head 1.4;
access;
symbols
	pkgsrc-2026Q2:1.4.0.2
	pkgsrc-2026Q2-base:1.4
	pkgsrc-2026Q1:1.3.0.4
	pkgsrc-2026Q1-base:1.3
	pkgsrc-2025Q4:1.3.0.2
	pkgsrc-2025Q4-base:1.3
	pkgsrc-2025Q3:1.2.0.2
	pkgsrc-2025Q3-base:1.2
	pkgsrc-2025Q2:1.1.0.6
	pkgsrc-2025Q2-base:1.1
	pkgsrc-2025Q1:1.1.0.4
	pkgsrc-2025Q1-base:1.1
	pkgsrc-2024Q4:1.1.0.2
	pkgsrc-2024Q4-base:1.1;
locks; strict;
comment @# @;


1.4
date 2026.03.29.14.07.38; author taca; state Exp;
branches;
next 1.3;
commitid 7MD3YzIuBQozqSzG;

1.3
date 2025.11.03.08.40.03; author taca; state Exp;
branches 1.3.4.1;
next 1.2;
commitid Bg437QUqu66cj5hG;

1.2
date 2025.08.14.15.22.46; author taca; state Exp;
branches;
next 1.1;
commitid EsnJg8uLp28F8I6G;

1.1
date 2024.12.13.16.51.04; author taca; state Exp;
branches;
next ;
commitid YQBdeR0JkxAktmBF;

1.3.4.1
date 2026.03.31.13.31.42; author maya; state Exp;
branches;
next ;
commitid iqK8mCnuD32ja8AG;


desc
@@


1.4
log
@www/ruby-rails72: update to 7.2.3.1

Ruby on Rails 7.2.3.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid
  HTML. [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size
  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.
  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.
  DiskService#path_for now raises an InvalidKeyError when passed keys with
  dot segments (".", ".."), or if the resolved path is outside the storage
  root directory.
  #path_for also now consistently raises InvalidKeyError if the key is
  invalid in any way, for example containing null bytes or having an
  incompatible encoding. Previously, the exception raised may have been
  ArgumentError or Encoding::CompatibilityError.
  DiskController now explicitly rescues InvalidKeyError with appropriate
  HTTP status codes.
  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.
  Escape glob metacharacters in the resolved path before passing to
  Dir.glob.
  Note that this change breaks any existing code that is relying on
  delete_prefixed to expand glob metacharacters. This change presumes that
  is unintended behavior (as other storage services do not respect these
  metacharacters).
  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.
@
text
@$NetBSD: distinfo,v 1.3 2025/11/03 08:40:03 taca Exp $

BLAKE2s (actionpack-7.2.3.1.gem) = a24f815e83f90bdebdf9820498ae74dd55ebd94698773031edb13f1c9e8b829e
SHA512 (actionpack-7.2.3.1.gem) = c3e7131b1a4e39b81a19459bdb93bb019e6c83a1faf730c140c58ab9a6ddfca67a8f1c95366c12d0cef6dc148e49e1268350d14bd3a0c2a0bbd6d5b7500f66e3
Size (actionpack-7.2.3.1.gem) = 244224 bytes
@


1.3
log
@www/ruby-actionpack72: update to 7.2.3

7.2.3 (2025-10-28)

* Submit test requests using as: :html with
  Content-Type: x-www-form-urlencoded
  Sean Doyle

* Address rack 3.2 deprecation warnings.
  warning: Status code :unprocessable_entity is deprecated and will be removed in a future version of Rack. Please use :unprocessable_content instead.
  Rails API will transparently convert one into the other for the
  foreseeable future.
  Earlopain, Jean Boussier

* Always return empty body for HEAD requests in PublicExceptions and
  DebugExceptions. This is required by Rack::Lint (per RFC9110).
  Hartley McGuire

* Fix url_for to handle :path_params gracefully when it's not a Hash.
  Prevents various security scanners from causing exceptions.
  Martin Emde

