Sourced from sinatra's changelog.

3.1.0 / 2023-08-07

- New: Add sass support via sass-embedded #1911 by なつき
- New: Add start and stop callbacks #1913 by Jevin Sew
- New: Warn on dropping sessions #1900 by Jonathan del Strother
- New: Make Puma the default server #1924 by Patrik Ragnarsson
- Fix: Remove use of Tilt::Cache #1922 by Jeremy Evans (allows use of Tilt 2.2.0 without deprecation warning)
- Fix: rack-protection: specify rack version requirement #1932 by Patrik Ragnarsson

3.0.6 / 2023-04-11

- Fix: Add support to keep open streaming connections with Puma #1858 by Jordan Owens
- Fix: Avoid crash in uri helper on Integer input #1890 by Patrik Ragnarsson
- Fix: Rescue RuntimeError when trying to use SecureRandom #1888 by Stefan Sundin

3.0.5 / 2022-12-16

- Fix: Add Zeitwerk compatibility. #1831 by Dawid Janczak
- Fix: Allow CALLERS_TO_IGNORE to be overridden

3.0.4 / 2022-11-25

- Fix: Escape filename in the Content-Disposition header. #1841 by Kunpei Sakai

3.0.3 / 2022-11-11

- Fix: fixed ReDoS for Rack::Protection::IPSpoofing. #1823 by @ooooooo-q

3.0.2 / 2022-10-01

- New: Add Haml 6 support. #1820 by Jordan Owens

3.0.1 / 2022-09-26

- Fix: Revert removal of rack-protection.rb. #1814 by Olle Jonsson

... (truncated)

- a182dca 3.1.0 release (#1935)
- ae6bd6f CI: Always allow notify job to fail (#1934)
- 1fc37fe Mitigate gem build warning from RubyGems
- 9c95cf9 Have git ignore *.gem files
- 7018ab7 rack-protection: specify rack version requirement (#1932)
- 2d6af28 Warn on dropping sessions (#1900)
- fa60779 Use Minitest instead of MiniTest (#1931)
- 3fe6297 Add start and stop callbacks (#1913)
- 6d8f180 Make CI pass on Ruby 2.6 (#1928)
- 5f4dde1 Add sass support via sass-embedded (#1911)

Sourced from nokogiri's releases.

1.15.5 / 2023-11-17

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.6 from v2.11.5. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.6
- [CRuby] Vendored libxslt is updated to v1.1.39 from v1.1.38. For details please see https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.39

sha256 checksums:

1.15.4 / 2023-08-11

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.5 from v2.11.4. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.5

Fixed

- Fixed a typo in a HTML5 parser error message. [#2927] (Thanks, @anishathalye!)
- [CRuby] ObjectSpace.memsize_of is now safe to call on Documents with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]

sha256 checksums:
... (truncated)

Sourced from nokogiri's changelog.

1.15.5 / 2023-11-17

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.6 from v2.11.5. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.6
- [CRuby] Vendored libxslt is updated to v1.1.39 from v1.1.38. For details please see https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.39

1.15.4 / 2023-08-11

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.5 from v2.11.4. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.5

Fixed

- Fixed a typo in a HTML5 parser error message. #2927 (@anishathalye)
- [CRuby] ObjectSpace.memsize_of is now safe to call on Documents with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]

1.15.3 / 2023-07-05

Fixed

- Passing an object that is not a kind of XML::Node as the first parameter to CDATA.new now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). #2920
- Passing an object that is not a kind of XML::Node as the first parameter to Schema.from_document now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). #2920
- [CRuby] Passing an object that is not a kind of XML::Node as the second parameter to Text.new now raises a TypeError. Previously this would result in a segfault. #2920
- [CRuby] Replacing a node's children via methods like Node#inner_html=, #children=, and #replace no longer defensively dups the node's next sibling if it is a Text node. This behavior was originally adopted to work around libxml2's memory management (see #283 and #595) but should not have included operations involving xmlAddChild(). #2916
- [JRuby] Fixed NPE when serializing an unparented HTML node. [#2559, #2895] (@cbasguti)

1.15.2 / 2023-05-24

Dependencies

- [JRuby] Vendored org.nokogiri:nekodtd is updated to v0.1.11.noko2. This is functionally equivalent to v0.1.11.noko1 but restores support for Java 8.

