  end
+
   def only_path_redirect
     redirect_to action: "other_host", only_path: true
   end
@@ -556,6 +560,19 @@ def test_unsafe_redirect_with_protocol_relative_triple_slash_url
     end
   end
 
+  def test_unsafe_redirect_with_illegal_http_header_value_character
+    with_raise_on_open_redirects do
+      error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
+        get :unsafe_redirect_with_illegal_http_header_value_character
+      end
+
+      msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
+        "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+
+      assert_equal msg, error.message
+    end
+  end
+
   def test_only_path_redirect
     with_raise_on_open_redirects do
       get :only_path_redirect

actiontext/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   No changes.
+
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   Fix `ActionText::Attachable#as_json`.

actiontext/lib/action_text/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actiontext/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "7.0.5",
+  "version": "7.0.5-1",
   "description": "Edit and display rich text in Rails applications",
   "main": "app/assets/javascripts/actiontext.js",
   "type": "module",

actionview/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   No changes.
+
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   `FormBuilder#id` finds id set by `form_for` and `form_with`.

actionview/lib/action_view/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionview/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/ujs",
-  "version": "7.0.5",
+  "version": "7.0.5-1",
   "description": "Ruby on Rails unobtrusive scripting adapter",
   "main": "lib/assets/compiled/rails-ujs.js",
   "files": [

activejob/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   No changes.
+
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   Make delayed job `display_name` failsafe.

activejob/lib/active_job/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end