addressable 2.8.10 → 2.9.0

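--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 567262751c8952b3e982148b0759abfd535b3cb65b2693691b7bfc66ae529395
-data.tar.gz: e097aecb9c501b7573412046a7df248b89dc73c9d3a1282010d640a79374a982
+metadata.gz: ffaab8b78df30a2126058a425f168d76b26bc33e60849cabc1a6beabae24464d
+data.tar.gz: 841ab2bd18fbcf3ff746cb85ea1661e628e278e6c7bc5ad96cd480e36a54f067
 SHA512:
-metadata.gz: 84a81528fc62622ca0a384ce46495ffbc629700636b6751d7a0f128f3596d7419a8c797fc82059f97319e5e9a36f773d9ca49a0420b0e95aac693dc362ac26b6
-data.tar.gz: 21aa9369e4eca88921f94d7d8785526b26e2b9bfbe8bc531a4e368f43c71e888ad0bb554190ec3a58a7d17a4ba4e5c5aedd3166a2bf68f58822b9b765de6c3f4
+metadata.gz: f5884313cb2c68ea73d25e8f7f0a76200030bb3fb7abad8b31532180b1ae3c1df10f8db614a273dba115c87860682d227fdf046c743370e020a577cae667d026
+data.tar.gz: c97dd91446991ce20400e9b4c2586aefbc1dca9fd1d49efca9606fc505ff0d49807686ab1fdfd7d4dba447c9c4bf8fb6c0bbd5a1d3d69a4952207d035e912dc2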
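--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Addressable 2.9.0 <a name="v2.9.0">
+- fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete
+remediation in 2.8.10)
+
 ## Addressable 2.8.10 <a name="v2.8.10">
 - fixes ReDoS vulnerability in Addressable::Template#match
 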
@@ -987,7 +987,8 @@ module Addressable
987
987
  _, operator, varlist = *expansion.match(EXPRESSION)
988
988
  leader = Regexp.escape(LEADERS.fetch(operator, ''))
989
989
  joiner = Regexp.escape(JOINERS.fetch(operator, ','))
990
- combined = varlist.split(',').map do |varspec|
990
+ varspecs = varlist.split(',')
991
+ combined = varspecs.map do |varspec|
991
992
  _, name, modifier = *varspec.match(VARSPEC)
992
993
 
993
994
  result = processor && processor.respond_to?(:match) ? processor.match(name) : nil
@@ -1017,7 +1018,11 @@ module Addressable
1017
1018
  when '+', '#' then "#{RESERVED_NO_COMMA}*+"
1018
1019
  else group
1019
1020
  end
1020
- "(?<#{name}>#{seg}(?:#{joiner}?#{seg})*)?"
1021
+ joiner_pattern = operator.nil? ? joiner : "#{joiner}?"
1022
+ "(?<#{name}>#{seg}(?:#{joiner_pattern}#{seg})*)?"
1023
+ elsif varspecs.size > 1 && (operator == '+' || operator == '#') &&
1024
+ varspec != varspecs.last
1025
+ "(?<#{name}>#{RESERVED_NO_COMMA}*+)?"
1021
1026
  else
1022
1027
  "(?<#{name}>#{group})?"
1023
1028
  end
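Review bot: The guard `varspec != varspecs.last` on the new elsif compares by string value, so a template that repeats the same varspec under a reserved operator (constructed example: `{+a,a}`) would not treat the first occurrence as non-last and would fall through to the `else` branch with whatever `group` holds, which is the pattern this remediation steers non-final reserved varspecs away from; whether such templates actually reach this code through Template#match I cannot tell from the hunk. Comparing positions removes the ambiguity: `combined = varspecs.each_with_index.map do |varspec, idx|` and `elsif (operator == '+' || operator == '#') && idx < varspecs.size - 1` (the `varspecs.size > 1` test is then implied). The literal pair `'+', '#'` now appears both in the `when` above and in this condition; a single frozen constant shared by both would keep them in step. The new branch also needs a why-comment, since nothing in the hunk says why non-final reserved/fragment varspecs get the comma-free possessive segment — something like `# Non-final '+'/'#' varspecs must not span a comma and use a possessive quantifier so the generated regex cannot backtrack across the joiner`. The enclosing method starts and ends outside the hunk.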
@@ -22,8 +22,8 @@ if !defined?(Addressable::VERSION)
22
22
  module Addressable
23
23
  module VERSION
24
24
  MAJOR = 2
25
- MINOR = 8
26
- TINY = 10
25
+ MINOR = 9
26
+ TINY = 0
27
27
 
28
28
  STRING = [MAJOR, MINOR, TINY].join('.')
29
29
  end
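--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: addressable
 version: !ruby/object:Gem::Version
-version: 2.8.10
+version: 2.9.0
 platform: ruby
 authors:
 - Bob Aman
@@ -53,7 +53,7 @@ homepage: https://github.com/sporkmonger/addressable
 licenses:
 - Apache-2.0
 metadata:
-changelog_uri: https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.8.10
+changelog_uri: https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.9.0
 rdoc_options:
 - "--main"
 - README.md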