Fixed

- [JRuby] Java 8 support is restored, fixing a regression present in v1.14.0..v1.14.4 and v1.15.0..v1.15.1. #2887

1.15.1 / 2023-05-19

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.4 from v2.11.3. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4

... (truncated)

- 5745d4b version bump to v1.15.5
- da2d908 ci: add ruby version to vendored libs cache key (backport) (#3029)
- 0f56450 ci: add ruby version to vendored libs cache key (#3028)
- 32b2c35 dep: update libxml to 2.11.5 and libxslt to 1.1.39 (v1.15.x) (#3025)
- b8f7e16 ci: skip the BSD builds for now
- aa3208b dep: update libxml to 2.11.5 and libxslt to 1.1.39
- 141c2ac doc(fix): correct :nodoc:
- 1aee13d version bump to v1.15.4
- 769faec backport updates and fixes to v1.15.x (#2953)
- 8460bfe dep: update libxml2 to v2.11.5

Sourced from rack's releases.

v3.0.9.1

What's Changed

- Fixed ReDoS in Accept header parsing [CVE-2024-26146]
- Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
- Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: https://github.com/rack/rack/compare/v3.0.9...v3.0.9.1

v3.0.9

What's Changed

- Fix content-length calcuation in Rack:Response#write #2150

Full Changelog: https://github.com/rack/rack/compare/v3.0.8...v3.0.9

v3.0.8

What's Changed

- Backport "Fix some unused variable verbose warnings" by @skipkayhil in rack/rack#2084

New Contributors

- @skipkayhil made their first contribution in rack/rack#2084

Full Changelog: https://github.com/rack/rack/compare/v3.0.7...v3.0.8

v3.0.7

What's Changed

- Backport "Make query parameters without = have nil values". by @jeremyevans in rack/rack#2060

Full Changelog: https://github.com/rack/rack/compare/v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: https://github.com/rack/rack/compare/v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: https://github.com/rack/rack/compare/v3.0.3...v3.0.4

v3.0.3

What's Changed

- Release v3.0.3 by @ioquatix in rack/rack#2000

Full Changelog: https://github.com/rack/rack/compare/v3.0.2...v3.0.3

v3.0.2

Full Changelog: https://github.com/rack/rack/compare/v3.0.1...v3.0.2

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

- rack.input is now optional. (#1997, @ioquatix)
- Rack::Utils.escape_html is now delegated to CGI.escapeHTML. ' is escaped to &#39; instead of &#x27;. (decimal vs hexadecimal) (#2099, @JunichiIto)

Changed

- rack.input is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, @ioquatix)
- Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, @ioquatix)
- MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15)
- Add .mjs MIME type (#2057, @axilleas)
- Update MIME types associated to .ttf, .woff, .woff2 and .otf extensions to use modern font/* types. (#2065, @davidstosik)
- set_cookie_header utility now supports the partitioned cookie attribute. This is required by Chrome in some embedded contexts. (#2131, @flavio-b)
- Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#2137, @wtn)
- Add fallback lookup and deprecation warning for obsolete status symbols. (#2137, @wtn)

[3.0.9] - 2024-01-31

- Fix incorrect content-length header that was emitted when Rack::Response#write was used in some situations. (#2150, @mattbrictson)

[3.0.8] - 2023-06-14

- Fix some unused variable verbose warnings. (#2084, @jeremyevans, @skipkayhil)

[3.0.7] - 2023-03-16

- Make query parameters without = have nil values. (#2059, @jeremyevans)

[3.0.6.1] - 2023-03-13

- [CVE-2023-27539] Avoid ReDoS in header parsing

[3.0.6] - 2023-03-13

- Add QueryParser#missing_value for handling missing values + tests. (#2052, @ioquatix)

[3.0.5] - 2023-03-13

- Split form/query parsing into two steps. (#2038, @matthewd)