* Fix ActionDispatch::Executor to unwrap exceptions like other error
  reporting middlewares.
  Jean Boussier

* Fix NoMethodError when a non-string CSRF token is passed through headers.
  Ryan Heneise

* Fix invalid response when rescuing
  ActionController::Redirecting::UnsafeRedirectError in a controller.
  Alex Ghiculescu
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.2 2025/08/14 15:22:46 taca Exp $ d3 3 a5 3 BLAKE2s (actionpack-7.2.3.gem) = 27e03aa2fc3d2100bad41aab42350f4e8be0f68460f09d696d7b2d4fdc21e8b7 SHA512 (actionpack-7.2.3.gem) = 159182a3a7498a13610d911eea91fb541c0dbf7d0a8aacd1de29e7c2978e2d69f825ab0c147cffa11aea9cba4311fc7a695363649138ee025699c2977c599b70 Size (actionpack-7.2.3.gem) = 244224 bytes @


1.3.4.1
log
@Pullup ticket #7061 - requested by taca
databases/ruby-activerecord72: Security fix
devel/ruby-activejob72: Security fix
devel/ruby-activemodel72: Security fix
devel/ruby-activestorage72: Security fix
devel/ruby-activesupport72: Security fix
devel/ruby-activesupport72: Security fix
devel/ruby-railties72: Security fix
devel/ruby-railties72: Security fix
lang/ruby: Security fix
mail/ruby-actionmailbox72: Security fix
mail/ruby-actionmailer72: Security fix
textproc/ruby-actiontext72: Security fix
www/ruby-actioncable72: Security fix
www/ruby-actionpack72: Security fix
www/ruby-actionpack72: Security fix
www/ruby-actionview72: Security fix
www/ruby-rails72: Security fix

Revisions pulled up:
- databases/ruby-activerecord72/distinfo 1.4
- devel/ruby-activejob72/distinfo 1.4
- devel/ruby-activemodel72/distinfo 1.4
- devel/ruby-activestorage72/distinfo 1.4
- devel/ruby-activesupport72/Makefile 1.4
- devel/ruby-activesupport72/distinfo 1.4
- devel/ruby-railties72/Makefile 1.5
- devel/ruby-railties72/distinfo 1.4
- lang/ruby/rails.mk 1.188
- mail/ruby-actionmailbox72/distinfo 1.4
- mail/ruby-actionmailer72/distinfo 1.4
- textproc/ruby-actiontext72/distinfo 1.4
- www/ruby-actioncable72/distinfo 1.4
- www/ruby-actionpack72/Makefile 1.3
- www/ruby-actionpack72/distinfo 1.4
- www/ruby-actionview72/distinfo 1.4
- www/ruby-rails72/distinfo 1.4

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:07:39 UTC 2026

Modified Files:
	pkgsrc/databases/ruby-activerecord72: distinfo
	pkgsrc/devel/ruby-activejob72: distinfo
	pkgsrc/devel/ruby-activemodel72: distinfo
	pkgsrc/devel/ruby-activestorage72: distinfo
	pkgsrc/devel/ruby-activesupport72: Makefile distinfo
	pkgsrc/devel/ruby-railties72: Makefile distinfo
	pkgsrc/mail/ruby-actionmailbox72: distinfo
	pkgsrc/mail/ruby-actionmailer72: distinfo
	pkgsrc/textproc/ruby-actiontext72: distinfo
	pkgsrc/www/ruby-actioncable72: distinfo
	pkgsrc/www/ruby-actionpack72: Makefile distinfo
	pkgsrc/www/ruby-actionview72: distinfo
	pkgsrc/www/ruby-rails72: distinfo

