Bump rubyzip from 1.2.2 to 1.3.0

Bumps [rubyzip](https://github.com/rubyzip/rubyzip) from 1.2.2 to 1.3.0. **This update includes a security fix.** - [Release notes](https://github.com/rubyzip/rubyzip/releases/tag/v1.3.0) - [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md) - [Commits](rubyzip/[email protected]) Security fix adds `validate_entry_sizes` option so that callers can trust an entry's reported size when using `extract`. We don't currently call `extract`, so I don't think we're affected by this issue. As per rubyzip/rubyzip#403, I've created an initializer to set `validate_entry_sizes`, which can be removed once we drop support for Ruby 2.3 (#5222).
mysociety · Oct 18, 2019 · a17d9de · a17d9de
1 parent c7658f1
commit a17d9de
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 5 deletions.
diff --git a/Gemfile b/Gemfile
@@ -118,7 +118,7 @@ gem 'recaptcha', '~> 4.9.0', '< 4.10.0', :require => 'recaptcha/rails'
 gem 'rmagick', '~> 2.16.0'
 gem 'rolify', '~> 5.2.0'
 gem 'ruby-msg', '~> 1.5.0', :git => 'https://github.com/mysociety/ruby-msg.git', :branch => 'ascii-encoding'
-gem 'rubyzip', '~> 1.2.2'
+gem 'rubyzip', '~> 1.3.0', '< 2.0.0'
 gem 'secure_headers', '~> 3.6.0'
 gem 'statistics2', '~> 0.54'
 gem 'strip_attributes', :git => 'https://github.com/mysociety/strip_attributes.git', :ref => 'c1c14da'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -358,7 +358,7 @@ GEM
       unicode-display_width (~> 1.4.0)
     ruby-ole (1.2.12.1)
     ruby-progressbar (1.10.0)
-    rubyzip (1.2.2)
+    rubyzip (1.3.0)
     safe_yaml (1.0.4)
     sass (3.4.25)
     sass-rails (5.0.7)
@@ -498,7 +498,7 @@ DEPENDENCIES
   rspec-rails (~> 3.7.2)
   rubocop (~> 0.63.1)
   ruby-msg (~> 1.5.0)!
-  rubyzip (~> 1.2.2)
+  rubyzip (~> 1.3.0, < 2.0.0)
   sass-rails (~> 5.0.7)
   secure_headers (~> 3.6.0)
   statistics2 (~> 0.54)

diff --git a/Gemfile.rails_next.lock b/Gemfile.rails_next.lock
@@ -358,7 +358,7 @@ GEM
       unicode-display_width (~> 1.4.0)
     ruby-ole (1.2.12.1)
     ruby-progressbar (1.10.0)
-    rubyzip (1.2.2)
+    rubyzip (1.3.0)
     safe_yaml (1.0.4)
     sass (3.4.25)
     sass-rails (5.0.7)
@@ -498,7 +498,7 @@ DEPENDENCIES
   rspec-rails (~> 3.7.2)
   rubocop (~> 0.63.1)
   ruby-msg (~> 1.5.0)!
-  rubyzip (~> 1.2.2)
+  rubyzip (~> 1.3.0, < 2.0.0)
   sass-rails (~> 5.0.7)
   secure_headers (~> 3.6.0)
   statistics2 (~> 0.54)

diff --git a/config/initializers/rubyzip.rb b/config/initializers/rubyzip.rb
@@ -0,0 +1,8 @@
+# -*- encoding : utf-8 -*-
+require 'zip'
+
+# Manually set `validate_entry_sizes`, which is the default in rubyzip 2.0.0.
+# rubyzip 2.0.0 requires Ruby 2.4+, so we can't upgrade to that yet.
+#
+# See: https://github.com/rubyzip/rubyzip/pull/403
+Zip.validate_entry_sizes = true