Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a
time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts
within the Devise::Models::Lockable class not being concurrency safe.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
#after_database_authentication callback was not called after authentication on password reset (by @kanmaniselvan)
Fix corner case when #confirmation_period_valid? was called at the same second as confirmation_sent_at was set. Mostly true for date types that only have second precisions. (by @stanhu)
Fix unclosed li tag in error_messages partial (by @mracos)
Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
Make #increment_failed_attempts concurrency safe (by @tegon)
Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)
deprecations
The second argument of DatabaseAuthenticatable's #update_with_password and #update_without_password is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)
The DeviseHelper.devise_error_messages! is deprecated and will be removed in the next major version. Use the devise/shared/error_messages partial instead. (by @mracos)
Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.
[MRI] During installation, handle Xcode 10's new library pathOS. [#1801, #1851] (Thanks, @mlj and @deepj!)
Avoid unnecessary creation of Procs in many methods. [#1776] (Thanks, @chopraanmol1!)
Bug fixes
CSS selector :has() now correctly matches against any descendant. Previously this selector matched against only direct children). [#350] (Thanks, @Phrogz!)
NodeSet#attr now returns nil if it's empty. Previously this raised a NoMethodError.
[MRI] XPath errors are no longer suppressed during XSLT::Stylesheet#transform. Previously these errors were suppressed which led to silent failures and a subsequent segfault. [#1802]
Fix a bug introduced in v1.9.0 where XML::DocumentFragment#dup no longer returned an instance of the callee's class, instead always returning an XML::DocumentFragment. This notably broke any subclass of XML::DocumentFragment including HTML::DocumentFragment as well as the Loofah gem's Loofah::HTML::DocumentFragment. [#1846]
The first release in the 1.0.0 series. 🎉 For the 1.x releases, we will follow Semantic Versioning very strictly; please keep this in mind when submitting fixes/suggesting changes.
Breaking changes:
Always set CONTENT_TYPE for non-GET requests
(Per Lundberg #223)
Minor enhancements / bug fixes:
Create tempfile using the basename without extension
(Edouard Chin #201)
Save session during follow_redirect!
(Alexander Popov #218)
Document how to use URL params with DELETE method
(Timur Platonov #220)
Support recursively (deep) freezing Country and Timezone instances. #80.
Allow negative daylight savings time offsets to be derived when reading from zoneinfo files. The utc_offset and std_offset are now derived correctly for Europe/Dublin in the 2018a and 2018b releases of the Time Zone Database.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
5 years ago
🚨 Your version of devise has known security vulnerabilities 🚨
Advisory: CVE-2019-5421 Disclosed: February 07, 2019 URL: https://github.com/plataformatec/devise/issues/4981
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ devise (4.4.1 → 4.6.1) · Repo · Changelog
Release Notes
4.6.1 (from changelog)
4.6.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ bcrypt (indirect, 3.1.11 → 3.1.12) · Repo · Changelog
Release Notes
3.1.12
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 20 commits:
Merge pull request #172 from codahale/gem_3-1-12-rc3.1.12 finalRC for 3.1.12 releaseMerge pull request #164 from besser82/libxcryptMerge pull request #171 from codahale/windows_ciUse AppVeyor for testing Windows gem installsMerge branch 'master' into libxcryptMerge pull request #167 from codahale/update-lockfileUse RBX 3Try updating Bundler tooMerge branch 'master' into update-lockfileMerge pull request #169 from codahale/travis_more_rubiesTest on more Rubies in CI; looser version definitionUpdate RG and see if that fixes the buildbcrypt_ext: Add compatibility with libxcryptUpdate lockfile so newer Ruby works with JSON gemMerge pull request #159 from cbrnrd/patch-1Add syntax highlighting where applicableMerge pull request #136 from remvee/fix/remove-forgot-password-exampleRemove Rails forgot password example↗️ concurrent-ruby (indirect, 1.0.5 → 1.1.5) · Repo · Changelog
Release Notes
1.1.5 (from changelog)
1.1.4 (from changelog)
1.1.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ crass (indirect, 1.0.3 → 1.0.4) · Repo · Changelog
Release Notes
1.0.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
chore: Release 1.0.4chore: Enable warnings when running testsAddress `warning: mismatched indentations at 'when' with 'case'`Merge pull request #6 from nicolasleger/patch-1[CI] Test against Ruby 2.5↗️ erubi (indirect, 1.7.0 → 1.8.0) · Repo · Changelog
Release Notes
1.8.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 18 commits:
Bump version to 1.8.0Fix and expand on documentation for :yield_returns_bufferRename return_buffer option to yield_returns_bufferModify test to work with new :return_buffer behaviorFlip `result` and `code` for :return_buffer optionDisable minitest plugins when testingModify spec to show how :return_buffer can be used when modifying buffersSimplify test in attempt to get 1.8.7 passingAdd return_buffer option to CaptureEndEngineUpdate the README with an example of how to write a method that works with capture_end (Fixes #15)Remove has_rdoc from gemspec, since it is deprecatedBump version to 1.7.1Remove one difference from READMEMinor tweak to READMEBump copyright yearMake whitespace handling for <%# %> tags more compatible with Erubis (Fixes #14)Test on ruby 2.5 on Travisremove unnecessary ternary operation↗️ i18n (indirect, 0.9.3 → 0.9.5) · Repo · Changelog
Release Notes
0.9.5
0.9.4
Does any of this look wrong? Please let us know.
