2.7.7 / 2021-02-01
- Security fixes for CVE-2021-21289

  Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's `Kernel.open` method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

  - `Mechanize::CookieJar#load`: since v2.0 (see 208e3ed)
  - `Mechanize::CookieJar#save_as`: since v2.0 (see 5b776a4)
  - `Mechanize#download`: since v2.2 (see dc91667)
  - `Mechanize::Download#save` and `#save!`: since v2.1 (see 98b2f51, bd62ff0)
  - `Mechanize::File#save` and `#save_as`: since v2.1 (see 2bf7519)
  - `Mechanize::FileResponse#read_body`: since v2.0 (see 01039f5)

  See GHSA-qrqm-fpv6-6r8g for more information. Also see #547, #548. Thank you, @kyoshidajp!
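The root cause above, as an added example that is not Mechanize's own code: a save helper written with bare `open` (which is `Kernel#open`, and so may spawn a process for a pipe-style name) beside one written with `File.open` plus an explicit guard. The helper names `save_body_unsafe`, `save_body` and `try_save` are hypothetical.

```ruby
# Added example (not Mechanize's own code). Ruby's Kernel#open treats a
# filename that starts with "|" as a command to run rather than a file to
# open, so any helper that passes caller-supplied names to bare `open`
# inherits that behaviour. File.open only ever opens files.

require 'tempfile'

# Vulnerable pattern: bare `open` resolves to Kernel#open. Never use it on
# untrusted filenames. Shown for contrast only; nothing below calls it.
def save_body_unsafe(filename, body)
  open(filename, 'wb') { |io| io.write(body) }
end

# Hardened pattern: File.open cannot spawn a process, and the up-front guard
# turns a pipe-style name into a loud, loggable error instead of a surprise.
# Returns the number of bytes written.
def save_body(filename, body)
  if filename.start_with?('|')
    raise ArgumentError, "refusing pipe-style filename: #{filename.inspect}"
  end
  File.open(filename, 'wb') { |io| io.write(body) }
  File.size(filename)
end

# Convenience wrapper: :rejected when the guard fires, :written otherwise.
def try_save(filename, body)
  save_body(filename, body)
  :written
rescue ArgumentError
  :rejected
end
```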
- New Features

- Bug fix