This fixes a compatibility issue introduced in our previous security
release when using domain: :all with a two letter but single level top
level domain domain (like .ca, rather than .co.uk).
This fixes a compatibility issue introduced in our previous security
release when using domain: :all with a two letter but single level top
level domain domain (like .ca, rather than .co.uk).
Rails 7.0.4.1 (January 17, 2023)
Fix sec issue with _url_host_allowed?
Disallow certain strings from _url_host_allowed? to avoid a redirect
to malicious sites.
[CVE-2023-22797]
Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
Use string#split instead of regex for domain parts
[CVE-2023-22792]
Rails 7.0.4 (September 09, 2022)
Prevent ActionDispatch::ServerTiming from overwriting existing values in Server-Timing.
Previously, if another middleware down the chain set Server-Timing header,
it would overwritten by ActionDispatch::ServerTiming.
Jakub Malinowski
Rails 7.0.3.1 (July 12, 2022)
No changes.
Rails 7.0.3 (May 09, 2022)
Allow relative redirects when raise_on_open_redirects is enabled.
Tom Hughes
Fix authenticate_with_http_basic to allow for missing password.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/CultivateLabs/storytime/network/alerts).
Bumps actionpack from 5.2.7 to 7.0.4.2.
Release notes
Sourced from actionpack's releases.
... (truncated)
Changelog
Sourced from actionpack's changelog.
... (truncated)
Commits
7c70791Version 7.0.4.21d6de16Merge pull request #47087 from jhawthorn/cookie_domain23e0345Version 7.0.4.18d82687Avoid regex backtracking on If-None-Match headercd46b0eUse string#split instead of regex for domain partse50e26dFix sec issue with _url_host_allowed?8015c2cVersion 7.0.4f3c345eMerge pull request #45964 from jhawthorn/server_timing_safety4d25c64Merge pull request #45221 from jhawthorn/ac_params_eql_fix47cff40Format inline code [ci-skip]Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/CultivateLabs/storytime/network/alerts).