root
/
rubyzip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #408 from rubyzip/v2-0-0 

Bump version to 2.0.0
This commit is contained in:
John Lees-Miller 2019-09-25 21:23:47 +01:00 committed by GitHub
parent e1d9af6e46 cb407b1065
commit 2825898f69
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Changelog.md
View File

@ -2,6 +2,18 @@
- -
# 2.0.0 (2019-09-25)
Security
- Default the `validate_entry_sizes` option to `true`, so that callers can trust an entry's reported size when using `extract` [#403](https://github.com/rubyzip/rubyzip/pull/403)
- This option defaulted to `false` in 1.3.0 for backward compatibility, but it now defaults to `true`. If you are using an older version of ruby and can't yet upgrade to 2.x, you can still use 1.3.0 and set the option to `true`.
Tooling / Documentation
- Remove test files from the gem to avoid problems with antivirus detections on the test files [#405](https://github.com/rubyzip/rubyzip/pull/405) / [#384](https://github.com/rubyzip/rubyzip/issues/384)
- Drop support for unsupported ruby versions [#406](https://github.com/rubyzip/rubyzip/pull/406)
# 1.3.0 (2019-09-25) # 1.3.0 (2019-09-25)
Security Security

8
README.md
View File

@ -265,13 +265,7 @@ Zip.warn_invalid_date = false
### Size Validation ### Size Validation
**This setting defaults to `false` in rubyzip 1.3 for backward compatibility, but it will default to `true` in rubyzip 2.0.** By default (in rubyzip >= 2.0), rubyzip's `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:
If you set
```
Zip.validate_entry_sizes = true
```
then `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:
```ruby ```ruby
MAX_FILE_SIZE = 10 * 1024**2 # 10MiB MAX_FILE_SIZE = 10 * 1024**2 # 10MiB

2
lib/zip.rb
View File

@ -55,7 +55,7 @@ module Zip
@write_zip64_support = false @write_zip64_support = false
@warn_invalid_date = true @warn_invalid_date = true
@case_insensitive_match = false @case_insensitive_match = false
@validate_entry_sizes = false @validate_entry_sizes = true
end end
def setup def setup

2
lib/zip/version.rb
View File

@ -1,3 +1,3 @@
module Zip module Zip
VERSION = '1.3.0' VERSION = '2.0.0'
end end