diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 0bf5cc2e50..d922ea34e2 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -407,7 +407,7 @@ module ActionController
     module Token
       TOKEN_KEY = "token="
       TOKEN_REGEX = /^(Token|Bearer)\s+/
-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
       extend self
 
       module ControllerMethods
diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
index 5d4bab1119..4fd6757b02 100644
--- a/actionpack/lib/action_dispatch/http/mime_type.rb
+++ b/actionpack/lib/action_dispatch/http/mime_type.rb
@@ -228,7 +228,7 @@ module Mime
     MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
     MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
     MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
-    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
 
     class InvalidMimeType < StandardError; end
 
diff --git a/actionpack/lib/action_dispatch/middleware/host_authorization.rb b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
index 0362820540..d5a596ed31 100644
--- a/actionpack/lib/action_dispatch/middleware/host_authorization.rb
+++ b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
@@ -53,7 +53,7 @@ module ActionDispatch
           if host.start_with?(".")
             /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
           else
-            /\A#{host}\z/i
+            /\A#{Regexp.escape host}\z/i
           end
         end
     end
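Review bot: The `+` was dropped from the tab alternative of AUTHN_PAIR_DELIMITERS without any comment, so nothing on the line tells the next maintainer why `\t+` is dangerous and it is likely to be "restored" in a later cleanup. The constant only matters where it is interpolated into a split further down the module (outside this hunk); if that split wraps it in `\s*`, the old `\t+` nested a quantifier inside a quantified whitespace class, which is the backtracking shape the new "evil header" test guards against. Suggest `# Single \t, not \t+: a repeated quantifier here nests with the surrounding whitespace matching and backtracks catastrophically on a long attacker-supplied header` directly above the constant. Whether a run of tabs is still consumed as one delimiter depends on that enclosing pattern, so it is worth confirming at the split site. `module Token` continues outside the hunk.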
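Review bot: The change from `(?:` to the atomic group `(?>` in MIME_REGEXP is the entire fix, yet it carries no comment, and an atomic group is easy to read as a typo and "correct" back to a non-capturing group. Suggest `# Atomic group: once one parameter has matched the engine may not re-split its whitespace, which is what let an input with a dangling ';' backtrack pathologically` on the line above. As far as the classes on these lines show, atomicity is acceptance-preserving only because the parameter grammar is unambiguous apart from where whitespace lands — MIME_PARAMETER_KEY and MIME_PARAMETER_VALUE exclude `;`, `=` and `"` (Regexp.escape turns the `-` in `'!#$&-^_.+'` into a literal hyphen, not a range) — so the comment should warn that widening those classes can change which inputs the regexp accepts. Note also that MIME_PARAMETER is a double-quoted Ruby string, where `\s` is the escape for a space character, so that constant tolerates only spaces around `;` and `=` while the `\s*` in the regexp literal matches any whitespace. Only the constants are visible here; the class continues outside the hunk.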
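Review bot: `Regexp.escape host` drops the parentheses that the sibling call `Regexp.escape(host[1..-1])` two lines above uses; the same shape on both branches reads better, `/\A#{Regexp.escape(host)}\z/i`. With both branches now escaped, the method's contract is that a String allowed-host is matched literally (case-insensitively) and only a Regexp carries pattern semantics, so a one-line comment on the method such as `# String hosts are literal: metacharacters such as '.' are escaped, so pass a Regexp for patterns` would stop callers from relying on the old behaviour. The enclosing method starts above this hunk.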
diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
index e98e4aaa66..77499bf157 100644
--- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
+++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
@@ -287,10 +287,12 @@ module ActionDispatch
           args = []
 
-          route = record_list.map { |parent|
+          route = record_list.map do |parent|
             case parent
-            when Symbol, String
+            when Symbol
               parent.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
             when Class
               args << parent
               parent.model_name.singular_route_key
@@ -298,12 +300,14 @@ module ActionDispatch
               args << parent.to_model
               parent.to_model.model_name.singular_route_key
             end
-          }
+          end
 
           route << case record
-                   when Symbol, String
+                   when Symbol
                      record.to_s
+                   when String
+                     raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
                    when Class
                      @key_strategy.call record.model_name
                    else
diff --git a/actionpack/test/controller/http_token_authentication_test.rb b/actionpack/test/controller/http_token_authentication_test.rb
index 5940858197..ca69eb1389 100644
--- a/actionpack/test/controller/http_token_authentication_test.rb
+++ b/actionpack/test/controller/http_token_authentication_test.rb
@@ -88,6 +88,16 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
     assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
   end
 
+  test "authentication request with evil header" do
+    @request.env["HTTP_AUTHORIZATION"] = "Token ." + " " * (1024*80-8) + "."
+    Timeout.timeout(1) do
+      get :index
+    end
+
+    assert_response :unauthorized
+    assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
+  end
+
   test "successful authentication request with Bearer instead of Token" do
     @request.env["HTTP_AUTHORIZATION"] = "Bearer lifo"
     get :index
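Review bot: The message `"Please use symbols for polymorphic route arguments."` is spelled out twice in this file — here under `when String` and again in the second hunk's `route << case record` — and twice more in the tests further down this commit, so any rewording will drift. Hoist it into one frozen constant in the module (illustrative name `STRING_ARGUMENT_MESSAGE`) and raise it from both sites, which also lets the tests reference the constant instead of the literal. The parenthesised `raise(ArgumentError, "…")` form is unusual here; `raise ArgumentError, STRING_ARGUMENT_MESSAGE` is the conventional shape. The error does not say which element was a String, so a caller with a long record list has to guess; appending `parent.inspect` would help, but the tests added in this commit assert the exact message, so that needs a coordinated change. The enclosing method begins above the first hunk and its `else` branch lies between the two hunks.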
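Review bot: The regression payload is `" " * (1024*80-8)` spaces, but the production change in this commit touches only the `\t` alternative of AUTHN_PAIR_DELIMITERS, so nothing here exercises a long run of tabs, the input most directly affected by the edit; a second case built from `"\t"` would pin the delimiter change itself. `Timeout.timeout(1)` turns the assertion into a wall-clock bound that a loaded CI runner can miss, and it relies on `Timeout` being required somewhere outside the hunk. Measuring elapsed time with `Process.clock_gettime(Process::CLOCK_MONOTONIC)` and asserting a generous bound would fail with a message that names the slowness rather than an unrelated-looking Timeout::Error.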
diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
index f7495703c7..e1b31667a1 100644
--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
@@ -130,6 +130,14 @@ class RedirectController < ActionController::Base
     redirect_to nil
   end
 
+  def redirect_to_polymorphic
+    redirect_to [:internal, Workshop.new(5)]
+  end
+
+  def redirect_to_polymorphic_string_args
+    redirect_to ["internal", Workshop.new(5)]
+  end
+
   def redirect_to_params
     redirect_to ActionController::Parameters.new(status: 200, protocol: "javascript", f: "%0Aeval(name)")
   end
@@ -376,6 +384,43 @@ class RedirectTest < ActionController::TestCase
     end
   end
 
+  def test_polymorphic_redirect
+    with_routing do |set|
+      set.draw do
+        namespace :internal do
+          resources :workshops
+        end
+
+        ActiveSupport::Deprecation.silence do
+          get ":controller/:action"
+        end
+      end
+
+      get :redirect_to_polymorphic
+      assert_equal "http://test.host/internal/workshops/5", redirect_to_url
+      assert_redirected_to [:internal, Workshop.new(5)]
+    end
+  end
+
+  def test_polymorphic_redirect_with_string_args
+    with_routing do |set|
+      set.draw do
+        namespace :internal do
+          resources :workshops
+        end
+
+        ActiveSupport::Deprecation.silence do
+          get ":controller/:action"
+        end
+      end
+
+      error = assert_raises(ArgumentError) do
+        get :redirect_to_polymorphic_string_args
+      end
+      assert_equal("Please use symbols for polymorphic route arguments.", error.message)
+    end
+  end
+
   def test_redirect_to_nil
     error = assert_raise(ActionController::ActionControllerError) do
       get :redirect_to_nil
diff --git a/actionpack/test/dispatch/host_authorization_test.rb b/actionpack/test/dispatch/host_authorization_test.rb
index 1304d32ad9..d6e366bb1a 100644
--- a/actionpack/test/dispatch/host_authorization_test.rb
+++ b/actionpack/test/dispatch/host_authorization_test.rb
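Review bot: `test_polymorphic_redirect` and `test_polymorphic_redirect_with_string_args` repeat the same ten-line routing setup (`with_routing`, `namespace :internal`, `resources :workshops`, and the deprecation-silenced `get ":controller/:action"`); extracting it into a helper that yields inside `with_routing` leaves the two tests differing only in their assertions. The first hunk's controller actions both hard-code `Workshop.new(5)` and the second hunk repeats the id in `/internal/workshops/5` and in `assert_redirected_to`, so the value lives in four places; a small constant would keep them aligned. The `ActiveSupport::Deprecation.silence` wrapper suggests the `:controller/:action` wildcard is itself deprecated, and the helper is the natural place for a one-line comment saying why it is still needed for the string-args case.

```ruby
  # Routes shared by the polymorphic redirect tests; the deprecated
  # ":controller/:action" wildcard is what lets the test actions be reached.
  def with_internal_workshop_routes
    with_routing do |set|
      set.draw do
        namespace :internal do
          resources :workshops
        end

        ActiveSupport::Deprecation.silence do
          get ":controller/:action"
        end
      end

      yield
    end
  end

  def test_polymorphic_redirect
    with_internal_workshop_routes do
      get :redirect_to_polymorphic
      # … unchanged: assertions …
    end
  end

  def test_polymorphic_redirect_with_string_args
    with_internal_workshop_routes do
      # … unchanged: assert_raises and message assertion …
    end
  end
```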
@@ -232,6 +232,17 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
     assert_match "Blocked host: attacker.com#x.example.com", response.body
   end
 
+  test "blocks requests to similar host" do
+    @app = ActionDispatch::HostAuthorization.new(App, "sub.example.com")
+
+    get "/", env: {
+      "HOST" => "sub-example.com",
+    }
+
+    assert_response :forbidden
+    assert_match "Blocked host: sub-example.com", response.body
+  end
+
   test "config setting action_dispatch.hosts_response_app is deprecated" do
     assert_deprecated do
       ActionDispatch::HostAuthorization.new(App, "example.com", ->(env) { true })
diff --git a/actionpack/test/dispatch/mime_type_test.rb b/actionpack/test/dispatch/mime_type_test.rb
index b29a7f6273..d5ef7b7f53 100644
--- a/actionpack/test/dispatch/mime_type_test.rb
+++ b/actionpack/test/dispatch/mime_type_test.rb
@@ -231,6 +231,12 @@ class MimeTypeTest < ActiveSupport::TestCase
     assert_raises Mime::Type::InvalidMimeType do
       Mime::Type.new(nil)
     end
+
+    assert_raises Mime::Type::InvalidMimeType do
+      Timeout.timeout(1) do # Shouldn't take more than 1s
+        Mime::Type.new("text/html ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0 ;0;")
+      end
+    end
   end
 
   test "holds a reference to mime symbols" do
diff --git a/actionview/test/activerecord/polymorphic_routes_test.rb b/actionview/test/activerecord/polymorphic_routes_test.rb
index 45f7173d24..bde1911417 100644
--- a/actionview/test/activerecord/polymorphic_routes_test.rb
+++ b/actionview/test/activerecord/polymorphic_routes_test.rb
@@ -464,12 +464,6 @@ class PolymorphicRoutesTest < ActionController::TestCase
     end
   end
 
-  def test_with_array_containing_single_string_name
-    with_test_routes do
-      assert_url "http://example.com/projects", ["projects"]
-    end
-  end
-
   def test_with_array_containing_symbols
     with_test_routes do
       assert_url "http://example.com/series/new", [:new, :series]
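Review bot: The new assertion only checks that the pathological input is rejected quickly; nothing in this commit asserts that a well-formed type with several parameters and surrounding whitespace is still accepted, and an atomic group can in principle reject inputs that a backtracking group accepted, so a positive case next to this one (for example `assert_nothing_raised { Mime::Type.new("text/html; charset=utf-8 ; q=0.5") }`, a constructed sample) would pin that the regexp change is acceptance-preserving. `Timeout.timeout(1)` is a wall-clock bound that can trip on a slow CI runner, and when it does the Timeout::Error surfaces as a failed `assert_raises` rather than a message naming the slowness; a larger budget or an elapsed-time assertion would read more clearly. The enclosing test method starts above the hunk.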
@@ -624,6 +618,22 @@ class PolymorphicRoutesTest < ActionController::TestCase
     end
   end
 
+  def test_string_route_arguments
+    with_admin_test_routes do
+      error = assert_raises(ArgumentError) do
+        polymorphic_url(["admin", @project])
+      end
+
+      assert_equal("Please use symbols for polymorphic route arguments.", error.message)
+
+      error = assert_raises(ArgumentError) do
+        polymorphic_url([@project, "bid"])
+      end
+
+      assert_equal("Please use symbols for polymorphic route arguments.", error.message)
+    end
+  end
+
   def with_namespaced_routes(name)
     with_routing do |set|
       set.draw do