codeformuenster / buergerbuero

http://buergerbuero.codeformuenster.org/latest
1 stars 0 forks source link

Bump mechanize from 2.7.4 to 2.7.7 #35

Open dependabot[bot] opened 3 years ago

dependabot[bot] commented 3 years ago

Bumps mechanize from 2.7.4 to 2.7.7.

Release notes

Sourced from mechanize's releases.

2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
  • Bug fix

    • Ignore input fields with blank names (#542, #536)
Changelog

Sourced from mechanize's changelog.

=== 2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
  • Bug fix

    • Ignore input fields with blank names (#542, #536)

=== 2.7.6

  • New Features

    • Mechanize#set_proxy accepts an HTTP URL/URI. (#513)
  • Bug fix

    • Fix element(s)_with(search: selector) methods not working for forms, form fields and frames. (#444)
    • Improve the filename parser for the Content-Disposition header. (#496, #517)
    • Accept Content-Encoding: identity. (#515)
    • Mechanize::Page#title no longer picks a title in an embeded SVG/RDF element. (#503)
    • Make Mechanize::Form#has_field? boolean. (#501)

=== 2.7.5

  • New Features

    • All 4xx responses and RedirectLimitReachedError when fetching robots.txt are treated as full allow just like Googlebot does.
    • Enable support for mime-types > 3.
  • Bug fix

    • Don't cause infinite loop when GET /robots.txt redirects. (#457)
    • Fix basic authentication for a realm that contains uppercase characters. (#458, #459)
    • Fix encoding error when uploading a file which name is non-ASCII. (#333)
Commits
  • 3044b4e version bump to v2.7.7
  • df36360 changelog: note assigned CVE in the recent security fix description
  • 66a6a1b Merge pull request #548 from kyoshidajp/fix_command_injection
  • e238b07 changelog: note the patched command injection vulnerabilities
  • 5b30aed test: remove rubocop security warnings from TestCase
  • 63f8779 fix(security): prevent command injection in FileResponse#read_body
  • b48b12f fix(security): prevent command injection in Mechanize::File#save!
  • f43a395 fix(security): prevent command injection in Download#save!
  • 2ac906b fix(security): prevent command injection in Mechanize#download
  • aae0b13 fix(security): prevent command injection in CookieJar
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/codeformuenster/buergerbuero/network/alerts).