Issue #17303 has been updated by Eregon (Benoit Daloze).


Doesn't RubyGems depend on WEBrick (notably for `gem server`)?
It seems also RDoc depends on it.
And I know `ruby -run -e httpd . -p8080` depends on it as well.

I think having a basic HTTP server in stdlib is important (bundled gem is fine for that).
Notably for properly testing Socket and new IO APIs.

Also removing it entirely without any kind of deprecation first seems like it might break lots of things.

----------------------------------------
Feature #17303: Make webrick to bundled gems or remove from stdlib
https://bugs.ruby-lang.org/issues/17303#change-88337

* Author: hsbt (Hiroshi SHIBATA)
* Status: Open
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
----------------------------------------
I propose to make webrick to bundled gems or remove from stdlib of ruby.

We have a several issues related vulnerabilities in webrick gem.

https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

The ruby core team don't have enough time to handle them. We should remove webrick from default gems at least.

Patch for this feature: https://github.com/ruby/ruby/pull/3729



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>