🚨 [security] Upgrade rails: 5.2.4.4 → 5.2.8.1 (patch)

[depfu]

👉 This PR is queued up to get rebased by Depfu

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.2.4.4 → 5.2.8.1) · Repo

Release Notes

5.2.7

Active Support

• Restore support to Ruby 2.2.

  ojab

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Fix ActiveStorage.supported_image_processing_methods and
  ActiveStorage.unsupported_image_processing_arguments that were not being applied.

  Rafael Mendonça França

Railties

• No changes.

5.2.6.3

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Added image transformation validation via configurable allow-list.

  Variant now offers a configurable allow-list for
  transformation methods in addition to a configurable deny-list for arguments.

  [CVE-2022-21831]

Railties

• No changes.

5.2.6

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Accept base64_urlsafe CSRF tokens to make forward compatible.

  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
  them difficult to deal with. For example, the common practice of sending
  the CSRF token to a browser in a client-readable cookie does not work properly
  out of the box: the value has to be url-encoded and decoded to survive transport.

  In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
  safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
  tokens for backwards compatibility.

  How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens
  config.

  In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

  Atention: If you already upgraded your application to 5.2.5, set the config
  urlsafe_csrf_tokens to true, otherwise your form submission will start to fail
  during the deploy of this new version.

  Rails.application.config.action_controller.urlsafe_csrf_tokens = true

  If you are upgrading from 5.2.4.x, you don't need to change this configuration.

  Scott Blum, Étienne Barrié

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

5.2.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

  George Claghorn

Railties

• No changes.

5.2.4.6

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Prevent regex DoS in HTTP token authentication
  CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array
  of arguments (usually symbols and records). If a developer passes a
  user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

5.2.4.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Fix possible DoS vector in PostgreSQL money type

  Carefully crafted input can cause a DoS via the regular expressions used
  for validating the money format in the PostgreSQL adapter. This patch
  fixes the regexp.

  Thanks to @dee-see from Hackerone for this patch!

  [CVE-2021-22880]

  Aaron Patterson

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• No changes.

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailer (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• No changes.

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

🚨 Possible exposure of information vulnerability in Action Pack

Impact

Under certain circumstances response bodies will not be closed, for example a
bug in a webserver (puma/puma#2812) or a bug in a Rack
middleware. In the event a response is not notified of a close,
ActionDispatch::Executor will not know to reset thread local state for the
next request. This can lead to data being leaked to subsequent requests,
especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation if this issue
even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following
middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end
private
def ensure_completed!
  @executor.new.complete! if @executor.active?
end

end
Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do

config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor

end

🚨 Possible Information Disclosure / Unintended Method Execution in Action Pack

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack which has been assigned the CVE identifier
CVE-2021-22885.

Versions Affected: >= 2.0.0.
Not affected: < 2.0.0.
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack when using the redirect_to or polymorphic_url
helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid
parameters passed from the user. For example:

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end
def index

redirect_to(check(params[:some_param]))

end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end

🚨 Possible DoS Vulnerability in Action Controller Token Authentication

There is a possible DoS vulnerability in the Token Authentication logic in
Action Controller. This vulnerability has been assigned the CVE identifier
CVE-2021-22904.

Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or
authenticate_with_http_token for request authentication. Impacted code will
look something like this:

class PostsController < ApplicationController
  before_action :authenticate
private
def authenticate

authenticate_or_request_with_http_token do |token, options|

# ...

end

end

end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around
the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

🚨 Possible Information Disclosure / Unintended Method Execution in Action Pack

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack which has been assigned the CVE identifier
CVE-2021-22885.

Versions Affected: >= 2.0.0.
Not affected: < 2.0.0.
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack when using the redirect_to or polymorphic_url
helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid
parameters passed from the user. For example:

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end
def index

redirect_to(check(params[:some_param]))

end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end

🚨 Possible DoS Vulnerability in Action Controller Token Authentication

There is a possible DoS vulnerability in the Token Authentication logic in
Action Controller. This vulnerability has been assigned the CVE identifier
CVE-2021-22904.

Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or
authenticate_with_http_token for request authentication. Impacted code will
look something like this:

class PostsController < ApplicationController
  before_action :authenticate
private
def authenticate

authenticate_or_request_with_http_token do |token, options|

# ...

end

end

end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around
the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• Allow Content Security Policy DSL to generate for API responses.

  Tim Wade

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• Under certain circumstances, the middleware isn't informed that the response body has been fully closed which result in request state not being fully reset before the next request

  [CVE-2022-23633]

5.2.6 (from changelog)

• Accept base64_urlsafe CSRF tokens to make forward compatible.

  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport.

  In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.

  How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens config.

  In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

  Atention: If you already upgraded your application to 5.2.5, set the config urlsafe_csrf_tokens to true, otherwise your form submission will start to fail during the deploy of this new version.

  Rails.application.config.action_controller.urlsafe_csrf_tokens = true

  If you are upgrading from 5.2.4.x, you don't need to change this configuration.

  Scott Blum, Étienne Barrié

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• Prevent regex DoS in HTTP token authentication CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing
untrusted input as hash keys can lead to a possible XSS vulnerability. This
vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

If untrusted data is passed as the hash key for tag attributes, there is a
possibility that the untrusted data may not be properly escaped which can
lead to an XSS vulnerability.

Impacted code will look something like this:

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

Where the "malicious_input" variable contains untrusted data.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Escape the untrusted data before using it as a key for tag helper methods.

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option :escape_attributes to :escape, to simplify by applying the option to the whole tag.

  Álvaro Martín Fraguas

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• No changes.

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• No changes.

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in
Active Record. This vulnerability has been assigned the CVE identifier
CVE-2022-32224.

