Last active
October 2, 2019 13:06
-
-
Save sue445/7683dc39231697e4da53925b825e7c60 to your computer and use it in GitHub Desktop.
CVE 2019-16892 workaround for rubyzip v1.3.0. c.f. https://sue445.hatenablog.com/entry/2019/10/01/210138
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # zip bomb measures for rubyzip v1.3.0 | |
| # c.f. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2019-16892.yml | |
| # | |
| # validate_entry_sizes has been default enabled since rubyzip v2.0.0, but must be explicitly enabled in v1.3.x | |
| # | |
| # Put this file as `config/initializers/CVE-2019-16892-rubyzip-patch.rb` if rails | |
| begin | |
| require "zip" | |
| require "zip/version" | |
| if Gem::Version.create(Zip::VERSION) >= Gem::Version.create("2.0.0") | |
| raise "this patch has been no longer needed since rubyzip v2.0.0+. Remove this file!" | |
| end | |
| Zip.validate_entry_sizes = true | |
| rescue LoadError | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment