Merge branch '6-1-sec' into 6-1-stable

* 6-1-sec: Preparing for 6.1.4.7 release bumping version Added image trasnformation validation via configurable allow-list
rails · Mar 8, 2022 · b10c0ff · b10c0ff
2 parents 13cdd7a + 6607333
commit b10c0ff
Show file tree

Hide file tree

Showing 37 changed files with 604 additions and 71 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -30,83 +30,83 @@ GIT
 PATH
   remote: .
   specs:
-    actioncable (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actioncable (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activestorage (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionmailbox (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activestorage (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       mail (>= 2.7.1)
-    actionmailer (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      actionview (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionmailer (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      actionview (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.4.6)
-      actionview (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionpack (6.1.4.7)
+      actionview (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activestorage (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actiontext (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activestorage (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       nokogiri (>= 1.8.5)
-    actionview (6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionview (6.1.4.7)
+      activesupport (= 6.1.4.7)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.4.6)
-      activesupport (= 6.1.4.6)
+    activejob (6.1.4.7)
+      activesupport (= 6.1.4.7)
       globalid (>= 0.3.6)
-    activemodel (6.1.4.6)
-      activesupport (= 6.1.4.6)
-    activerecord (6.1.4.6)
-      activemodel (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
-    activestorage (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    activemodel (6.1.4.7)
+      activesupport (= 6.1.4.7)
+    activerecord (6.1.4.7)
+      activemodel (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
+    activestorage (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (6.1.4.6)
+    activesupport (6.1.4.7)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
-    rails (6.1.4.6)
-      actioncable (= 6.1.4.6)
-      actionmailbox (= 6.1.4.6)
-      actionmailer (= 6.1.4.6)
-      actionpack (= 6.1.4.6)
-      actiontext (= 6.1.4.6)
-      actionview (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activemodel (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activestorage (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    rails (6.1.4.7)
+      actioncable (= 6.1.4.7)
+      actionmailbox (= 6.1.4.7)
+      actionmailer (= 6.1.4.7)
+      actionpack (= 6.1.4.7)
+      actiontext (= 6.1.4.7)
+      actionview (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activemodel (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activestorage (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       bundler (>= 1.15.0)
-      railties (= 6.1.4.6)
+      railties (= 6.1.4.7)
       sprockets-rails (>= 2.0.0)
-    railties (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    railties (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)

diff --git a/RAILS_VERSION b/RAILS_VERSION
@@ -1 +1 @@
-6.1.4.6
+6.1.4.7
diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md
@@ -14,6 +14,11 @@
     *J Smith*
 
 
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/actioncable/lib/action_cable/gem_version.rb b/actioncable/lib/action_cable/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actioncable/package.json b/actioncable/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "6.1.4-6",
+  "version": "6.1.4-7",
   "description": "WebSocket framework for Ruby on Rails.",
   "main": "app/assets/javascripts/action_cable.js",
   "files": [

diff --git a/actionmailbox/CHANGELOG.md b/actionmailbox/CHANGELOG.md
@@ -11,6 +11,11 @@
     *David Jones*, *Dana Henke*
 
 
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/actionmailbox/lib/action_mailbox/gem_version.rb b/actionmailbox/lib/action_mailbox/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -24,6 +24,11 @@
     *Nikita Vyrko*
 
 
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actiontext/CHANGELOG.md b/actiontext/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/actiontext/lib/action_text/gem_version.rb b/actiontext/lib/action_text/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actiontext/package.json b/actiontext/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "6.1.4-6",
+  "version": "6.1.4-7",
   "description": "Edit and display rich text in Rails applications",
   "main": "app/javascript/actiontext/index.js",
   "files": [

diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
@@ -3,6 +3,11 @@
     *Nate Berkopec*
 
 
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionview/package.json b/actionview/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/ujs",
-  "version": "6.1.4-6",
+  "version": "6.1.4-7",
   "description": "Ruby on Rails unobtrusive scripting adapter",
   "main": "lib/assets/compiled/rails-ujs.js",
   "files": [

diff --git a/activejob/CHANGELOG.md b/activejob/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/activejob/lib/active_job/gem_version.rb b/activejob/lib/active_job/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
@@ -23,6 +23,11 @@
     *Benoit Daloze*
 
 
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/activemodel/lib/active_model/gem_version.rb b/activemodel/lib/active_model/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
@@ -59,6 +59,11 @@
 *   `ActiveRecord::Base.logger` is now a `class_attribute`.
 
 
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/activerecord/lib/active_record/gem_version.rb b/activerecord/lib/active_record/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 1
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md
@@ -5,6 +5,16 @@
     *Don Sisco*
 
 
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+
+    [CVE-2022-21831]
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.

diff --git a/activestorage/lib/active_storage.rb b/activestorage/lib/active_storage.rb
@@ -58,6 +58,9 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline,     default: []
 
+  mattr_accessor :supported_image_processing_methods, default: []
+  mattr_accessor :unsupported_image_processing_arguments
+
   mattr_accessor :service_urls_expire_in, default: 5.minutes
 
   mattr_accessor :routes_prefix, default: "/rails/active_storage"