Version 1.7.5

Released on 2019-10-09.

This release includes several minor bug fixes, and a fix for a security vulnerability. This upgrade is recommended for everyone using 1.7.x.

Versions of Ratpack 0.9.1 through and including 1.7.4 are vulnerable to HTTP Response Splitting if untrusted and unsanitized data is used to populate the headers of an HTTP response. By embedding carriage-return/line-feed sequences in such a header value, an attacker can terminate the header prematurely and append further headers, or an entire second response, so that the server issues any HTTP response they specify.

If your application uses arbitrary user input as the value of a response header, it is vulnerable. If your application does not use arbitrary values as response header values, it is not vulnerable.

Previously, Ratpack did not validate response header values. Now, adding a header value that contains the header value termination characters (carriage return and line feed) produces a runtime exception. As HTTP provides no mechanism for escaping or encoding the termination characters within a value, rejecting the value with a runtime exception is the only safe option.

Because potentially dangerous values now cause runtime exceptions rather than being written to the wire, it remains good practice to validate and sanitize any user-supplied values before using them as response headers, so that the framework check never has to fire.
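The following is an added example written for this release note; it is not Ratpack project code and uses no Ratpack API. It models how an HTTP/1.1 response is written to the wire so the effect of an unsanitized header value is visible, then shows the reject-on-CR/LF check that 1.7.5 applies (modelled here as an IllegalArgumentException; the exception type Ratpack actually throws is not stated on this page and is an assumption) alongside an application-level sanitizer of the kind recommended above. The redirect target, the `serialize`/`countResponses` helpers and the attacker payload are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not Ratpack code): models response serialisation, the 1.7.5-style
// CR/LF rejection, and an application-level sanitiser for header values.
public final class ResponseSplittingDemo {

    /** Write status line, headers and body the way an HTTP/1.1 server does. */
    static String serialize(int status, String reason, Map<String, String> headers, String body) {
        StringBuilder out = new StringBuilder();
        out.append("HTTP/1.1 ").append(status).append(' ').append(reason).append("\r\n");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            // Header values are written verbatim: a CR LF inside the value ends the header line.
            out.append(h.getKey()).append(": ").append(h.getValue()).append("\r\n");
        }
        out.append("Content-Length: ").append(body.getBytes(StandardCharsets.UTF_8).length).append("\r\n");
        out.append("\r\n").append(body);
        return out.toString();
    }

    /** Pre-1.7.5 behaviour: an untrusted redirect target goes on the wire untouched. */
    static String vulnerableRedirect(String untrustedTarget) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Location", untrustedTarget);
        return serialize(302, "Found", headers, "");
    }

    /** Model of the 1.7.5 check: a value containing CR or LF is refused outright (exception type assumed). */
    static String requireNoLineTerminators(String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("header value contains CR or LF: " + value);
        }
        return value;
    }

    /** Application-level sanitiser: strip CR and LF before the value reaches the framework. */
    static String stripLineTerminators(String value) {
        return value.replace("\r", "").replace("\n", "");
    }

    /** Post-1.7.5 behaviour: the framework check runs on every header value. */
    static String hardenedRedirect(String untrustedTarget) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Location", requireNoLineTerminators(untrustedTarget));
        return serialize(302, "Found", headers, "");
    }

    /** Number of responses a client would parse out of the byte stream: the leading status
     *  line plus every status line that directly follows a header-block terminator. */
    static int countResponses(String wire) {
        int n = wire.startsWith("HTTP/1.1 ") ? 1 : 0;
        String marker = "\r\n\r\nHTTP/1.1 ";
        int from = 0;
        while ((from = wire.indexOf(marker, from)) >= 0) {
            n++;
            from += marker.length();
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the Location header and the first response,
        // then supplies a complete second response of the attacker's choosing.
        String payload = "/home\r\n"
                + "Content-Length: 0\r\n"
                + "\r\n"
                + "HTTP/1.1 200 OK\r\n"
                + "Content-Type: text/html\r\n"
                + "Content-Length: 14\r\n"
                + "\r\n"
                + "<h1>owned</h1>";

        String wire = vulnerableRedirect(payload);
        System.out.println(wire.replace("\r\n", "\\r\\n\n"));
        System.out.println("responses on the wire (vulnerable): " + countResponses(wire));

        try {
            hardenedRedirect(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("1.7.5-style check: " + e.getMessage());
        }

        // Defence in depth: sanitise first, so the framework check never has to fire.
        String safe = hardenedRedirect(stripLineTerminators(payload));
        System.out.println("responses on the wire (sanitised): " + countResponses(safe));
    }
}
```

Save as `ResponseSplittingDemo.java` and run with `java ResponseSplittingDemo.java` (JDK 11 or later). The vulnerable path produces a byte stream that a client parses as two responses, the second entirely attacker-controlled; the hardened path throws before anything is written; the sanitised path yields a single response. Note that stripping CR/LF keeps the request alive but leaves a nonsensical Location value, so for a redirect target a whitelist of allowed destinations, rejecting anything else, is usually the better application-level check.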

We would like to thank Jonathan Leitschuh for reporting this vulnerability.

Please see the security advisory for this issue for more information.

Pull Requests (3)

Resolved Issues (3)