- Unsafe Object Deserialization Vulnerability in RubyGems
- * test/net/ftp/test_ftp.rb (process_port_or_eprt): merge a part of r56973 to pass the test introduced at previous commit.
- Fix a command injection vulnerability in Net::FTP.
- webrick: compile RE correctly for beginning and end match
  Using ^ and $ in regexps means we can accidentally get fooled by "%0a" in HTTP request paths being decoded to newline characters. Use \A and \z to match beginning and end-of-string respectively, instead.
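The anchoring problem this entry describes, shown as an added Ruby example that is not code from WEBrick or the Ruby ChangeLog. The `percent_decode` helper, the `/static/...` allow-list pattern and the `path_allowed?`/`compare` names are constructed for the example; WEBrick uses its own path unescaping.

```ruby
# Added example (not from the Ruby ChangeLog or WEBrick): why ^ and $ are
# the wrong anchors for validating a whole decoded request path in Ruby,
# and what \A and \z do instead.

# Minimal percent-decoder standing in for a server's path unescaping
# (constructed for this example; WEBrick uses its own HTTPUtils).
def percent_decode(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# In Ruby, ^ and $ always match at line boundaries, so a path in which
# %0a has been decoded to "\n" can satisfy the pattern on one of its lines
# while carrying other content on another line.
LINE_ANCHORED   = %r{^/static/[a-z]+$}

# \A matches only at the very start of the string and \z only at its very
# end (unlike \Z, which still tolerates one trailing newline).
STRING_ANCHORED = %r{\A/static/[a-z]+\z}

# Hypothetical allow-list check run on the decoded path.
def path_allowed?(pattern, raw_path)
  pattern.match?(percent_decode(raw_path))
end

# Returns which raw paths each anchoring style accepts, for comparison.
def compare(raw_paths)
  raw_paths.to_h do |raw|
    [raw, { line_anchored:   path_allowed?(LINE_ANCHORED, raw),
            string_anchored: path_allowed?(STRING_ANCHORED, raw) }]
  end
end
```

`compare(["/static/logo", "/static/logo%0a/other", "prefix%0a/static/logo"])` shows the difference: the line-anchored pattern accepts all three, while the string-anchored one accepts only the first. Note that `\Z` is not a substitute for `\z` here, since it still lets a single trailing newline through.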
- webrick: do not hang acceptor on slow TLS connections
OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients which negotiate the TCP connection, but fail (or are slow) to negotiate the subsequent TLS handshake. This prevents the multi-threaded WEBrick server from accepting other connections.
Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept) consists of normal read/write traffic over TCP, handle it in the per-client thread, instead. Furthermore, using non-blocking accept() is useful for non-TLS sockets anyways because spurious wakeups are possible from select(2).
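The acceptor design described in this entry, as an added Ruby example that is not code from WEBrick or the Ruby ChangeLog: the listener is polled with `IO.select` and accepted with `accept_nonblock`, and the TLS handshake runs in each client's own thread. The `DemoTlsServer`, `make_self_signed`, `tls_hello` and `demo` names, the self-signed loopback certificate and the one-second handshake deadline are all constructed for this example; the deadline is an assumption added here, not something the entry states WEBrick does.

```ruby
# Added example (not part of the Ruby ChangeLog or WEBrick): a minimal TLS
# server that accepts in non-blocking mode and performs the TLS handshake,
# under a deadline, in the per-client thread, so a client that opens TCP
# but never starts TLS cannot stall the acceptor for everyone else.
require 'socket'
require 'openssl'

# Constructed self-signed certificate, for the loopback demo only.
def make_self_signed(cn = "localhost")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

class DemoTlsServer
  attr_reader :port, :outcomes

  def initialize(key, cert, handshake_timeout: 1.0)
    @ctx = OpenSSL::SSL::SSLContext.new
    @ctx.key  = key
    @ctx.cert = cert
    @timeout  = handshake_timeout
    @listener = TCPServer.new("127.0.0.1", 0)   # ephemeral port
    @port     = @listener.addr[1]
    @outcomes = Queue.new                      # per-client results, for inspection
  end

  def start
    @acceptor = Thread.new do
      loop do
        IO.select([@listener])
        # select(2) can wake spuriously, so accept non-blockingly and
        # simply go round again if there is no connection after all.
        tcp = @listener.accept_nonblock(exception: false)
        next if tcp == :wait_readable
        Thread.new(tcp) { |s| @outcomes << handle_client(s) }
      end
    end
    self
  end

  def stop
    @acceptor.kill
    @listener.close
  end

  private

  # The handshake is ordinary read/write traffic on the TCP socket, so it
  # belongs in the client thread, bounded here by a deadline.
  def handle_client(tcp)
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, @ctx)
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + @timeout
    loop do
      result = ssl.accept_nonblock(exception: false)
      break unless result.is_a?(Symbol)        # handshake finished
      remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
      return :handshake_timeout if remaining <= 0
      ready = if result == :wait_readable
                IO.select([tcp], nil, nil, remaining)
              else
                IO.select(nil, [tcp], nil, remaining)
              end
      return :handshake_timeout unless ready
    end
    ssl.write("hello\n")
    :served
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
    :handshake_failed
  ensure
    tcp.close unless tcp.closed?
  end
end

# Client helper: completes a handshake verified against the demo cert and
# returns the server's greeting.
def tls_hello(port, trusted_cert)
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_cert) }
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), cctx)
  ssl.sync_close = true
  ssl.connect
  ssl.gets
ensure
  ssl&.close
end

# Scenario: one client opens TCP and never starts TLS, then a second client
# completes the handshake. Returns [greeting, sorted per-client outcomes].
def demo
  key, cert = make_self_signed
  server = DemoTlsServer.new(key, cert, handshake_timeout: 1.0).start
  stalled = TCPSocket.new("127.0.0.1", server.port)   # TCP only, no TLS
  greeting = tls_hello(server.port, cert)
  outcomes = [server.outcomes.pop, server.outcomes.pop].sort
  stalled.close
  server.stop
  [greeting, outcomes]
end
```

Calling `demo` returns `["hello\n", [:handshake_timeout, :served]]`: the second client is served immediately because the acceptor never waited on the first client's handshake, and the first client's thread gives up on its own after the deadline. A blocking `SSLSocket#accept` in the acceptor thread would instead have held the second client until the first one either handshook or went away.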