Merge branch '7-0-sec' into 7-0-stable

* 7-0-sec:
  Preparing for 7.0.8.1 release
  update changelog
  fix XSS vulnerability when using translation
  Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

RAILS_VERSION

@@ -1 +1 @@
-7.0.8
+7.0.8.1

actioncable/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   No changes.

actioncable/lib/action_cable/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actioncable/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "7.0.8",
+  "version": "7.0.8-1",
   "description": "WebSocket framework for Ruby on Rails.",
   "module": "app/assets/javascripts/actioncable.esm.js",
   "main": "app/assets/javascripts/actioncable.js",

actionmailbox/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   No changes.

actionmailbox/lib/action_mailbox/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionmailer/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   No changes.

actionmailer/lib/action_mailer/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionpack/CHANGELOG.md

@@ -11,6 +11,12 @@
     *Hartley McGuire*
 
 
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   Fix possible XSS vulnerability with the `translate` method in controllers
+
+    CVE-2024-26143
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   Fix `HostAuthorization` potentially displaying the value of the

actionpack/lib/abstract_controller/translation.rb

@@ -25,7 +25,25 @@ def translate(key, **options)
 
       i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
 
-      ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+      if options[:default]
+        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+        options[:default] = options[:default].map do |value|
+          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+        end
+      end
+
+      unless i18n_raise
+        options[:default] = [] unless options[:default]
+        options[:default] << MISSING_TRANSLATION
+      end
+
+      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+
+      if result == MISSING_TRANSLATION
+        +"translation missing: #{key}"
+      else
+        result
+      end
     end
     alias :t :translate
 
@@ -34,5 +52,9 @@ def localize(object, **options)
       I18n.localize(object, **options)
     end
     alias :l :localize
+
+    private
+      MISSING_TRANSLATION = -(2**60)
+      private_constant :MISSING_TRANSLATION
   end
 end

actionpack/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionpack/test/abstract/translation_test.rb

@@ -93,6 +93,22 @@ def test_default_translation
         end
       end
 
+      def test_default_translation_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t(".twoz", default: ["<tag>"])
+          assert_equal "&lt;tag&gt;", translation
+          assert_equal true, translation.html_safe?
+        end
+      end
+
+      def test_default_translation_with_raise_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
+          assert_equal "&lt;tag&gt;", translation
+          assert_equal true, translation.html_safe?
+        end
+      end
+
       def test_localize
         time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
         I18n.stub :localize, expected do
@@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
           assert_equal true, translation.html_safe?
         end
       end
+
+      def test_translate_marks_translation_with_missing_html_key_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t("<tag>.html")
+          assert_equal "translation missing: <tag>.html", translation
+          assert_equal false, translation.html_safe?
+        end
+      end
+      def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t(".<tag>.html")
+          assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
+          assert_equal false, translation.html_safe?
+        end
+      end
     end
   end
 end

actiontext/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   No changes.

actiontext/lib/action_text/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actiontext/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "7.0.8",
+  "version": "7.0.8-1",
   "description": "Edit and display rich text in Rails applications",
   "main": "app/assets/javascripts/actiontext.js",
   "type": "module",

actionview/CHANGELOG.md

@@ -3,6 +3,11 @@
     *Earlopain*
 
 
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   Fix `form_for` missing the hidden `_method` input for models with a

actionview/lib/action_view/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionview/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/ujs",
-  "version": "7.0.8",
+  "version": "7.0.8-1",
   "description": "Ruby on Rails unobtrusive scripting adapter",
   "main": "lib/assets/compiled/rails-ujs.js",
   "files": [

activejob/CHANGELOG.md

@@ -3,6 +3,11 @@
     *Joshua Young*
 
 
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   Fix Active Job log message to correctly report a job failed to enqueue

activejob/lib/active_job/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

activemodel/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   No changes.

activemodel/lib/active_model/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

activerecord/CHANGELOG.md

@@ -65,6 +65,11 @@
     *Felix Tscheulin*
 
 
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   Fix `change_column` not setting `precision: 6` on `datetime` columns when

activerecord/lib/active_record/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

activestorage/CHANGELOG.md

@@ -25,6 +25,16 @@
 
     *Russell Porter*
 
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   Disables the session in `ActiveStorage::Blobs::ProxyController`
+    and `ActiveStorage::Representations::ProxyController`
+    in order to allow caching by default in some CDNs as CloudFlare
+
+    Fixes #44136
+
+    *Bruno Prieto*
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   No changes.

activestorage/app/controllers/active_storage/blobs/proxy_controller.rb

@@ -9,6 +9,7 @@
 class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
   include ActiveStorage::Streaming
+  include ActiveStorage::DisableSession
 
   def show
     if request.headers["Range"].present?

activestorage/app/controllers/active_storage/representations/proxy_controller.rb

@@ -8,6 +8,7 @@
 # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
 class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
   include ActiveStorage::Streaming
+  include ActiveStorage::DisableSession
 
   def show
     http_cache_forever public: true do

activestorage/app/controllers/concerns/active_storage/disable_session.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
+module ActiveStorage::DisableSession
+  extend ActiveSupport::Concern
+
+  included do
+    before_action do
+      request.session_options[:skip] = true
+    end
+  end
+end

activestorage/lib/active_storage/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

activestorage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/activestorage",
-  "version": "7.0.8",
+  "version": "7.0.8-1",
   "description": "Attach cloud and local files in Rails applications",
   "module": "app/assets/javascripts/activestorage.esm.js",
   "main": "app/assets/javascripts/activestorage.js",

activesupport/CHANGELOG.md

@@ -44,6 +44,11 @@
 
     *Nobuyoshi Nakada*, *Shouichi Kamiya*, *Hartley McGuire*
 
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   Fix `TimeWithZone` still using deprecated `#to_s` when `ENV` or `config` to

activesupport/lib/active_support/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

guides/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   No changes.

railties/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.0.8.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.0.8 (September 09, 2023) ##
 
 *   Omit `webdrivers` gem dependency from `Gemfile` template

railties/lib/rails/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end