↗️ loofah (indirect, 2.1.1 → 2.2.3) · Repo · Changelog
Release Notes
2.2.3
2.2.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 52 commits:
version bump to v2.2.3 and update CHANGELOGremove the svg animate attribute `from` from the allowlistadd formatting to CHANGELOGupdated mailing list to a new Google Groupextract msword html data into an asset fileversion bump to 2.2.2Make public `force_correct_attribute_escaping!`use VersionInfo.instanceversion bump to 2.2.1update Manifest.txt and CHANGELOG.mdMerge branch 'flavorjones-remediate-attribute-escaping'tests and fix for CVE-2018-8048SECURITY.md to publish vuln reporting processbump the fake gemspecfix remaining rdoc format in READMEfix Hoe config to use README.mdversion bump to v2.2.0finishes previous logical commitconvert README from rdoc to markdownremove travis configupdate CHANGELOGMerge pull request #142 from eventfuel/added_list_type_style_to_css_propswhitelist CSS function `rgb`Added list-type-style as a safe CSS property to whitelist by default (replacement for PR #137)Merge branch 'pr136-block-level'update CHANGELOGtidy elements.rb, cover html5 block elementsupdate CHANGELOGMerge pull request #123 from eventfuel/enable_whitelisting_css_functionsMerge pull request #141 from david-a-wheeler/doc-xxeMerge pull request #138 from rmacklin/fix-inaccurate-example-in-readmeconcourse: fix rubinius buildsDocument doesn't use dangerous Nokogiri configFix inaccurate example in READMEadd html5 block-level elementsfrozen-string-literal support in testsupdate CHANGELOGMerge branch '127-nested-script-tags'handle nested script tagsupdate CHANGELOGMerge pull request #131 from baopham/add-symbolupdate CHANGELOGMerge pull request #134 from MothOnMars/whitelist_mainwhitelist HTML5 <main> elementconcourse: remove serialness of PR buildsconcourse: run PRs on all MRIsnest non-spec tests to avoid duplicate test runsAdd symbol to list of SVG_ELEMENTSMerge pull request #126 from aried3r/patch-1Update CHANGELOG.mdconcourse: add windows testsjruby shouldn't be a blocker to PR success for now↗️ method_source (indirect, 0.9.0 → 0.9.2) · Repo
Commits
See the full diff on Github. The new version differs by 12 commits:
Merge pull request #55 from banister/release-0-9-2Release v0.9.2Merge pull request #54 from banister/52-jruby-patch-removalRevert "method_source: fix broken Procs on JRuby 9.2.0.0"bump version number to 0.9.1Merge pull request #51 from kyrylo/jruby-9200-fixmethod_source: fix broken Procs on JRuby 9.2.0.0Merge pull request #50 from mensfeld/masterremove gemfile locklicense for the gemspectweaks to .travis.ymlRun rake gemspec task to bump gemspec data (incl version number)↗️ mini_portile2 (indirect, 2.3.0 → 2.4.0) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 10 commits:
version bump to v2.4.0update CHANGELOG in preparation for v2.4.0update dev dependenciesMerge pull request #86 from eagletmt/skip-progress-when-chunkedMerge pull request #87 from halfbyte/patch-1Make version in changelog fit release version.Skip progress report when Content-Length is unavailableupdate test:examples to libiconv 1.15concourse: test most-recent two rubiesconvert to using windows-ruby-dev-tools-release↗️ minitest (indirect, 5.11.1 → 5.11.3) · Repo · Changelog
↗️ nokogiri (indirect, 1.8.1 → 1.10.1) · Repo · Changelog
Release Notes
1.10.1
1.10.0
1.9.1
1.9.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rack (indirect, 2.0.3 → 2.0.6) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 19 commits:
