This repository has been archived by the owner on Nov 6, 2020. It is now read-only.

[Security] Bump phoenix from 1.1.6 to 1.4.17 #114

Open: wants to merge 1 commit into master

dependabot-preview[bot]

Bumps phoenix from 1.1.6 to 1.4.17. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Elixir Advisory Database.

Arbitrary URL Redirect

The Phoenix team designed Phoenix.Controller.redirect/2 to protect against redirects allowing user input to redirect to an external URL where your application code otherwise assumes a local path redirect. This is why the :to option is used for “local” URL redirects and why you must pass the :external option to intentionally allow external URLs to be redirected to.

It has been disclosed that carefully crafted user input may be treated by some browsers as an external URL. An attacker can use this vulnerability to aid in social engineering attacks. The most common use would be to create highly believable phishing attacks.

For example, the following user input would pass local URL validation, but be treated by Chrome and Firefox as external URLs: http://localhost:4000/?redirect=/\nexample.com

Not all browsers are affected, but latest Chrome and Firefox will issue a get request for example.com and successfully redirect externally.

Patched versions: >= 1.3.0-rc.1; ~> 1.2.3; ~> 1.1.7; ~> 1.0.5
Unaffected versions: none
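The advisory above turns on a local-redirect check that only looks at the leading slash, which a browser can defeat because, per the WHATWG URL parsing rules, tab and newline characters are stripped from a URL before parsing and a backslash is treated as a forward slash in http(s) URLs, so a string that passes a "starts with a single /" test can resolve to a protocol-relative `//host/...` URL. The following is an added example in Python, not Phoenix's code and not the project's actual fix, contrasting such a naive check with a stricter validator a defender could apply before calling a redirect helper. The function names, the `browser_view` normalisation model and the sample inputs are constructed for illustration.

```python
"""Added example (not Phoenix's code): a naive local-redirect check beside a
stricter one that rejects the inputs the advisory describes."""
import re
from urllib.parse import urlsplit


def naive_is_local(target: str) -> bool:
    """The kind of check the advisory shows to be insufficient: accept anything
    beginning with a single '/', reject '//' (protocol-relative) and schemes."""
    return target.startswith("/") and not target.startswith("//")


# Characters a browser treats specially while parsing a URL: ASCII control
# characters (tab, CR, LF are removed before parsing), space, DEL and
# backslash (mapped to '/' in http/https URLs). Any of them can turn a
# "local" path into '//host/...' once the browser normalises it.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f\\]")

# The same characters in percent-encoded form (%09 tab, %0A LF, %0D CR,
# %5C backslash), in case the value is decoded again before use.
_FORBIDDEN_ENCODED = re.compile(r"%(0[9aAdD]|5[cC])")


def strict_is_local(target: str) -> bool:
    """Accept only a plain absolute path with no characters a browser could
    reinterpret as a scheme or authority separator."""
    if not target.startswith("/") or target.startswith("//"):
        return False
    if _FORBIDDEN.search(target) or _FORBIDDEN_ENCODED.search(target):
        return False
    # Belt and braces: the standard parser must see neither scheme nor host.
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def browser_view(target: str) -> str:
    """Simplified model (assumption) of how a browser normalises the string
    before resolving it: drop tab/CR/LF, then map backslash to slash."""
    cleaned = target.replace("\t", "").replace("\r", "").replace("\n", "")
    return cleaned.replace("\\", "/")


# Constructed inputs; the fourth is the literal the advisory quotes.
SAMPLES = [
    "/account/settings",
    "/\\example.com",       # backslash: browser resolves as //example.com
    "/\t/example.com",      # tab is stripped: //example.com
    "/\nexample.com",
    "//example.com",
    "https://example.com/",
]


def evaluate(samples=SAMPLES):
    """Return (input, naive verdict, strict verdict, browser's view) per sample."""
    return [(s, naive_is_local(s), strict_is_local(s), browser_view(s)) for s in samples]


if __name__ == "__main__":
    for s, naive, strict, seen in evaluate():
        print(f"{s!r:24} naive={naive!s:5} strict={strict!s:5} browser sees {seen!r}")
```

Run as a script, the table shows that the naive check accepts the backslash, tab and newline variants while the strict one rejects everything except the plain path; the stricter rule is deliberately conservative (it also refuses spaces), which is the right trade-off for a value that controls where the user is sent next.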

Release notes

Sourced from phoenix's releases.

v1.3.0-rc.0

For those interested in a detailed overview of the changes and design decisions, check out my LonestarElixir keynote that just went live: https://www.youtube.com/watch?v=tMO28ar0lW8

To use the new phx.new project generator, you can install the archive with the following command:

$ mix archive.install https://github.com/phoenixframework/archives/raw/master/phx_new.ez

As always, we have an upgrade guide with detailed instructions for migrating from 1.2.x projects: https://gist.github.com/chrismccord/71ab10d433c98b714b75c886eff17357

Full changelog:

1.3.0-rc.0 (2017-03-01)

  • Enhancements
    • [Generator] Add new phx.new, phx.new.web, phx.new.ecto project generators with improved application structure and support for umbrella applications
    • [Generator] Add new phx.gen.html and phx.gen.json resource generators with improved isolation of API boundaries
    • [Controller] Add current_path and current_url to generate a connection's path and url
    • [Controller] Introduce action_fallback to register a plug to call as a fallback to the controller action
    • [Controller] Wrap exceptions at controller to maintain connection state
    • [Channel] Add ability to configure channel event logging with :log_join and :log_handle_in options
    • [Channel] Warn on unhandled handle_info/2 messages
    • [Channel] Channels now distinguish between graceful exits and application restarts, allowing clients to enter error mode and reconnect after cold deploys.
    • [Router] document match support for matching on any http method with the special :* argument
    • [ConnTest] Add redirected_params/1 to return the named params matched in the router for the redirected URL
  • Deprecations
    • [Generator] All phoenix.* mix tasks have been deprecated in favor of new phx.* tasks
  • JavaScript client enhancements
    • Add ability to pass encode and decode functions to socket constructor for custom encoding and decoding of outgoing and incoming messages.
    • Detect heartbeat timeouts on client to handle ungraceful connection loss for faster socket error detection
    • Add support for AMD/RequireJS

v1.2.1

  • Enhancements
    • [Router] Improve errors for invalid route paths
... (truncated)
Changelog

Sourced from phoenix's changelog.

1.4.17 (2020-04-23)

Bug Fixes

  • [Endpoint] Ignore the root layout on error pages unless explicitly opted into

Enhancements

  • [Router] Accept a split path on route_info, in addition to string path

1.4.16 (2020-03-15)

Enhancements

  • [Router] Allow aliases and helpers to be disabled via scope
  • [Controller] Add root layout support with put_root_layout/2

Bug Fixes

  • [Router] Fix bug causing dialyzer warning

1.4.15 (2020-03-06)

Enhancements

  • [Router] Add :trailing_slash option to scope and match macros for trailing slash generation on Route helpers
  • [View] Add :trim_on_html_eex_engine configuration to enable/disable trim mode on the HTML EEx engine

Bug Fixes

  • [Controller] Fix plug guard escaping causing module attributes to be expanded too late

1.4.14 (2020-02-20)

Deprecations

  • [Token] The encrypt/5 and decrypt/5 API added in 1.4.11 accepted more parameters than necessary. The extra parameter has been deprecated

1.4.13 (2020-02-12)

Enhancements

  • [Router] support metadata on route_info
  • [Router] emit telemetry events on router dispatch failure, using [:phoenix, :router_dispatch, :failure]

1.4.12 (2020-01-22)

Enhancements

  • [Generator] Add --no-gettext flag to phx.new task
  • [Generator] Allow a custom migration module to be given to the migration generator
  • [Controller] Allow filename encoding to be disabled in send_download/3
  • [Channel] Allow using a keyword list/map for socket assigns
  • [Endpoint] Support Websocket subprotocols
  • [Endpoint] Allow cache manifest to be loaded from specified application
  • [Endpoint] Allow disabling logger via application configuration
  • [ConnTest] Allow passing a custom set of headers to copy when recycling a connection

Bug Fixes

... (truncated)
Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [phoenix](https://github.com/phoenixframework/phoenix) from 1.1.6 to 1.4.17. **This update includes a security fix.**
- [Release notes](https://github.com/phoenixframework/phoenix/releases)
- [Changelog](https://github.com/phoenixframework/phoenix/blob/v1.4.17/CHANGELOG.md)
- [Commits](phoenixframework/phoenix@v1.1.6...v1.4.17)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>