[3.0.4.2] - 2023-03-02

- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts

... (truncated)

- a4bc5e0 bump version
- 6efb2ce Avoid 2nd degree polynomial regexp in MediaType
- 4849132 Return an empty array when ranges are too large
- a227cd7 Fixing ReDoS in header parsing
- 0b3f997 Bump patch version.
- d3d415e Update Ruby versions for external tests: drop v2.7 and add v3.2 and v3.3. (#2...
- c8b977f Fix content-length calcuation in Rack:Response#write (#2150)
- 8d1bf99 Update CHANGELOG for 3.0.8 (#2086)
- d28c464 Bump patch verison.
- 32736d2 Fix some unused variable verbose warnings (#2084)

Sourced from rack's changelog.
\n\n\nChangelog
\nAll notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.
\nUnreleased
\nSPEC Changes
\n\n
\n- \n
rack.input
is now optional. (#1997, [@ioquatix
])- \n
Rack::Utils.escape_html
is now delegated toCGI.escapeHTML
.'
is escaped to[#39](https://github.com/rack/rack/issues/39);
instead of#x27;
. (decimal vs hexadecimal) (#2099,@JunichiIto
)Changed
\n\n
\n- \n
rack.input
is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, [@ioquatix
])- Introduce
\nmodule Rack::BadRequest
which is included in multipart and query parser errors. (#2019, [@ioquatix
])- MIME type for JavaScript files (
\n.js
) changed fromapplication/javascript
totext/javascript
(1bd0f15
)- Add
\n.mjs
MIME type (#2057, [@axilleas
])- Update MIME types associated to
\n.ttf
,.woff
,.woff2
and.otf
extensions to use mondernfont/*
types. (#2065, [@davidstosik
])- \n
set_cookie_header
utility now supports thepartitioned
cookie attribute. This is required by Chrome in some embedded contexts. (#2131, [@flavio-b
])- Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#2137, [
\n@wtn
])- Add fallback lookup and deprecation warning for obsolete status symbols. (#2137, [
\n@wtn
])- In
\nRack::Files
, ignore theRange
header if served file is 0 bytes. (#2159, [@zarqman
])[3.0.9] - 2024-01-31
\n\n
\n- Fix incorrect content-length header that was emitted when
\nRack::Response#write
was used in some situations. (#2150, [@mattbrictson
])[3.0.8] - 2023-06-14
\n\n
\n- Fix some unused variable verbose warnings. (#2084, [
\n@jeremyevans
],@skipkayhil
)[3.0.7] - 2023-03-16
\n\n
\n- Make query parameters without
\n=
havenil
values. (#2059, [@jeremyevans
])[3.0.6.1] - 2023-03-13
\n\n
\n- [CVE-2023-27539] Avoid ReDoS in header parsing
\n[3.0.6] - 2023-03-13
\n\n
\n- Add
\nQueryParser#missing_value
for handling missing values + tests. (#2052, [@ioquatix
])[3.0.5] - 2023-03-13
\n\n
\n- Split form/query parsing into two steps. (#2038,
\n@matthewd
)[3.0.4.2] - 2023-03-02
\n\n
\n\n- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
\n
... (truncated)

- a4bc5e0 bump version
- 6efb2ce Avoid 2nd degree polynomial regexp in MediaType
- 4849132 Return an empty array when ranges are too large
- a227cd7 Fixing ReDoS in header parsing
- 0b3f997 Bump patch version.
- d3d415e Update Ruby versions for external tests: drop v2.7 and add v3.2 and v3.3. (#2...
- c8b977f Fix content-length calculation in Rack:Response#write (#2150)
- 8d1bf99 Update CHANGELOG for 3.0.8 (#2086)
- d28c464 Bump patch version.
- 32736d2 Fix some unused variable verbose warnings (#2084)

Sourced from nokogiri's releases.

1.15.5 / 2023-11-17

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.6 from v2.11.5. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.6
- [CRuby] Vendored libxslt is updated to v1.1.39 from v1.1.38. For details please see https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.39

sha256 checksums:

1.15.4 / 2023-08-11

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.5 from v2.11.4. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.5

Fixed

- Fixed a typo in a HTML5 parser error message. [#2927] (Thanks, @anishathalye!)
- [CRuby] ObjectSpace.memsize_of is now safe to call on Documents with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]

sha256 checksums:
... (truncated)

Sourced from nokogiri's changelog.

