bratta / googlevoiceapi

A Ruby gem for interacting with Google Voice
http://github.com/bratta/googlevoiceapi
GNU General Public License v3.0

Bump mechanize from 2.0.1 to 2.7.7 #11

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 3 years ago

Bumps mechanize from 2.0.1 to 2.7.7.

Release notes

Sourced from mechanize's releases.

2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
  • Bug fix

    • Ignore input fields with blank names (#542, #536)

Changelog

Sourced from mechanize's changelog.

=== 2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
  • Bug fix

    • Ignore input fields with blank names (#542, #536)

=== 2.7.6

  • New Features

    • Mechanize#set_proxy accepts an HTTP URL/URI. (#513)
  • Bug fix

    • Fix element(s)_with(search: selector) methods not working for forms, form fields and frames. (#444)
    • Improve the filename parser for the Content-Disposition header. (#496, #517)
    • Accept Content-Encoding: identity. (#515)
    • Mechanize::Page#title no longer picks a title in an embedded SVG/RDF element. (#503)
    • Make Mechanize::Form#has_field? boolean. (#501)

=== 2.7.5

  • New Features

    • All 4xx responses and RedirectLimitReachedError when fetching robots.txt are treated as full allow just like Googlebot does.
    • Enable support for mime-types > 3.
  • Bug fix

    • Don't cause infinite loop when GET /robots.txt redirects. (#457)
    • Fix basic authentication for a realm that contains uppercase characters. (#458, #459)
    • Fix encoding error when uploading a file whose name is non-ASCII. (#333)

... (truncated)

Commits
  • 3044b4e version bump to v2.7.7
  • df36360 changelog: note assigned CVE in the recent security fix description
  • 66a6a1b Merge pull request #548 from kyoshidajp/fix_command_injection
  • e238b07 changelog: note the patched command injection vulnerabilities
  • 5b30aed test: remove rubocop security warnings from TestCase
  • 63f8779 fix(security): prevent command injection in FileResponse#read_body
  • b48b12f fix(security): prevent command injection in Mechanize::File#save!
  • f43a395 fix(security): prevent command injection in Download#save!
  • 2ac906b fix(security): prevent command injection in Mechanize#download
  • aae0b13 fix(security): prevent command injection in CookieJar
  • Additional commits viewable in compare view


dependabot[bot] commented 2 years ago

Superseded by #17.
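
Added example, not part of this pull request or of mechanize's own code: a check for whether a `Gemfile.lock` still resolves mechanize inside the range the CVE-2021-21289 advisory gives, plus an interim filename guard for code that passes untrusted names to the listed calls. The helper names (`locked_mechanize`, `affected?`, `safe_local_path`), the sample lockfile and the `/tmp/jar` directory are assumptions made for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Affected range exactly as the advisory text states it.
AFFECTED = Gem::Requirement.new(">= 2.0", "< 2.7.7")

# Constructed Gemfile.lock fragment pinned to the version this PR bumps from.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mechanize (2.0.1)
        nokogiri (~> 1.4)
LOCK

# Locked mechanize version from Gemfile.lock text, or nil if it is not locked.
def locked_mechanize(lock_text)
  m = lock_text.match(/^ {4}mechanize \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True when the lockfile resolves mechanize inside the affected range.
def affected?(lock_text)
  version = locked_mechanize(lock_text)
  !version.nil? && AFFECTED.satisfied_by?(version)
end

# Interim guard for callers still on an affected version: reduce an untrusted
# name to a plain basename under an absolute directory before it reaches
# CookieJar#load, Download#save and the other listed calls. Kernel#open runs a
# command when its argument begins with "|"; the allowlist rejects that, and
# the absolute prefix means the final path can never begin with it.
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

def safe_local_path(untrusted, base_dir)
  raw = untrusted.to_s
  raise ArgumentError, "unsafe filename: #{raw.inspect}" if raw.include?("\0")
  name = File.basename(raw)
  raise ArgumentError, "unsafe filename: #{raw.inspect}" unless name.match?(SAFE_NAME)
  File.join(File.expand_path(base_dir), name)
end

if __FILE__ == $PROGRAM_NAME
  puts "mechanize #{locked_mechanize(SAMPLE_LOCK)} affected: #{affected?(SAMPLE_LOCK)}"
  puts safe_local_path("../../cookies.yml", "/tmp/jar")
end
```

The guard is a stopgap for code that cannot upgrade yet; moving to 2.7.7 or later is what removes the implicit `Kernel.open` calls.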