Skip to content

@jdleesmiller jdleesmiller released this Sep 25, 2019 · 23 commits to master since this release

Security

  • Default the validate_entry_sizes option to true, so that callers can trust an entry's reported size when using extract #403
    • This option defaulted to false in 1.3.0 for backward compatibility, but it now defaults to true. If you are using an older version of ruby and can't yet upgrade to 2.x, you can still use 1.3.0 and set the option to true.

Tooling / Documentation

  • Remove test files from the gem to avoid problems with antivirus detections on the test files #405 / #384
  • Drop support for unsupported ruby versions #406
Assets 2

@jdleesmiller jdleesmiller released this Sep 25, 2019 · 29 commits to master since this release

Security

  • Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403
    • This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

  • Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

  • Add more gem metadata links #402
Assets 2

@jdleesmiller jdleesmiller released this Sep 6, 2019 · 41 commits to master since this release

  • Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

  • Update example_recursive.rb in README #397
  • Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399
Assets 2

@jdleesmiller jdleesmiller released this May 23, 2019 · 58 commits to master since this release

  • Allow tilde in zip entry names #391 (fixes regression in 1.2.2 from #376)
  • Support frozen string literals in more files #390
  • Require pathname explicitly #388 (fixes regression in 1.2.2 from #376)

Tooling / Documentation:

  • CI updates #392, #394
    • Bump supported ruby versions and add 2.6
    • JRuby failures are no longer ignored (reverts #375 / part of #371)
  • Add changelog entry that was missing for last release #387
  • Comment cleanup #385

Since the GitHub release information for 1.2.2 is missing, I will also include it here:

1.2.2

NB: This release drops support for extracting symlinks, because there was no clear way to support this securely. See #376 (comment) for details.

  • Fix CVE-2018-1000544 #376 / #371
  • Fix NoMethodError: undefined method `glob' #363
  • Fix handling of stored files (i.e. files not using compression) with general purpose bit 3 set #358
  • Fix close on StringIO-backed zip file #353
  • Add Zip.force_entry_names_encoding option #340
  • Update rubocop, apply auto-fixes, and fix regressions caused by said auto-fixes #332, #355
  • Save temporary files to temporary directory (rather than current directory) #325

Tooling / Documentation:

Assets 2
Aug 31, 2018
Version 1.2.2

@simonoff simonoff released this Feb 8, 2017 · 135 commits to master since this release

  • Add accessor to @internal_file_attributes #304
  • Extended globbing #303
  • README updates #283, #289
  • Cleanup after tests #298, #306
  • Fix permissions on new zip files #294, #300
  • Fix examples #297
  • Support cp932 encoding #308
  • Fix Directory traversal vulnerability #315
  • Allow open_buffer to work without a given block #314
Assets 2

@simonoff simonoff released this Feb 19, 2016 · 186 commits to master since this release

  • Don't enable JRuby objectspace #252
  • Fixes an exception thrown when decoding some weird .zip files #248
  • Use duck typing with IO methods #244
  • Added error for empty (zero bit) zip file #242
  • Accept StringIO in Zip.open_buffer #238
  • Do something more expected with new file permissions #237
  • Case insensitivity option for #find_entry #222
  • Fixes in documentation and examples
Assets 2
Feb 2, 2015
Version 1.1.7
Jul 2, 2014
Version 1.1.6
Jul 2, 2014
Version 1.1.5
You can’t perform that action at this time.