Bumping version for releaseWhitelist http/https schemesReduce buffer size to avoid pathological parsingMerge tag '2.0.5' into 2-0-stableMerge pull request #1296 from tomelm/fix-prefers-plaintextBump version for releaseMerge pull request #1268 from eileencodes/forwardport-pr-1249-to-2-0-stableMerge pull request #1249 from mclark/handle-invalid-method-parametersStick with a passing version of Rubygems and bundlerLeahizeBumping versionwebrick: remove concurrent-ruby dev dependencyMerge pull request #1190 from hugoabonizio/masterMerge pull request #1193 from tompng/multipart_less_memoryMerge pull request #1192 from jkowens/masterMerge pull request #1179 from tompng/masterMerge pull request #1151 from cremno/simplify-some-string-creationsMerge pull request #1189 from lugray/fix_rack_lockRequire the right file for the digest we're using↗️ rack-test (indirect, 0.8.2 → 1.1.0) · Repo · Changelog
Release Notes
1.1.0
1.0.0
0.8.3
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 20 commits:
Release 1.1.0Add simplecov (#227)Follow relative locations correctly. Fixes #228 (#230)follow_direct: Include rack.session.options (#233)Added configuration for Stale (#232)Release v1.0.0Create tempfile using the basename without extension: (#201)Always set CONTENT_TYPE for non-GET requests (#223)README.md: Removed 'require' in GemfileAdded missing 0.8.3 commitRFC 6265 adjustment: Delimit cookies by semicolon and single space (#221)History.md: Added note about #220Document how to use URL params with DELETE method (#220):cop: Exclude bin/ in RubocopSave `session` during `follow_redirect!` (#218)README.md: Add note about Capybara incompatibilityDo not set Content-Type if params are explicitly set to nil (#212):cop: Change the BlockDelimieter setting[CI] Test against Ruby 2.5 (#217)Fix UploadedFile#new regression (#215)↗️ rails-html-sanitizer (indirect, 1.0.3 → 1.0.4) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 16 commits:
Prepare to 1.0.4 releaseMake sure we address CVE-2018-8048Remove rbx since it doesn't seem to install.Merge pull request #66 from fschwahn/improve-testsFix deprecation warning from MinitestMake tests pass again with recent nokogiri versionsRename test to better reflect what is actually testedtyposWe're still testing against ruby 1.9 and 2.0 that aren't supported by nokogiri 1.7activesupport 5 doesn't support ruby < 2.2.2 that are still tested in this repobundle with the newest released bundlerTest against newer released rubies[ci skip] Remove faulty overrides in scrubber example.[ci skip] Change override method in PermitScrubber.Merge pull request #47 from pvalena/patch-1Correct license filename↗️ rake (indirect, 12.3.0 → 12.3.2) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ responders (indirect, 2.4.0 → 2.4.1) · Repo · Changelog
Release Notes
2.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Prepare for `2.4.1` releaseMerge pull request #201 from plataformatec/revert-197-rails_6_undefined_local_variable_or_method_mimes_for_respond_toRevert "Allow rails 6"Merge pull request #197 from oystersauce8/rails_6_undefined_local_variable_or_method_mimes_for_respond_toMerge pull request #199 from jfeaver/patch-1use "these" for plural noun phraseAllow rails 6Merge pull request #188 from Fudoshiki/masterchange travis matrixchange right borderAllow rails 6Merge pull request #185 from uuushiro/masterfix typoMerge pull request #183 from amatsuda/httpsGitHub is HTTPS by default↗️ thor (indirect, 0.20.0 → 0.20.3) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 73 commits:
Prepare to 0.20.3Merge pull request #637 from y-yagi/add_care_of_old_did_you_meanAdd care about old version of `did_you_mean`Prepare to 0.20.2 releaseMerge pull request #636 from y-yagi/fixes_buildRemove the globally installed gem by rvmRun command with bundle execMake sure did_you_mean feature works when the gem is availablePrepare to 0.20.1 releaseMerge pull request #630 from kddeisz/did-you-meanMerge pull request #628 from deivid-rodriguez/abort_on_failureMerge pull request #629 from deivid-rodriguez/fix_warningsFix up keyword argument usage in did_you_mean for ruby 1.8Fix up did_you_mean on older ruby versionsSupport did-you-mean functionality in thorFix "warning: setting Encoding.default_external"Add `abort_on_failure` option to #run actionRemove unused stuffFix "warning: assigned but unused variable - junk"Merge pull request #616 from Choms/masterRe-add versionMerge pull request #623 from marcandre/remove_dupRemove duplicate option creation in specDelete version.rbMerge pull request #620 from MaxLap/fix-invalid-path-displayFix relative_to_original_destination_root and better testsRemove the root path from the absolute path only onceMerge pull request #618 from MaxLap/fix_check_unknownMerge pull request #589 from pocke/correct-linenoFix check_unknown_options! when parsing gets stoppedFix indent calculationSmall change to use more of the terminal sizeFix print_wrapped to properly parse "\x5" newline characterMerge pull request #610 from deivid-rodriguez/skip_exit_status_specs_on_1.8.7Document possible attack vector on `get`Merge pull request #611 from bosoxbill/doc-for-cve-2016-10545Add open-uri referenceAdd language about how not to use ThorSkip exit status specs on 1.8.7Merge pull request #578 from jmax315/masterMerge pull request #608 from y-yagi/fix_typo_in_inject_into_module_testFix typo in `inject_into_module` testMerge pull request #605 from y-yagi/add_merge_action_to_file_collisionMerge pull request #606 from y-yagi/remove_gemnasium_badgeRemove Gemnasium badgeMerge pull request #604 from y-yagi/test_against_latest_rubiesAdd `merge` action to file colision menuTest against latest RubiesMerge pull request #600 from jonathanhefner/fix-comment-regexMerge pull request #601 from pallan/patch-1Updates method documentation for askFix comment_lines regexpMerge pull request #599 from utilum/identifiy_future_ERB_versionsMake sure future versions of ERB are invoked appropriatelyMerge pull request #594 from koic/deprecate_safe_level_of_erb_new_in_ruby_2_6Merge pull request #598 from yahonda/diag595Address #595 by duplicating string objectsDeprecate safe_level of ERB.new in Ruby 2.6Use correct line numbers for `class_eval` and `module_eval` methodsMerge pull request #586 from hsbt/fix-misspellFixed misspelling words.Merge pull request #584 from lostapathy/bump_travis_versionsMerge pull request #583 from lostapathy/fix_travisupdate ruby version in travis configlock hashdiff to <0.3.6 to fix travisFix incorrect use of Process::exit. This fixes open issue #244.Merge pull request #576 from sshaw/masterrequire open-uri when loading http templateMerge pull request #572 from sschuberth/masterIntroduce a constant for the default terminal widthMerge pull request #568 from segiddins/seg-hash-fetch-testsAdd more tests for HashWithIndifferentAccess#fetchRelease should use invoke not execute↗️ tzinfo (indirect, 1.2.4 → 1.2.5) · Repo · Changelog
Release Notes
1.2.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 10 commits:
Preparing v1.2.5.Update copyright years.Use Ruby 1.8 compatible syntax.Document that utc_offset and std_offset may be inaccurate with zoneinfo.Allow zoneinfo offset derivation to pick a negative std_offset.Don't store lazily-evaluated results if the object has been frozen.Remove unnecessary calls to Country.get in tests.Restore $SAFE after running a safe mode test (if possible).Disable Minitest's use of external diff tools during safe mode tests.Add Ruby 2.5.0 and update to the latest Ruby, JRuby and Rbx releases.↗️ warden (indirect, 1.2.7 → 1.2.8) · Repo · Changelog
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands