Need release to address rack update, XSS fix #190
kares added a commit that referenced this issue Jan 11, 2015
… fix see #190) more details at rack/rack@479fe8fecad0b33b88e6a9de01
kares added a commit that referenced this issue Jan 16, 2015
* 1.1-stable: (27 commits) update for next development snapshot prepare for 1.1.18 note that ErrorApp::ShowStatus is not public API + delay rack loading setup and integration spec with a Rails 4.1 stub make back-ported ShowStatus compatible and use it instead of Rack::ShowStatus back-port Rack::ShowStatus to be used with out ErrorApp (contains XSS fix see #190) missed Gemfile.lock for rack ~> 1.5.2 context-loader rackup script resolution should work also when rackup.path configured search config.ru on context-classloader if not found otherwise introduce a new layout where the whole application + gems are packed under WEB-INF/classes update to rack ~> 1.5.2 (for JRuby-Rack 1.1.x) [travis-ci] more JRuby 1.6.8 excludes + allow failures (still useful for spec regressions) do not care about "OpenSSL::Random requires the jruby-openssl gem" on 1.6.8 [travis-ci ] make sure 1.1 is kept backwards (JRuby 1.6.x) compatible fix compatibility for newly added (servlet-env) specs with all (supported) rack versions [travis-ci] fix jruby excludes (using explicit jruby-1.7.x version number now) use Rack::Utils.best_q_match in ErrorApp if available, also accepts_html? is private API re-arrange JRuby::Rack::ErrorApp internals even more compatibility with rack's parse_nested_query logic for "pure" servlet-env improved rack-compatibility for our "pure" servlet-env request env parsing impl ...
See #189 for a PR merged to update to a newer rack, which fixes an XSS issue in ShowError. jruby-rack enables ShowError by default, so we should get an updated release out for this ASAP.