Skip to content

Commit

Permalink
Bump version to 2.0.0
Browse files Browse the repository at this point in the history
  • Loading branch information
@jdleesmiller
jdleesmiller committed Sep 25, 2019
1 parent e1d9af6 commit 1cc0164
Show file tree
Hide file tree
Showing 4 changed files with 15 additions and 9 deletions.
12 changes: 12 additions & 0 deletions Changelog.md
View file
Expand Up @@ -2,6 +2,18 @@

-

# 2.0.0 (2019-09-25)

Security

- Default the `validate_entry_sizes` option from to true, so that callers can trust an entry's reported size when using `extract` [#403](https://github.com/rubyzip/rubyzip/pull/403)
- This option defaulted to `false` in 1.3.0 for backward compatibility, but it now defaults to `true`. If you are using an older version of ruby and can't yet upgrade to 2.x, you can still use 1.3.0 and set the option to `true`.

Tooling / Documentation

- Remove test files from the gem to avoid problems with antivirus detections on the test files [#405](https://github.com/rubyzip/rubyzip/pull/405) / [#384](https://github.com/rubyzip/rubyzip/issues/384)
- Drop support for unsupported ruby versions [#406](https://github.com/rubyzip/rubyzip/pull/406)

# 1.3.0 (2019-09-25)

Security
Expand Down
8 changes: 1 addition & 7 deletions README.md
View file
Expand Up @@ -265,13 +265,7 @@ Zip.warn_invalid_date = false

### Size Validation

**This setting defaults to `false` in rubyzip 1.3 for backward compatibility, but it will default to `true` in rubyzip 2.0.**

If you set
```
Zip.validate_entry_sizes = true
```
then `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:
By default (in rubyzip >= 2.0), `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:

```ruby
MAX_FILE_SIZE = 10 * 1024**2 # 10MiB
Expand Down
2 changes: 1 addition & 1 deletion lib/zip.rb
View file
Expand Up @@ -55,7 +55,7 @@ def reset!
@write_zip64_support = false
@warn_invalid_date = true
@case_insensitive_match = false
@validate_entry_sizes = false
@validate_entry_sizes = true
end

def setup
Expand Down
2 changes: 1 addition & 1 deletion lib/zip/version.rb
View file
@@ -1,3 +1,3 @@
module Zip
VERSION = '1.3.0'
VERSION = '2.0.0'
end

0 comments on commit 1cc0164

Please sign in to comment.