Merge branch '6-0-sec' into 6-0-stable

* 6-0-sec: Preparing for 6.0.4.3 release bump version update changelog Merge pull request #43868 from rails/fix-default-hosts Merge pull request #43863 from rails/yubikey-support
rails · Dec 14, 2021 · bf9be16 · bf9be16
2 parents f8ef5c2 + 0cc179f
commit bf9be16
Show file tree

Hide file tree

Showing 36 changed files with 165 additions and 71 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -32,79 +32,79 @@ GIT
 PATH
   remote: .
   specs:
-    actioncable (6.0.4.2)
-      actionpack (= 6.0.4.2)
+    actioncable (6.0.4.3)
+      actionpack (= 6.0.4.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.4.2)
-      actionpack (= 6.0.4.2)
-      activejob (= 6.0.4.2)
-      activerecord (= 6.0.4.2)
-      activestorage (= 6.0.4.2)
-      activesupport (= 6.0.4.2)
+    actionmailbox (6.0.4.3)
+      actionpack (= 6.0.4.3)
+      activejob (= 6.0.4.3)
+      activerecord (= 6.0.4.3)
+      activestorage (= 6.0.4.3)
+      activesupport (= 6.0.4.3)
       mail (>= 2.7.1)
-    actionmailer (6.0.4.2)
-      actionpack (= 6.0.4.2)
-      actionview (= 6.0.4.2)
-      activejob (= 6.0.4.2)
+    actionmailer (6.0.4.3)
+      actionpack (= 6.0.4.3)
+      actionview (= 6.0.4.3)
+      activejob (= 6.0.4.3)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.4.2)
-      actionview (= 6.0.4.2)
-      activesupport (= 6.0.4.2)
+    actionpack (6.0.4.3)
+      actionview (= 6.0.4.3)
+      activesupport (= 6.0.4.3)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.4.2)
-      actionpack (= 6.0.4.2)
-      activerecord (= 6.0.4.2)
-      activestorage (= 6.0.4.2)
-      activesupport (= 6.0.4.2)
+    actiontext (6.0.4.3)
+      actionpack (= 6.0.4.3)
+      activerecord (= 6.0.4.3)
+      activestorage (= 6.0.4.3)
+      activesupport (= 6.0.4.3)
       nokogiri (>= 1.8.5)
-    actionview (6.0.4.2)
-      activesupport (= 6.0.4.2)
+    actionview (6.0.4.3)
+      activesupport (= 6.0.4.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.4.2)
-      activesupport (= 6.0.4.2)
+    activejob (6.0.4.3)
+      activesupport (= 6.0.4.3)
       globalid (>= 0.3.6)
-    activemodel (6.0.4.2)
-      activesupport (= 6.0.4.2)
-    activerecord (6.0.4.2)
-      activemodel (= 6.0.4.2)
-      activesupport (= 6.0.4.2)
-    activestorage (6.0.4.2)
-      actionpack (= 6.0.4.2)
-      activejob (= 6.0.4.2)
-      activerecord (= 6.0.4.2)
+    activemodel (6.0.4.3)
+      activesupport (= 6.0.4.3)
+    activerecord (6.0.4.3)
+      activemodel (= 6.0.4.3)
+      activesupport (= 6.0.4.3)
+    activestorage (6.0.4.3)
+      actionpack (= 6.0.4.3)
+      activejob (= 6.0.4.3)
+      activerecord (= 6.0.4.3)
       marcel (~> 1.0.0)
-    activesupport (6.0.4.2)
+    activesupport (6.0.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
       zeitwerk (~> 2.2, >= 2.2.2)
-    rails (6.0.4.2)
-      actioncable (= 6.0.4.2)
-      actionmailbox (= 6.0.4.2)
-      actionmailer (= 6.0.4.2)
-      actionpack (= 6.0.4.2)
-      actiontext (= 6.0.4.2)
-      actionview (= 6.0.4.2)
-      activejob (= 6.0.4.2)
-      activemodel (= 6.0.4.2)
-      activerecord (= 6.0.4.2)
-      activestorage (= 6.0.4.2)
-      activesupport (= 6.0.4.2)
+    rails (6.0.4.3)
+      actioncable (= 6.0.4.3)
+      actionmailbox (= 6.0.4.3)
+      actionmailer (= 6.0.4.3)
+      actionpack (= 6.0.4.3)
+      actiontext (= 6.0.4.3)
+      actionview (= 6.0.4.3)
+      activejob (= 6.0.4.3)
+      activemodel (= 6.0.4.3)
+      activerecord (= 6.0.4.3)
+      activestorage (= 6.0.4.3)
+      activesupport (= 6.0.4.3)
       bundler (>= 1.3.0)
-      railties (= 6.0.4.2)
+      railties (= 6.0.4.3)
       sprockets-rails (>= 2.0.0)
-    railties (6.0.4.2)
-      actionpack (= 6.0.4.2)
-      activesupport (= 6.0.4.2)
+    railties (6.0.4.3)
+      actionpack (= 6.0.4.3)
+      activesupport (= 6.0.4.3)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)

