Merge branch '5-2-sec' into 5-2-stable

* 5-2-sec:
  Preparing for 5.2.4.6 release
  Update changelog
  Prevent slow regex when parsing host authorization header
  Prevent string polymorphic route arguments

Author: tenderlove

Gemfile.lock

@@ -3,6 +3,11 @@
 *   No changes.
 
 
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.5 (February 10, 2021) ##
 
 *   No changes.

actioncable/CHANGELOG.md

@@ -3,6 +3,11 @@
 *   No changes.
 
 
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.5 (February 10, 2021) ##
 
 *   No changes.

actionmailer/CHANGELOG.md

@@ -24,6 +24,21 @@
 *   No changes.
 
 
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
+
+*   Prevent string polymorphic route arguments.
+
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
+
+    CVE-2021-22885
+
+    *Gannon McGibbon*
+
 ## Rails 5.2.4.5 (February 10, 2021) ##
 
 *   No changes.

actionpack/CHANGELOG.md

@@ -406,7 +406,7 @@ def opaque(secret_key)
     module Token
       TOKEN_KEY = "token="
       TOKEN_REGEX = /^(Token|Bearer)\s+/
-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
       extend self
 
       module ControllerMethods

actionpack/lib/action_controller/metal/http_authentication.rb

@@ -288,23 +288,27 @@ def handle_list(list)
 
             args = []
 
-            route = record_list.map { |parent|
+            route = record_list.map do |parent|
               case parent
-              when Symbol, String
+              when Symbol
                 parent.to_s
+              when String
+                raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
               when Class
                 args << parent
                 parent.model_name.singular_route_key
               else
                 args << parent.to_model
                 parent.to_model.model_name.singular_route_key
               end
-            }
+            end
 
             route <<
             case record
-            when Symbol, String
+            when Symbol
               record.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
             when Class
               @key_strategy.call record.model_name
             else

actionpack/lib/action_dispatch/routing/polymorphic_routes.rb

@@ -89,6 +89,16 @@ def authenticate_long_credentials
     assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
   end
 
+  test "authentication request with evil header" do
+    @request.env["HTTP_AUTHORIZATION"] = "Token ." + " " * (1024*80-8) + "."
+    Timeout.timeout(1) do
+      get :index
+    end
+
+    assert_response :unauthorized
+    assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
+  end
+
   test "successful authentication request with Bearer instead of Token" do
     @request.env["HTTP_AUTHORIZATION"] = "Bearer lifo"
     get :index

actionpack/test/controller/http_token_authentication_test.rb

@@ -108,6 +108,14 @@ def redirect_to_nil
     redirect_to nil
   end
 
+  def redirect_to_polymorphic
+    redirect_to [:internal, Workshop.new(5)]
+  end
+
+  def redirect_to_polymorphic_string_args
+    redirect_to ["internal", Workshop.new(5)]
+  end
+
   def redirect_to_params
     redirect_to ActionController::Parameters.new(status: 200, protocol: "javascript", f: "%0Aeval(name)")
   end
@@ -310,6 +318,43 @@ def test_redirect_to_record
     end
   end
 
+  def test_polymorphic_redirect
+    with_routing do |set|
+      set.draw do
+        namespace :internal do
+          resources :workshops
+        end
+
+        ActiveSupport::Deprecation.silence do
+          get ":controller/:action"
+        end
+      end
+
+      get :redirect_to_polymorphic
+      assert_equal "http://test.host/internal/workshops/5", redirect_to_url
+      assert_redirected_to [:internal, Workshop.new(5)]
+    end
+  end
+
+  def test_polymorphic_redirect_with_string_args
+    with_routing do |set|
+      set.draw do
+        namespace :internal do
+          resources :workshops
+        end
+
+        ActiveSupport::Deprecation.silence do
+          get ":controller/:action"
+        end
+      end
+
+      error = assert_raises(ArgumentError) do
+        get :redirect_to_polymorphic_string_args
+      end
+      assert_equal("Please use symbols for polymorphic route arguments.", error.message)
+    end
+  end
+
   def test_redirect_to_nil
     error = assert_raise(ActionController::ActionControllerError) do
       get :redirect_to_nil

actionpack/test/controller/redirect_test.rb

@@ -3,6 +3,11 @@
 *   No changes.
 
 
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.5 (February 10, 2021) ##
 
 *   No changes.

actionview/CHANGELOG.md

@@ -460,12 +460,6 @@ def test_with_array_containing_single_name
     end
   end
 
-  def test_with_array_containing_single_string_name
-    with_test_routes do
-      assert_url "http://example.com/projects", ["projects"]
-    end
-  end
-
   def test_with_array_containing_symbols
     with_test_routes do
       assert_url "http://example.com/series/new", [:new, :series]
@@ -620,6 +614,22 @@ def test_nested_routing_to_a_model_delegate
     end
   end
 
+  def test_string_route_arguments
+    with_admin_test_routes do
+      error = assert_raises(ArgumentError) do
+        polymorphic_url(["admin", @project])
+      end
+
+      assert_equal("Please use symbols for polymorphic route arguments.", error.message)
+
+      error = assert_raises(ArgumentError) do
+        polymorphic_url([@project, "bid"])
+      end
+
+      assert_equal("Please use symbols for polymorphic route arguments.", error.message)
+    end
+  end
+
   def with_namespaced_routes(name)
     with_routing do |set|
       set.draw do