ruby.git/lib, branch ruby_2_6 The Ruby Programming Language When parsing cookies, only decode the values 2021-11-24T11:41:55+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-11-24T11:41:55+00:00 02c341c9bc5879eae568ed2ba02cf227ed948199 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Fix StartTLS stripping vulnerability 2021-07-07T10:38:10+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-07-07T10:38:10+00:00 95ba9053e20ad8d113af37b3f1f4cbfff1f6a8f1 Reported by Alexandr Savca in https://hackerone.com/reports/1178562 Co-authored-by: Shugo Maeda <shugo@ruby-lang.org> git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67950 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
Reported by Alexandr Savca in https://hackerone.com/reports/1178562

Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67950 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Ignore IP addresses in PASV responses by default, and add new option use_pasv_ip 2021-07-07T10:34:08+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-07-07T10:34:08+00:00 be5a83e84a34091f2a4e3c6dfb911b20e78e690c This fixes CVE-2021-31810. Reported by Alexandr Savca. Co-authored-by: Shugo Maeda <shugo@ruby-lang.org> git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67949 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
This fixes CVE-2021-31810.
Reported by Alexandr Savca.

Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67949 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) b1c73f23,c9ab8fe2: [Backport #17877] 2021-07-03T17:10:28+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-07-03T17:10:28+00:00 fe3c49c9baeeab58304ede915b7edd18ecf360fc [ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799 https://github.com/ruby/rdoc/commit/a7f5d6ab88 The test for command injection on Unix platforms should be omitted on Windows git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67947 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
	[ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799
	
	https://github.com/ruby/rdoc/commit/a7f5d6ab88

	The test for command injection on Unix platforms should be omitted on Windows


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67947 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) 9edc1625: [Backport #17781] 2021-07-03T16:56:34+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-07-03T16:56:34+00:00 83c255e89f376068f632fc1f17e67253184e4451 [ruby/resolv] Fix confusion of received response message This is a follow up for commit 33fb966197f1 ("Remove sender/message_id pair after response received in resolv", 2020-09-11). As the @senders instance variable is also used for tracking transaction ID allocation, simply removing an entry without releasing the ID would eventually deplete the ID space and cause Resolv::DNS.allocate_request_id to hang. It seems the intention of the code was to check that the received DNS message is actually the response for the question made within the method earlier. Let's have it actually do so. [Bug #12838] https://bugs.ruby-lang.org/issues/12838 [Bug #17748] https://bugs.ruby-lang.org/issues/17748 https://github.com/ruby/resolv/commit/53ca9c9209 --- lib/resolv.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
	[ruby/resolv] Fix confusion of received response message

	This is a follow up for commit 33fb966197f1 ("Remove sender/message_id
	pair after response received in resolv", 2020-09-11).

	As the @senders instance variable is also used for tracking transaction
	ID allocation, simply removing an entry without releasing the ID would
	eventually deplete the ID space and cause
	Resolv::DNS.allocate_request_id to hang.

	It seems the intention of the code was to check that the received DNS
	message is actually the response for the question made within the method
	earlier. Let's have it actually do so.

	[Bug #12838] https://bugs.ruby-lang.org/issues/12838
	[Bug #17748] https://bugs.ruby-lang.org/issues/17748

	https://github.com/ruby/resolv/commit/53ca9c9209
	---
	 lib/resolv.rb | 6 +++---
	 1 file changed, 3 insertions(+), 3 deletions(-)

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
REXML 3.1.9.1 2021-04-05T11:48:23+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-04-05T11:48:23+00:00 1b59a4dc76caa061355f4289d2c54d4625671735 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67940 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67940 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) 9682db065158da5fa4ec8a3bc267da45b429b92c: [Backport #17658] 2021-04-04T23:47:58+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-04-04T23:47:58+00:00 bde8e4e6f89c579064f0af5a5d922444797478bc Remove sender/message_id pair after response received in resolv Once a response for a given DNS request has been received (which requires a matching message id), the [sender, message_id] pair should be removed from the list of valid senders. This makes it so duplicate responses from the same sender are ignored. Fixes [Bug #12838] --- lib/resolv.rb | 2 +- test/resolv/test_dns.rb | 113 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+), 1 deletion(-) git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67929 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
	Remove sender/message_id pair after response received in resolv

	Once a response for a given DNS request has been received (which
	requires a matching message id), the [sender, message_id] pair
	should be removed from the list of valid senders.  This makes it
	so duplicate responses from the same sender are ignored.

	Fixes [Bug #12838]
	---
	 lib/resolv.rb           |   2 +-
	 test/resolv/test_dns.rb | 113 ++++++++++++++++++++++++++++++++++++++++++++++++
	 2 files changed, 114 insertions(+), 1 deletion(-)

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67929 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) e04418bb16cd99b4a4402e7457d3bdc967284f98: [Backport #16830] 2021-04-04T22:27:35+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-04-04T22:27:35+00:00 49b37893a4189c388e51f711bd4164e1037e277b [ruby/uri] Check if DN exists https://bugs.ruby-lang.org/issues/16830 https://github.com/ruby/uri/commit/b4bf8c1217 --- lib/uri/ldap.rb | 1 + test/uri/test_ldap.rb | 4 ++++ 2 files changed, 5 insertions(+) git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67914 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
	[ruby/uri] Check if DN exists

	https://bugs.ruby-lang.org/issues/16830

	https://github.com/ruby/uri/commit/b4bf8c1217
	---
	 lib/uri/ldap.rb       | 1 +
	 test/uri/test_ldap.rb | 4 ++++
	 2 files changed, 5 insertions(+)

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67914 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) 2ecfb88e: [Backport #16918] 2021-03-02T11:37:36+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-03-02T11:37:36+00:00 34768ea9df63abd5fd9b10553bbd23da52365018 Correctly remove temporary directory if path yielded is mutated Another approach would be to freeze the string, but that could cause backwards compatibility issues. Fixes [Bug #16918] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67910 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
	Correctly remove temporary directory if path yielded is mutated
	
	Another approach would be to freeze the string, but that could
	cause backwards compatibility issues.
	
	Fixes [Bug #16918]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67910 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merge revision(s) 5a79d8e0,160511d8: [Backport #16925] 2021-03-02T11:26:58+00:00 usa usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2021-03-02T11:26:58+00:00 a175a30ab9d79b759fa17e71506caef896a4540e Fix error raised by Net::HTTPResponse#inflater if the block raises * See https://bugs.ruby-lang.org/issues/13882#note-6 --- lib/net/http/response.rb | 5 ++- spec/ruby/library/net/http/http/get_spec.rb | 67 +++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+), 2 deletions(-) Quarantine specs which fail frequently with CHECK_LEAKS=true --- spec/ruby/library/net/http/http/get_spec.rb | 2 ++ 1 file changed, 2 insertions(+) git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67909 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
	Fix error raised by Net::HTTPResponse#inflater if the block raises

	* See https://bugs.ruby-lang.org/issues/13882#note-6
	---
	 lib/net/http/response.rb                    |  5 ++-
	 spec/ruby/library/net/http/http/get_spec.rb | 67 +++++++++++++++++++++++++++++
	 2 files changed, 70 insertions(+), 2 deletions(-)

	Quarantine specs which fail frequently with CHECK_LEAKS=true

	---
	 spec/ruby/library/net/http/http/get_spec.rb | 2 ++
	 1 file changed, 2 insertions(+)

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67909 b2dd03c8-39d4-4d8f-98ff-823fe69b080e