Log Message:
www/ruby-rails72: update to 7.2.3.1

Ruby on Rails 7.2.3.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid
  HTML. [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size
  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.
  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.
  DiskService#path_for now raises an InvalidKeyError when passed keys with
  dot segments (".", ".."), or if the resolved path is outside the storage
  root directory.
  #path_for also now consistently raises InvalidKeyError if the key is
  invalid in any way, for example containing null bytes or having an
  incompatible encoding. Previously, the exception raised may have been
  ArgumentError or Encoding::CompatibilityError.
  DiskController now explicitly rescues InvalidKeyError with appropriate
  HTTP status codes.
  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.
  Escape glob metacharacters in the resolved path before passing to
  Dir.glob.
  Note that this change breaks any existing code that is relying on
  delete_prefixed to expand glob metacharacters. This change presumes that
  is unintended behavior (as other storage services do not respect these
  metacharacters).
  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:26:36 UTC 2026

Modified Files:
	pkgsrc/lang/ruby: rails.mk

Log Message:
lang/ruby: update rails to 7.2.3.1

Make sure to update rails72 to 7.2.3.1.
@
text
@d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (actionpack-7.2.3.1.gem) = a24f815e83f90bdebdf9820498ae74dd55ebd94698773031edb13f1c9e8b829e SHA512 (actionpack-7.2.3.1.gem) = c3e7131b1a4e39b81a19459bdb93bb019e6c83a1faf730c140c58ab9a6ddfca67a8f1c95366c12d0cef6dc148e49e1268350d14bd3a0c2a0bbd6d5b7500f66e3 Size (actionpack-7.2.3.1.gem) = 244224 bytes @


1.2
log
@www/ruby-rails72: update to 7.2.2.2

Ruby on Rails 7.2.2.2 (2025-08-13)

Active Record

* Call inspect on ids in RecordNotFound error [CVE-2025-55193]
  Gannon McGibbon, John Hawthorn

Active Storage

* Remove dangerous transformations [CVE-2025-24293]
  Zack Deveau
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.1 2024/12/13 16:51:04 taca Exp $ d3 3 a5 3 BLAKE2s (actionpack-7.2.2.2.gem) = c4bd043e61e9affa9ba70ef73b47314a61054d0a9f4b6ef77bcb2a19a75601f2 SHA512 (actionpack-7.2.2.2.gem) = d5da56cf7458f59311311f233a010d72cf63ad2438e72fda982451655ed33d298f56365824d008f9e50e1794eec61ed78dd2abfdf527a8721a60e12b7b6be1de Size (actionpack-7.2.2.2.gem) = 243200 bytes @


1.1
log
@www/ruby-actionpack72: add package version 7.2.2.1

Action Pack -- From request to response

Action Pack is a framework for handling and responding to web requests. It
provides mechanisms for *routing* (mapping request URLs to actions),
defining *controllers* that implement actions, and generating responses.
In short, Action Pack provides the controller layer in the MVC paradigm.

It consists of several modules:

* Action Dispatch, which parses information about the web request, handles
  routing as defined by the user, and does advanced processing related to
  HTTP such as MIME-type negotiation, decoding parameters in POST, PATCH,
  or PUT bodies, handling HTTP caching logic, cookies and sessions.

* Action Controller, which provides a base controller class that can be
  subclassed to implement filters and actions to handle requests. The
  result of an action is typically content generated from views.

With the Ruby on Rails framework, users only directly interface with the
Action Controller module. Necessary Action Dispatch functionality is
activated by default and Action View rendering is implicitly triggered by
Action Controller. However, these modules are designed to function on
their own and can be used outside of Rails.
@
text
@d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (actionpack-7.2.2.1.gem) = c5591b99310c48a11fff82818a51c12b4af4df536913de3f127751993d0512b9 SHA512 (actionpack-7.2.2.1.gem) = 3ecb6b80caaa813b9932f14410353f0637b15de9678cc6c83a13a5a210affeaaa0322e409c4b95f572e875ebe9128016eb61df908b18db94ea81021381604376 Size (actionpack-7.2.2.1.gem) = 243200 bytes @