diff --git a/RAILS_VERSION b/RAILS_VERSION
@@ -1 +1 @@
-6.0.4.2
+6.0.4.3
diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/actioncable/lib/action_cable/gem_version.rb b/actioncable/lib/action_cable/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actioncable/package.json b/actioncable/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "6.0.4-2",
+  "version": "6.0.4-3",
   "description": "WebSocket framework for Ruby on Rails.",
   "main": "app/assets/javascripts/action_cable.js",
   "files": [

diff --git a/actionmailbox/CHANGELOG.md b/actionmailbox/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/actionmailbox/lib/action_mailbox/gem_version.rb b/actionmailbox/lib/action_mailbox/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]

diff --git a/actionpack/lib/action_dispatch/middleware/host_authorization.rb b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
@@ -10,6 +10,8 @@ module ActionDispatch
   # application will be executed and rendered. If no +response_app+ is given, a
   # default one will run, which responds with +403 Forbidden+.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", /\A([a-z0-9-]+\.)?localhost:\d+\z/, IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)

diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionpack/test/dispatch/host_authorization_test.rb b/actionpack/test/dispatch/host_authorization_test.rb
@@ -143,6 +143,18 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
     assert_equal "Custom", body
   end
 
+  test "localhost works in dev" do
+    @app = ActionDispatch::HostAuthorization.new(App, ActionDispatch::HostAuthorization::ALLOWED_HOSTS_IN_DEVELOPMENT)
+
+    get "/", env: {
+      "HOST" => "localhost:3000",
+      "action_dispatch.show_detailed_exceptions" => true
+    }
+
+    assert_response :ok
+    assert_match "Success", response.body
+  end
+
   test "blocks requests with spoofed X-FORWARDED-HOST" do
     @app = ActionDispatch::HostAuthorization.new(App, [IPAddr.new("127.0.0.1")])
 

diff --git a/actiontext/CHANGELOG.md b/actiontext/CHANGELOG.md
@@ -9,6 +9,11 @@
 
     *Jonathan Hefner*
 
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/actiontext/lib/action_text/gem_version.rb b/actiontext/lib/action_text/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actiontext/package.json b/actiontext/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "6.0.4-2",
+  "version": "6.0.4-3",
   "description": "Edit and display rich text in Rails applications",
   "main": "app/javascript/actiontext/index.js",
   "files": [

diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionview/package.json b/actionview/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/ujs",
-  "version": "6.0.4-2",
+  "version": "6.0.4-3",
   "description": "Ruby on Rails unobtrusive scripting adapter",
   "main": "lib/assets/compiled/rails-ujs.js",
   "files": [

diff --git a/activejob/CHANGELOG.md b/activejob/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/activejob/lib/active_job/gem_version.rb b/activejob/lib/active_job/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/activemodel/lib/active_model/gem_version.rb b/activemodel/lib/active_model/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/activerecord/lib/active_record/gem_version.rb b/activerecord/lib/active_record/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/activestorage/lib/active_storage/gem_version.rb b/activestorage/lib/active_storage/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/activestorage/package.json b/activestorage/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/activestorage",
-  "version": "6.0.4-2",
+  "version": "6.0.4-3",
   "description": "Attach cloud and local files in Rails applications",
   "main": "app/assets/javascripts/activestorage.js",
   "files": [

diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.

diff --git a/activesupport/lib/active_support/gem_version.rb b/activesupport/lib/active_support/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end