Releases: ratpack/ratpack
v1.9.0
v1.8.2
This release updates the Gradle plugin to be compatible with Gradle 7.
v1.8.1
This release fixes several bugs, adds compatibility with Gradle's configuration caching, and updates two dependencies with critical vulnerabilities.
We hope you enjoy Ratpack 1.8.1.
v1.8.0
Ratpack 1.8.0 is now available!
This release adds support for configuring a proxy to utilize with the HttpClient
for outgoing requests, additional convenience methods for Promise.retry
, a number of dependency updates, and other improvements .
The following core dependencies have been upgraded:
- Netty 4.1.37.Final → 4.1.48.Final
- Netty TCNative 2.0.25.Final → 2.0.30.Final
- Jackson 2.9.8 → 2.10.3
- Slf4j 1.7.25 → 1.7.30
- Guava 21.0 → 28.2-jre
- Dropwizard Metrics 4.0.5 → 4.1.6
- Log4j 2.6.2 → 2.13.1
- Caffeine 2.6.2 → 2.8.1
- Retrofit 2.4.0 → 2.8.1
Ratpack's HttpClient
can now be configured to utilize a proxy server when sending requests using the HttpClientSpec. proxy
method. Configuring the proxy requires specifying the host
and port
of the proxy. Optionally, the configured proxy can be bypassed for a set of destinations. This set uses the same pattern matching utilized by the core Java libraries and specified here: https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html. It should be noted that the HttpClient
does not respect the http.proxyHost
, http.proxyPort
, and http.nonProxyHosts
system properties.
In this release, Promise.retry
has been extended to allow for specifying a Predicate
to indicate when the RetryPolicy
should be evaluated.
There are also a few other new convenience methods added to support easier development and testing of Ratpack applications.
Thanks to all who contributed.
We hope you enjoy Ratpack 1.8.
--
Team Ratpack
v1.7.6
This release includes a fix for a security vulnerability. This upgrade is recommended for all Ratpack users.
Versions of Ratpack 0.9.10 through and including 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS),
in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.
This vulnerability only exists in the handler that renders an internal server error as a readable HTML page which is activates when Ratpack is running in development mode. This mode is only activate by user request (i.e. setting development(true)
in the ServerConfig
, setting RATPACK_DEVELOPMENT=true
in the environment), or when Ratpack detects it is running in an IDE (i.e. IntelliJ), being run by the Groovy shell, or attached to a debugger. By default, Ratpack sets development(false)
when packaged as a Jar.
Users should verify that they are not running Ratpack with development mode activated in production environments.
We would like to thank Jonathan Leitschuh for reporting this vulnerability.
Please see the security advisory for this issue for more information.
v1.7.5
This release includes several minor bug fixes, and a fix for a security vulnerability. This upgrade is recommended for everyone using 1.7.x.
Versions of Ratpack 0.9.1 through and including 1.7.4 are vulnerable to HTTP Response Splitting,
if untrusted and unsanitized data is used to populate the headers of a HTTP response.
An attacker can utilize this vulnerability to have the server issue any HTTP response they specify.
If your application uses arbitrary user input as the value of a response header it is vulnerable.
If your application does not use arbitrary values as response header values, it is not vulnerable.
Previously, Ratpack did not validate response header values.
Now, adding a header value that contains the header value termination characters produces a runtime exception.
As there is no mechanism for escaping or encoding the termination characters in a value, a runtime exception is necessary.
As potentially dangerous values now cause runtime exceptions,
it is a good idea to continue to validate and sanitize any user supplied values being used as response headers.
We would like to thank Jonathan Leitschuh for reporting this vulnerability.
Please see the security advisory for this issue for more information.
v1.7.4
v1.7.3
This release includes a fix for HttpClient
idle timeout that was introduced in Ratpack 1.7.0. Specifically, this timeout was incorrectly applying to in-use HTTP connections from the pool that were idle waiting for a server response. This fixes this behavior and clarifies that idleTimeout
applies only to connections that are not currently acquired from the pool. This upgrade is recommended for everyone using 1.7.x.
v1.7.2
This release includes a fix for a regression introduced in 1.7.0 that resulted in double URL encoded query parameters in redirect responses. Please see the issue list below for details. This upgrade is recommended for everyone using 1.7.x.
v1.7.1
Ratpack 1.7.1 is now available!
This patch release fixes a bug with idle connection timeouts for Ratpack's HttpClient
(introduced in 1.7.0
) which prevented timeouts larger than 1 second to be specified.
No other changes were introduced.
--
Team Ratpack