Version 1.9.0
Released on 2021-06-29.
Ratpack 1.9.0 is now available!
This release contains the following security fixes:
- Cached redirect poisoning via X-Forwarded-Host header
- Default client side session signing key is highly predictable
- Client side sessions should not allow unencrypted storage
- Remote Code Execution Vulnerability in Session Storage
In response to “Remote Code Execution Vulnerability in Session Storage”, all session objects must now be registered with an explicit allow list before they can be deserialized. All users of the ratpack-session module are advised to read the advisory for details.
Special thanks to Jonathan Leitschuh for reporting and advising on the above issues.
Please also see the additional changes and fixes listed below.
We hope you enjoy Ratpack 1.9.0.
Pull Requests (9)
- [1593] - Update to Gradle Enterprise Gradle Plugin 3.6 (runningcode)
- [1592] - Require registration of types before they can be used in a session (ldaley)
- [1590] - Use random UUID for default client side session encryption secret (ldaley)
- [1589] - Use relative redirects and don't infer the public address (ldaley)
- [1586] - Remove lazybones (ldaley)
- [1584] - Add Predicate and Class onError handlers to Operation (timyates)
- [1583] - Update Netty to 4.1.50 (amityatagiri)
- [1581] - Use netty nio DNS resolver by default in HttpClient (johnrengelman)
- [1560] - Properly handling Expect: 100-continue when request streaming as proxy. (johnrengelman)
Resolved Issues (4)
- [1598] - Impositions should layer instead of being completely overwritten by nearest
- [1596] - RequestSpec.onRedirect functions are not always execution bound
- [1559] - Ratpack reverse-proxy failed on 100-continue response
- [1552] - Client side session module does not allow setting last access time cookie name