All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.
Removed options from Rack::Builder.parse_file and Rack::Builder.load_file. (#1663, @ioquatix)
The hmac argument for Rack::Session::Cookie no longer accepts a class constant; it accepts only a digest name string recognized by OpenSSL (e.g. "SHA256") or a compatible digest instance (e.g. OpenSSL::Digest.new("SHA256")). (#1676, @bdewater)
Rack::HTTP_VERSION has been removed and the HTTP_VERSION env setting is no longer set in the CGI and WEBrick handlers. (#970, @jeremyevans)
Rack::Request#[] and #[]= now warn even in non-verbose mode. (#1277, @jeremyevans)
Decrease default allowed parameter recursion level from 100 to 32. (#1640, @jeremyevans)
Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. (#1603, @jeremyevans)
Rack::Utils.secure_compare uses OpenSSL's faster implementation if available. (#1711, @bdewater)
TempfileReaper now deletes temp files if application raises an exception. (#1679, @jeremyevans)
Fix using Rack::Session::Cookie with coder: Rack::Session::Cookie::Base64::{JSON,Zip}. (#1666, @jeremyevans)
Avoid NoMethodError when accessing Rack::Session::Cookie without requiring delegate first. (#1610, @onigra)
Handle cookies with values that end in '=' (#1645, @lukaso)
Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. (#1736, @muirdm)
Rack::Request#scheme returns ws or wss when one of the X-Forwarded-Scheme / X-Forwarded-Proto headers is set to ws or wss, respectively. (#1730, @erwanst)
Rack::Request::Env#initialize does not need to call super(). This was leftover from the creation of the Env module. Flatten the Env module into Request as it is unused outside. (#1751, @agrberg)
[2.2.3] - 2020-06-15
Security
[CVE-2020-8184] Do not allow a percent-encoded cookie name to override existing cookie names. BREAKING CHANGE: Accessing cookie names that require URL encoding by their decoded name no longer works. (@fletchto99)
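The CVE entry above, the "values that end in '='" fix (#1645), the hmac argument change (#1676) and the secure_compare change (#1711) together describe what a signed-cookie reader has to get right: split each pair on the first '=' only, decode the value but never the name, and compare the MAC in constant time. The block below is an added example, not Rack's code, that models each of those points and shows why decoding the name matters: a browser will not let an insecure origin set a cookie called __Host-sid, but it will happily send one called %5F%5FHost-sid, which a name-decoding parser turns into __Host-sid. The SignedCookie module, the `payload--tag` cookie layout and the constructed sample header are assumptions of the example.

```ruby
require 'openssl'
require 'uri'

# Added example, not Rack's code. Models the behaviour the changelog entries
# describe: split on the first '=' (#1645), decode only cookie values
# (CVE-2020-8184), accept a digest name or OpenSSL::Digest for the HMAC (#1676),
# and compare tags in constant time, preferring OpenSSL's implementation (#1711).
module SignedCookie
  module_function

  def unescape(s)
    URI.decode_www_form_component(s)
  rescue ArgumentError   # malformed %-sequence: keep the raw text rather than fail
    s
  end

  # Cookie header -> [[name, value], ...]; the value is split on the FIRST '='
  # only, so a value such as "abc==" survives intact.
  def pairs(header)
    header.split(/[;,]\s*/).filter_map do |pair|
      name, value = pair.split('=', 2)
      [name, value.to_s] unless name.nil? || name.empty?
    end
  end

  # Pre-fix behaviour: the name is decoded too, so "%5F%5FHost-sid" collapses
  # into "__Host-sid". First cookie with a given name wins (RFC 6265).
  def parse_vulnerable(header)
    pairs(header).each_with_object({}) { |(n, v), h| h[unescape(n)] ||= unescape(v) }
  end

  # Fixed behaviour: the name is kept verbatim; only the value is decoded.
  def parse(header)
    pairs(header).each_with_object({}) { |(n, v), h| h[n] ||= unescape(v) }
  end

  # Constant-time equality. Uses OpenSSL.fixed_length_secure_compare when the
  # installed openssl gem provides it, otherwise a pure-Ruby XOR accumulate.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    return OpenSSL.fixed_length_secure_compare(a, b) if OpenSSL.respond_to?(:fixed_length_secure_compare)
    left = a.unpack("C*")
    acc = 0
    idx = -1
    b.each_byte { |byte| acc |= byte ^ left[idx += 1] }
    acc.zero?
  end

  # `hmac` is a digest name ("SHA256") or an OpenSSL::Digest instance, the two
  # forms OpenSSL::HMAC itself accepts; a class constant is not one of them.
  def sign(secret, payload, hmac: "SHA256")
    OpenSSL::HMAC.hexdigest(hmac, secret, payload)
  end

  def verify(secret, payload, tag, hmac: "SHA256")
    secure_compare(sign(secret, payload, hmac: hmac), tag)
  end

  # Read "payload--tag" from the named cookie (layout assumed for this example)
  # and return the payload only if the tag verifies; nil if absent or forged.
  def session_payload(header, name, secret, hmac: "SHA256")
    raw = parse(header)[name]
    return nil unless raw
    payload, tag = raw.split('--', 2)
    return nil if tag.nil?
    verify(secret, payload, tag, hmac: hmac) ? payload : nil
  end
end
```

Note the breaking change the entry warns about: after the fix a cookie sent as %5F%5FHost-sid is only reachable under that literal name, so an application that relied on reading it as __Host-sid has to look it up by the encoded name instead.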
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/samvera-labs/chimera/network/alerts).
Bumps rack from 2.0.6 to 2.1.4.
Changelog
Sourced from rack's changelog.
... (truncated)
Commits
- 5280870 bump version
- a243510 When parsing cookies, only decode the values
- e7ba1b0 fix directory listing
- b9b8652 bump version
- 775c836 adding a test for directory traversal
- dddb7ad Use Dir.entries instead of Dir[glob] to prevent user-specified glob metachara...
- 16a51d8 Bump for 2.1.2 release
- 0a2c927 Update changelog in preparation for 2.1.2
- b50bc8b Fix multipart parser for special files #1308
- f9ef9a0 Fix `use` with kwargs