
Commit

Merge pull request #408 from rubyzip/v2-0-0
Bump version to 2.0.0
jdleesmiller committed Sep 25, 2019
2 parents e1d9af6 + cb407b1 commit 2825898
Showing 4 changed files with 15 additions and 9 deletions.
12 changes: 12 additions & 0 deletions Changelog.md
Expand Up @@ -2,6 +2,18 @@

-

# 2.0.0 (2019-09-25)

Security

- Default the `validate_entry_sizes` option to `true`, so that callers can trust an entry's reported size when using `extract` [#403](https://github.com/rubyzip/rubyzip/pull/403)
- This option defaulted to `false` in 1.3.0 for backward compatibility, but it now defaults to `true`. If you are using an older version of ruby and can't yet upgrade to 2.x, you can still use 1.3.0 and set the option to `true`.

Tooling / Documentation

- Remove test files from the gem to avoid problems with antivirus detections on the test files [#405](https://github.com/rubyzip/rubyzip/pull/405) / [#384](https://github.com/rubyzip/rubyzip/issues/384)
- Drop support for unsupported ruby versions [#406](https://github.com/rubyzip/rubyzip/pull/406)

# 1.3.0 (2019-09-25)

Security
Expand Down
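Review bot: the 2.0.0 Security entry (the two `validate_entry_sizes` bullets) tells readers the default flipped but not how to opt out if an existing extraction workflow breaks on the new default; add the one-liner `Zip.validate_entry_sizes = false` next to the 1.3.0 opt-in advice, and say what `extract` does when the check fails (which exception is raised), since that is what lets a caller "trust an entry's reported size". The phrase "older version of ruby" only makes sense together with the "Drop support for unsupported ruby versions" bullet under Tooling / Documentation; either name the dropped versions there or reference #406 from the Security entry so a reader sees why 1.3.0 is the fallback.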
8 changes: 1 addition & 7 deletions README.md
Expand Up @@ -265,13 +265,7 @@ Zip.warn_invalid_date = false

### Size Validation

**This setting defaults to `false` in rubyzip 1.3 for backward compatibility, but it will default to `true` in rubyzip 2.0.**

If you set
```
Zip.validate_entry_sizes = true
```
then `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:
By default (in rubyzip >= 2.0), rubyzip's `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:

```ruby
MAX_FILE_SIZE = 10 * 1024**2 # 10MiB
Expand Down
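Review bot: the replacement paragraph drops the only mention of the setting's name: the deleted `Zip.validate_entry_sizes = true` snippet was how a reader learned what to toggle, and the new text names neither the option nor how to disable it. Keep a short block such as `Zip.validate_entry_sizes = false` with a note that turning it off re-exposes the zip-bomb issue, and replace "(significantly) smaller" with the actual tolerance the check applies plus the exception `extract` raises on failure, because the paragraph then tells readers to size-check entries before extracting and they need to know which error to rescue when a malicious archive trips the check.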
2 changes: 1 addition & 1 deletion lib/zip.rb
Expand Up @@ -55,7 +55,7 @@ def reset!
@write_zip64_support = false
@warn_invalid_date = true
@case_insensitive_match = false
@validate_entry_sizes = false
@validate_entry_sizes = true
end

def setup
Expand Down
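Review bot: the default flip in `reset!` has no accompanying test in this commit (the four changed files are Changelog.md, README.md, lib/zip.rb and lib/zip/version.rb); add a spec asserting that after `Zip.reset!` the value of `Zip.validate_entry_sizes` is `true`, so a later edit to the defaults in `reset!` cannot silently revert the secure setting. A one-line comment beside `@validate_entry_sizes = true` pointing at #403 would also help the next person who wonders why this default differs from the other `false` defaults around it.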
2 changes: 1 addition & 1 deletion lib/zip/version.rb
@@ -1,3 +1,3 @@
module Zip
VERSION = '1.3.0'
VERSION = '2.0.0'
end

2 comments on commit 2825898


@jm1264 jm1264 commented on 2825898 Oct 9, 2019


ok


@jm1264 jm1264 commented on 2825898 Oct 9, 2019


ok