Versions Affected: All.
Not affected: None
Fixed Versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1

Impact

When serialized columns that use YAML (the default) are deserialized, Rails
uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an
attacker can manipulate data in the database (via means like SQL injection),
then it may be possible for the attacker to escalate to an RCE.

Impacted Active Record models will look something like this:

class User < ApplicationRecord
  serialize :options       # Vulnerable: Uses YAML for serialization
  serialize :values, Array # Vulnerable: Uses YAML for serialization
  serialize :values, JSON  # Not vulnerable
end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

The released versions change the default YAML deserializer to use
YAML.safe_load, which prevents deserialization of possibly dangerous
objects. This may introduce backwards compatibility issues with existing
data.

In order to cope with that situation, the released version also contains two
new Active Record configuration options. The configuration options are as
follows:

• config.active_storage.use_yaml_unsafe_load

When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.

• config.active_record.yaml_column_permitted_classes

The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:

config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]

Workarounds

There are no feasible workarounds for this issue, but other coders (such as
JSON) are not impacted.

🚨 Possible DoS Vulnerability in Active Record PostgreSQL adapter

There is a possible DoS vulnerability in the PostgreSQL adapter in Active
Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of
the PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with
money type columns that take user input.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money < Type::Decimal # :nodoc:
          def cast_value(value)
            return value unless ::String === value
        value = value.sub(/^\((.+)\)$/, '-\1') # (4)
        case value
        when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
          value.gsub!(/[^-\d.]/, "")
        when /^-?\D*+[\d.]+,\d{2}$/  # (2)
          value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
        end

        super(value)
      end
    end
  end
end

end

end

Release Notes

5.2.8.1 (from changelog)

• Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options The configuration options are as follows:

  • config.active_storage.use_yaml_unsafe_load

  When set to true, this configuration option tells Rails to use the old "unsafe" YAML loading strategy, maintaining the existing behavior but leaving the possible escalation vulnerability in place. Setting this option to true is not recommended, but can aid in upgrading.

  • config.active_record.yaml_column_permitted_classes

  The "safe YAML" loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed "safe" in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list as follows:

  config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
  

  [CVE-2022-32224]

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• No changes.

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• Fix possible DoS vector in PostgreSQL money type

  Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

  Thanks to @dee-see from Hackerone for this patch!

  [CVE-2021-22880]

  Aaron Patterson

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module
of Rails. This vulnerability has been assigned the CVE identifier
CVE-2022-21831.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Impact

There is a possible code injection vulnerability in the Active Storage module
of Rails. This vulnerability impacts applications that use Active Storage
with the image_processing processing in addition to the mini_magick back end
for image_processing.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary
input.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

To work around this issue, applications should implement a strict allow-list
on accepted transformation methods or arguments. Additionally, a strict image
magick security policy will help mitigate this issue.

https://imagemagick.org/script/security-policy.php

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• No changes.

5.2.7 (from changelog)

• Fix ActiveStorage.supported_image_processing_methods and ActiveStorage.unsupported_image_processing_arguments that were not being applied.

  Rafael Mendonça França

5.2.6.3 (from changelog)

• Added image transformation validation via configurable allow-list.

  Variant now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments.

  [CVE-2022-21831]

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

  George Claghorn

• The Poppler PDF previewer renders a preview image using the original document's crop box rather than its media box, hiding print margins. This matches the behavior of the MuPDF previewer.

  Vincent Robert

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Add the method ERB::Util.xml_name_escape to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

  Álvaro Martín Fraguas

5.2.7 (from changelog)

• Restore support to Ruby 2.2.

  ojab

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• Fix Reloader method signature to work with the new Executor signature

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ marcel (indirect, 0.3.3 → 1.0.2) · Repo

Release Notes

1.0.2

• Include Apache license in gem release. (a525d5b)
• Prefer audio/x-wav for WAV audio files. (#45)
• Prefer application/x-x509-ca-cert for Privacy-Enhanced Mail certificates. (#46)
• Prefer audio/flac for FLAC audio files. (#47)
• Prefer audio/aac for Advanced Audio Coding audio files. (#49)
• Prefer application/vnd.ms-access for Microsodt Access DB files. (#50)
• Support text/x-scss and text/x-sass stylesheets. (#52)
• Support encrypted Microsoft Access DB files. (#53)
• Prefer application/x-ole-storage for Microsoft Office files. (#54)
• Prefer text/markdown for Markdown files. (#55)
• Prefer audio/mpc for Musepack audio files. (#56)
• Support audio/webm audio files. (#58)
• Support image/avif images files. (#63)

1.0.1

• Fixes identifying OpenDocument files by magic. 1.0.0 imprecisely identified them as application/zip. (Setup Newrelic #38)
• Fixes identifying .docx, .pptx, and .xlsx files exported from Google Sheets by magic. (Sorcery log in #36)
• Identifies vCard files as text/vcard rather than text/x-vcard. (27fac74bd69663495410339bfd40ea8581ba669b)
• Identifies .otf, .woff, and .woff2 files aș font/otf, font/woff, and font/woff2, respectively. (Setup rollbar #37)

1.0.0

The mimemagic dependency—which relies on GPL-licensed mime type data from freedesktop.org’s shared-mime-info project—is removed. Marcel now directly uses mime type data adapted from the Apache Tika project, distributed under the Apache License.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 5.2.4.4 → 5.2.8.1) · Repo · Changelog

Release Notes

5.2.8.1 (from changelog)

• No changes.

5.2.8 (from changelog)

• No changes.

5.2.7.1 (from changelog)

• No changes.

5.2.7 (from changelog)

• No changes.

5.2.6.3 (from changelog)

• No changes.

5.2.6.2 (from changelog)

• No changes.

5.2.6.1 (from changelog)

• No changes.

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🗑️ mimemagic (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)