RubyGems - addressable - Versions diffs - 2.8.9 → 2.8.10 - Mend

addressable 2.8.9 → 2.8.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d530bb874824f8d1004aaea0fb9cd6721e0bd791c404fcb1a15f79f821f056b1
-  data.tar.gz: a9f4955da072c19e998744fedd8dd12129027caae3f4854108054358ee0b740f
+  metadata.gz: 567262751c8952b3e982148b0759abfd535b3cb65b2693691b7bfc66ae529395
+  data.tar.gz: e097aecb9c501b7573412046a7df248b89dc73c9d3a1282010d640a79374a982
 SHA512:
-  metadata.gz: 216c9bf5530cd1265b9418864d0ab4222ce7040c5cbb5501e6185ad44058970423f025291511cbabad3e20115dab935476af53c4e4aeffd79a7e3423f6770045
-  data.tar.gz: 2c5ddcfa6e8e51bef14738173066debd7a54b920f68568e689d49bb0111ac0320d660440db8011912cd943f895ea0a4f62e387ac4699bde736c74db779c35845
+  metadata.gz: 84a81528fc62622ca0a384ce46495ffbc629700636b6751d7a0f128f3596d7419a8c797fc82059f97319e5e9a36f773d9ca49a0420b0e95aac693dc362ac26b6
+  data.tar.gz: 21aa9369e4eca88921f94d7d8785526b26e2b9bfbe8bc531a4e368f43c71e888ad0bb554190ec3a58a7d17a4ba4e5c5aedd3166a2bf68f58822b9b765de6c3f4

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,8 @@
 # Changelog
+## Addressable 2.8.10 <a name="v2.8.10">
+- fixes ReDoS vulnerability in Addressable::Template#match
 ## Addressable 2.8.9 <a name="v2.8.9">
 - Reduce gem size by excluding test files ([#569])
 - No need for bundler as development dependency ([#571], [5fc1d93](https://github.com/sporkmonger/addressable/commit/5fc1d93))

data/lib/addressable/template.rb CHANGED Viewed

@@ -39,6 +39,8 @@ module Addressable
       "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
     RESERVED =
       "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
+    RESERVED_NO_COMMA =
+      "(?:[#{anything.delete(',')}]|%[a-fA-F0-9][a-fA-F0-9])"
     UNRESERVED =
       "(?:[#{
         Addressable::URI::CharacterClasses::UNRESERVED
@@ -1011,7 +1013,11 @@ module Addressable
               "#{ UNRESERVED }*?"
             end
             if modifier == '*'
-              "(?<#{name}>#{group}(?:#{joiner}?#{group})*)?"
+              seg = case operator
+                    when '+', '#' then "#{RESERVED_NO_COMMA}*+"
+                    else group
+                    end
+              "(?<#{name}>#{seg}(?:#{joiner}?#{seg})*)?"
             else
               "(?<#{name}>#{group})?"
             end

data/lib/addressable/version.rb CHANGED Viewed

@@ -23,7 +23,7 @@ if !defined?(Addressable::VERSION)
     module VERSION
       MAJOR = 2
       MINOR = 8
-      TINY  = 9
+      TINY  = 10
       STRING = [MAJOR, MINOR, TINY].join('.')
     end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: addressable
 version: !ruby/object:Gem::Version
-  version: 2.8.9
+  version: 2.8.10
 platform: ruby
 authors:
 - Bob Aman
@@ -53,7 +53,7 @@ homepage: https://github.com/sporkmonger/addressable
 licenses:
 - Apache-2.0
 metadata:
-  changelog_uri: https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.8.9
+  changelog_uri: https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md#v2.8.10
 rdoc_options:
 - "--main"
 - README.md
@@ -70,7 +70,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: URI Implementation
 test_files: []