Issue #17303 has been updated by jeremyevans0 (Jeremy Evans).


I am in favor of this change.  I prefer removing webrick from stdlib, as otherwise we are still likely to be shipping vulnerable code if there is a security issue in webrick.  Moving webrick from default gems to bundled gems doesn't change much security wise, other than making it slightly more difficult to use an separately installed webrick gem.

----------------------------------------
Feature #17303: Make webrick to bundled gems or remove from stdlib
https://bugs.ruby-lang.org/issues/17303#change-88333

* Author: hsbt (Hiroshi SHIBATA)
* Status: Open
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
----------------------------------------
I propose to make webrick to bundled gems or remove from stdlib of ruby.

We have a several issues related vulnerabilities in webrick gem.

https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

The ruby core team don't have enough time to handle them. We should remove webrick from default gems at least.

Patch for this feature: https://github.com/ruby/ruby/pull/3729



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>