IMPORTANT: Grape 0.2.6 Released (CVE-2013-0175)

Showing 1-1 of 1 messages
IMPORTANT: Grape 0.2.6 Released (CVE-2013-0175) Daniel Doubrovkine 1/11/13 7:25 AM
Grape 0.2.6 has been released. It notably addresses CVE-2013-0175, a serious security vulnerability in multi_xml. You must upgrade, even if you don't use XML in your application - you're vulnerable.

Combined changelog for 0.2.5 and 0.2.6. Thanks to all who have contributed and to @ Nathan Sutton ( for responsible disclosure and the vulnerability report.

0.2.6 (01/11/2013)

  • Fix: support content-type with character set when parsing POST and PUT input - @dblock.
  • Fix: CVE-2013-0175, multi_xml parse vulnerability, require multi_xml 0.5.2 - @dblock.

0.2.5 (01/10/2013)

  • Added support for custom parsers via parser, in addition to built-in multipart, JSON and XML parsers - @dblock.
  • Removed body_params, data sent via a POST or PUT with a supported content-type is merged into params - @dblock.
  • Setting format will automatically remove other content-types by calling content_type - @dblock.
  • Setting content_type will prevent any input data other than the matching content-type or any Rack-supported form and parseable media types (application/x-www-form-urlencodedmultipart/form-datamultipart/related andmultipart/mixed) from being parsed - @dblock.
  • #305: Fix: presenting arrays of objects via represent or when auto-detecting an Entity constant in the objects being presented - @brandonweiss.
  • #306: Added i18n support for validation error messages - @niedhui.