Merge branch '7-1-sec' into 7-1-stable

* 7-1-sec:
  Preparing for 7.1.3.1 release
  update changelog
  fix XSS vulnerability when using translation
  Fix ReDoS in accept header scanning

Gemfile.lock

@@ -10,71 +10,71 @@ GIT
 PATH
   remote: .
   specs:
-    actioncable (7.1.3)
-      actionpack (= 7.1.3)
-      activesupport (= 7.1.3)
+    actioncable (7.1.3.1)
+      actionpack (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.3)
-      actionpack (= 7.1.3)
-      activejob (= 7.1.3)
-      activerecord (= 7.1.3)
-      activestorage (= 7.1.3)
-      activesupport (= 7.1.3)
+    actionmailbox (7.1.3.1)
+      actionpack (= 7.1.3.1)
+      activejob (= 7.1.3.1)
+      activerecord (= 7.1.3.1)
+      activestorage (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.1.3)
-      actionpack (= 7.1.3)
-      actionview (= 7.1.3)
-      activejob (= 7.1.3)
-      activesupport (= 7.1.3)
+    actionmailer (7.1.3.1)
+      actionpack (= 7.1.3.1)
+      actionview (= 7.1.3.1)
+      activejob (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.3)
-      actionview (= 7.1.3)
-      activesupport (= 7.1.3)
+    actionpack (7.1.3.1)
+      actionview (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       nokogiri (>= 1.8.5)
       racc
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3)
-      actionpack (= 7.1.3)
-      activerecord (= 7.1.3)
-      activestorage (= 7.1.3)
-      activesupport (= 7.1.3)
+    actiontext (7.1.3.1)
+      actionpack (= 7.1.3.1)
+      activerecord (= 7.1.3.1)
+      activestorage (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.3)
-      activesupport (= 7.1.3)
+    actionview (7.1.3.1)
+      activesupport (= 7.1.3.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.1.3)
-      activesupport (= 7.1.3)
+    activejob (7.1.3.1)
+      activesupport (= 7.1.3.1)
       globalid (>= 0.3.6)
-    activemodel (7.1.3)
-      activesupport (= 7.1.3)
-    activerecord (7.1.3)
-      activemodel (= 7.1.3)
-      activesupport (= 7.1.3)
+    activemodel (7.1.3.1)
+      activesupport (= 7.1.3.1)
+    activerecord (7.1.3.1)
+      activemodel (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       timeout (>= 0.4.0)
-    activestorage (7.1.3)
-      actionpack (= 7.1.3)
-      activejob (= 7.1.3)
-      activerecord (= 7.1.3)
-      activesupport (= 7.1.3)
+    activestorage (7.1.3.1)
+      actionpack (= 7.1.3.1)
+      activejob (= 7.1.3.1)
+      activerecord (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       marcel (~> 1.0)
-    activesupport (7.1.3)
+    activesupport (7.1.3.1)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
@@ -84,23 +84,23 @@ PATH
       minitest (>= 5.1, < 5.22.0)
       mutex_m
       tzinfo (~> 2.0)
-    rails (7.1.3)
-      actioncable (= 7.1.3)
-      actionmailbox (= 7.1.3)
-      actionmailer (= 7.1.3)
-      actionpack (= 7.1.3)
-      actiontext (= 7.1.3)
-      actionview (= 7.1.3)
-      activejob (= 7.1.3)
-      activemodel (= 7.1.3)
-      activerecord (= 7.1.3)
-      activestorage (= 7.1.3)
-      activesupport (= 7.1.3)
+    rails (7.1.3.1)
+      actioncable (= 7.1.3.1)
+      actionmailbox (= 7.1.3.1)
+      actionmailer (= 7.1.3.1)
+      actionpack (= 7.1.3.1)
+      actiontext (= 7.1.3.1)
+      actionview (= 7.1.3.1)
+      activejob (= 7.1.3.1)
+      activemodel (= 7.1.3.1)
+      activerecord (= 7.1.3.1)
+      activestorage (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       bundler (>= 1.15.0)
-      railties (= 7.1.3)
-    railties (7.1.3)
-      actionpack (= 7.1.3)
-      activesupport (= 7.1.3)
+      railties (= 7.1.3.1)
+    railties (7.1.3.1)
+      actionpack (= 7.1.3.1)
+      activesupport (= 7.1.3.1)
       irb
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -149,7 +149,7 @@ GEM
     bcrypt (3.1.18)
     beaneater (1.1.3)
     benchmark-ips (2.10.0)
-    bigdecimal (3.1.5)
+    bigdecimal (3.1.6)
     bindex (0.8.1)
     bootsnap (1.15.0)
       msgpack (~> 1.2)
@@ -338,7 +338,7 @@ GEM
     mysql2 (0.5.5)
     net-http-persistent (4.0.1)
       connection_pool (~> 2.2)
-    net-imap (0.4.9.1)
+    net-imap (0.4.10)
       date
       net-protocol
     net-pop (0.1.2)
@@ -551,7 +551,7 @@ GEM
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.6.12)
+    zeitwerk (2.6.13)
 
