Closed cheister closed 9 years ago
I should also note our current work around/fix for the XSS vulnerability in the default ErrorApp is to add this to our web.xml
<context-param>
<param-name>jruby.rack.error.app</param-name>
<param-value>require 'jruby/rack/error_app'; run JRuby::Rack::ErrorApp.new</param-value>
</context-param>
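A custom error app of the kind the context-param above can point at, added here as an illustration (it is not jruby-rack's ErrorApp or Rack's ShowStatus): every request-derived value is HTML-escaped before it is embedded in the page. The 'jruby.rack.error.status' key is an assumption made only for this example.

```ruby
require 'cgi'

# Rack-compatible error app that escapes every value it reflects into HTML.
# Constructed example: not jruby-rack's own ErrorApp and not Rack::ShowStatus.
class EscapingErrorApp
  STATUS_TEXT = { 404 => 'Not Found', 500 => 'Internal Server Error' }.freeze

  # The status comes from 'jruby.rack.error.status' (a hypothetical key used
  # only by this example); anything unknown is reported as a 500.
  def call(env)
    requested = env['jruby.rack.error.status']
    status = STATUS_TEXT.key?(requested) ? requested : 500
    [status, { 'Content-Type' => 'text/html; charset=utf-8' }, [render(status, env)]]
  end

  def render(status, env)
    h = ->(value) { CGI.escapeHTML(value.to_s) } # escapes <, >, &, " and '
    detail = env['rack.showstatus.detail']        # key Rack::ShowStatus also reads
    <<~HTML
      <!DOCTYPE html>
      <html><head><title>#{status} #{h[STATUS_TEXT[status]]}</title></head>
      <body>
        <h1>#{status} #{h[STATUS_TEXT[status]]}</h1>
        <p>Request path: <code>#{h[env['PATH_INFO']]}</code></p>
        #{detail ? "<p>#{h[detail]}</p>" : ''}
      </body></html>
    HTML
  end
end

# Constructed request whose path and detail carry markup, as browser-supplied
# values can; returns the [status, headers, body] triple the app produces.
def sample_response
  env = {
    'PATH_INFO' => '/<script>alert(1)</script>',
    'jruby.rack.error.status' => 404,
    'rack.showstatus.detail' => 'No route matches "<b>x</b>"'
  }
  EscapingErrorApp.new.call(env)
end
```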
we're far from supporting 1.6.0 fully ... our passing tests do not cover Rack's new features. the packed rack is just there as a fallback, it usually never gets used since gem rack is declared in the Gemfile ... what would be more useful is to know (and backport) the XSS details. thanks for the report!
1.1.18 has been released (note that this merge is NOT in the release and rack 1.5.2 is vendor bundled for now), addressing the issue with a back-ported ShowStatus for our ErrorApp
... 1.6.x, while it should be working, will require some more review work before we're fully confident about it. thanks again!
There have been a lot of changes to rack between 1.5.2 and 1.6.0 but all of the specs pass at least.
The main fix I'm interested in is the XSS vulnerability in the default error app that uses Rack::ShowStatus. The fixed issue is here