IMPORTANT: Grape 0.2.6 Released (CVE-2013-0175)
1/11/13 7:25 AM
Grape 0.2.6 has been released. It notably addresses CVE-2013-0175, a serious security vulnerability in multi_xml. You must upgrade, even if you don't use XML in your application - you're vulnerable.
Combined changelog for 0.2.5 and 0.2.6. Thanks to all who have contributed and to Nathan Sutton (https://github.com/nate) for responsible disclosure and the vulnerability report.
- Fix: support content-type with character set when parsing POST and PUT input - @dblock.
- Fix: CVE-2013-0175, multi_xml parse vulnerability, require multi_xml 0.5.2 - @dblock.
- Added support for custom parsers via parser, in addition to built-in multipart, JSON and XML parsers - @dblock.
- body_params, data sent via a POST or PUT with a supported content-type is merged into params - @dblock.
- format will automatically remove other content-types by calling content_type - @dblock.
- content_type will prevent any input data other than the matching content-type or any Rack-supported form and parseable media types (multipart/mixed) from being parsed - @dblock.
- #305: Fix: presenting arrays of objects via represent or when auto-detecting an Entity constant in the objects being presented - @brandonweiss.
- #306: Added i18n support for validation error messages - @niedhui.
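
One way to check a project against the two minimum versions named above (grape 0.2.6, multi_xml 0.5.2), as an added example that is not part of the original announcement or the Grape project's code. The function names are hypothetical and the sample lockfile is constructed.

```ruby
# Added example: audit Gemfile.lock text for the versions named in the announcement.
require "rubygems" # Gem::Version (loaded by default; explicit for clarity)

# Minimum fixed versions, taken from the announcement above.
MINIMUM_VERSIONS = {
  "grape"     => Gem::Version.new("0.2.6"),
  "multi_xml" => Gem::Version.new("0.5.2"),
}.freeze

# Resolved gems sit at exactly four spaces of indent under "specs:";
# their dependency constraints are indented six spaces and are skipped.
SPEC_LINE = /\A {4}([A-Za-z0-9_.\-]+) \(([^)\s]+)\)\s*\z/

# Returns { gem_name => Gem::Version } for every resolved gem in the lockfile text.
def locked_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, found|
    m = SPEC_LINE.match(line.chomp)
    next unless m
    version = m[2].split("-").first # drop a platform suffix such as "-java"
    next unless Gem::Version.correct?(version)
    found[m[1]] = Gem::Version.new(version)
  end
end

# Returns an array of findings; empty means no listed gem is below its minimum.
# A gem that is absent from the lockfile is not reported.
def outdated_gems(lockfile_text)
  locked = locked_versions(lockfile_text)
  MINIMUM_VERSIONS.each_with_object([]) do |(name, minimum), findings|
    current = locked[name]
    next if current.nil? || current >= minimum
    findings << "#{name} #{current} is below #{minimum}"
  end
end

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      grape (0.2.4)
        multi_xml (>= 0.5.0)
        rack
      multi_xml (0.5.1)
      rack (1.4.1)
LOCK

# Pass a lockfile path as the first argument, or run with none to see the sample.
puts outdated_gems(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE)
```

Because multi_xml is pulled in as a dependency, the check reads the resolved versions in the lockfile rather than the Gemfile, which may not mention multi_xml at all.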