 PLATFORMS
   ruby

RAILS_VERSION

@@ -1 +1 @@
-7.1.3
+7.1.3.1

actioncable/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.1.3 (January 16, 2024) ##
 
 *   No changes.

actioncable/lib/action_cable/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 1
     TINY  = 3
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actioncable/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "7.1.3",
+  "version": "7.1.3-1",
   "description": "WebSocket framework for Ruby on Rails.",
   "module": "app/assets/javascripts/actioncable.esm.js",
   "main": "app/assets/javascripts/actioncable.js",

actionmailbox/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.1.3 (January 16, 2024) ##
 
 *   No changes.

actionmailbox/lib/action_mailbox/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 1
     TINY  = 3
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionmailer/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.1.3 (January 16, 2024) ##
 
 *   No changes.

actionmailer/lib/action_mailer/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 1
     TINY  = 3
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionpack/CHANGELOG.md

@@ -6,6 +6,16 @@
 
     *Jean Boussier*
 
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   Fix possible XSS vulnerability with the `translate` method in controllers
+
+    CVE-2024-26143
+
+*   Fix ReDoS in Accept header parsing
+
+    CVE-2024-26142
+
 ## Rails 7.1.3 (January 16, 2024) ##
 
 *   Fix including `Rails.application.routes.url_helpers` directly in an

actionpack/lib/abstract_controller/translation.rb

@@ -21,7 +21,25 @@ def translate(key, **options)
         key = "#{path}.#{action_name}#{key}"
       end
 
-      ActiveSupport::HtmlSafeTranslation.translate(key, **options)
+      if options[:default]
+        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+        options[:default] = options[:default].map do |value|
+          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+        end
+      end
+
+      if options[:raise].nil?
+        options[:default] = [] unless options[:default]
+        options[:default] << MISSING_TRANSLATION
+      end
+
+      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options)
+
+      if result == MISSING_TRANSLATION
+        +"translation missing: #{key}"
+      else
+        result
+      end
     end
     alias :t :translate
 
@@ -30,5 +48,9 @@ def localize(object, **options)
       I18n.localize(object, **options)
     end
     alias :l :localize
+
+    private
+      MISSING_TRANSLATION = -(2**60)
+      private_constant :MISSING_TRANSLATION
   end
 end

actionpack/lib/action_dispatch/http/mime_type.rb

@@ -154,7 +154,7 @@ class << self
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
       # all media-type parameters need to be before the q-parameter
       # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
-      PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
       ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
@@ -193,7 +193,7 @@ def register(string, symbol, mime_type_synonyms = [], extension_synonyms = [], s
       def parse(accept_header)
         if !accept_header.include?(",")
           if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
-            accept_header = accept_header[0, index]
+            accept_header = accept_header[0, index].strip
           end
           return [] if accept_header.blank?
           parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))

actionpack/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 1
     TINY  = 3
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actionpack/test/abstract/translation_test.rb

@@ -83,6 +83,22 @@ def test_default_translation
         end
       end
 
+      def test_default_translation_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t(".twoz", default: ["<tag>"])
+          assert_equal "&lt;tag&gt;", translation
+          assert_equal true, translation.html_safe?
+        end
+      end
+
+      def test_default_translation_with_raise_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
+          assert_equal "&lt;tag&gt;", translation
+          assert_equal true, translation.html_safe?
+        end
+      end
+
       def test_localize
         time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
         I18n.stub :localize, expected do
@@ -126,6 +142,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
           assert_equal true, translation.html_safe?
         end
       end
+
+      def test_translate_marks_translation_with_missing_html_key_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t("<tag>.html")
+          assert_equal "translation missing: <tag>.html", translation
+          assert_equal false, translation.html_safe?
+        end
+      end
+      def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
+        @controller.stub :action_name, :index do
+          translation = @controller.t(".<tag>.html")
+          assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
+          assert_equal false, translation.html_safe?
+        end
+      end
     end
   end
 end

actiontext/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.1.3 (January 16, 2024) ##
 
 *   No changes.

actiontext/lib/action_text/gem_version.rb

@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 7
     MINOR = 1
     TINY  = 3
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

actiontext/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "7.1.3",
+  "version": "7.1.3-1",
   "description": "Edit and display rich text in Rails applications",
   "module": "app/assets/javascripts/actiontext.esm.js",
   "main": "app/assets/javascripts/actiontext.js",