1.15.5 / 2023-11-17

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.6 from v2.11.5. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.6
- [CRuby] Vendored libxslt is updated to v1.1.39 from v1.1.38. For details please see https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.39

1.15.4 / 2023-08-11

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.5 from v2.11.4. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.5

Fixed

- Fixed a typo in a HTML5 parser error message. #2927 (@anishathalye)
- [CRuby] ObjectSpace.memsize_of is now safe to call on Documents with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]

1.15.3 / 2023-07-05

Fixed

- Passing an object that is not a kind of XML::Node as the first parameter to CDATA.new now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). #2920
- Passing an object that is not a kind of XML::Node as the first parameter to Schema.from_document now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). #2920
- [CRuby] Passing an object that is not a kind of XML::Node as the second parameter to Text.new now raises a TypeError. Previously this would result in a segfault. #2920
- [CRuby] Replacing a node's children via methods like Node#inner_html=, #children=, and #replace no longer defensively dups the node's next sibling if it is a Text node. This behavior was originally adopted to work around libxml2's memory management (see #283 and #595) but should not have included operations involving xmlAddChild(). #2916
- [JRuby] Fixed NPE when serializing an unparented HTML node. [#2559, #2895] (@cbasguti)

1.15.2 / 2023-05-24

Dependencies

- [JRuby] Vendored org.nokogiri:nekodtd is updated to v0.1.11.noko2. This is functionally equivalent to v0.1.11.noko1 but restores support for Java 8.

Fixed

- [JRuby] Java 8 support is restored, fixing a regression present in v1.14.0..v1.14.4 and v1.15.0..v1.15.1. #2887

1.15.1 / 2023-05-19

Dependencies

- [CRuby] Vendored libxml2 is updated to v2.11.4 from v2.11.3. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4

... (truncated)

- 5745d4b version bump to v1.15.5
- da2d908 ci: add ruby version to vendored libs cache key (backport) (#3029)
- 0f56450 ci: add ruby version to vendored libs cache key (#3028)
- 32b2c35 dep: update libxml to 2.11.5 and libxslt to 1.1.39 (v1.15.x) (#3025)
- b8f7e16 ci: skip the BSD builds for now
- aa3208b dep: update libxml to 2.11.5 and libxslt to 1.1.39
- 141c2ac doc(fix): correct :nodoc:
- 1aee13d version bump to v1.15.4
- 769faec backport updates and fixes to v1.15.x (#2953)
- 8460bfe dep: update libxml2 to v2.11.5

Sourced from rack's releases.

v3.0.9.1

What's Changed

- Fixed ReDoS in Accept header parsing [CVE-2024-26146]
- Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
- Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: https://github.com/rack/rack/compare/v3.0.9...v3.0.9.1

v3.0.9

What's Changed

- Fix content-length calculation in Rack:Response#write #2150

Full Changelog: https://github.com/rack/rack/compare/v3.0.8...v3.0.9

v3.0.8

What's Changed

- Backport "Fix some unused variable verbose warnings" by @skipkayhil in rack/rack#2084

New Contributors

- @skipkayhil made their first contribution in rack/rack#2084

Full Changelog: https://github.com/rack/rack/compare/v3.0.7...v3.0.8

v3.0.7

What's Changed

- Backport "Make query parameters without = have nil values". by @jeremyevans in rack/rack#2060

Full Changelog: https://github.com/rack/rack/compare/v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: https://github.com/rack/rack/compare/v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: https://github.com/rack/rack/compare/v3.0.3...v3.0.4

v3.0.3

What's Changed

- Release v3.0.3 by @ioquatix in rack/rack#2000

Full Changelog: https://github.com/rack/rack/compare/v3.0.2...v3.0.3

v3.0.2

Full Changelog: https://github.com/rack/rack/compare/v3.0.1...v3.0.2