Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module github.com/gin-gonic/gin to v1.9.1 [security] #19197

Merged
merged 1 commit into from
Jul 12, 2023
Merged

chore(deps): update module github.com/gin-gonic/gin to v1.9.1 [security] #19197

merged 1 commit into from
Jul 12, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 11, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/gin-gonic/gin indirect patch v1.9.0 -> v1.9.1

GitHub Vulnerability Alerts

CVE-2023-29401

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat".

If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

Release Notes

gin-gonic/gin (github.com/gin-gonic/gin)

v1.9.1

Compare Source

BUG FIXES
SECURITY
  • fix lack of escaping of filename in Content-Disposition #​3556
ENHANCEMENTS
  • refactor: use bytes.ReplaceAll directly #​3455
  • convert strings and slices using the officially recommended way #​3344
  • improve render code coverage #​3525
DOCS
  • docs: changed documentation link for trusted proxies #​3575
  • chore: improve linting, testing, and GitHub Actions setup #​3583

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added dependencies Pull requests that update a dependency file release-note-none security labels Jul 11, 2023
@renovate @vrothberg
chore(deps): update module github.com/gin-gonic/gin to v1.9.1 [security]
6fd4ae6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg vrothberg force-pushed the renovate/go-github.aaakk.us.kg/gin-gonic/gin-vulnerability branch from 3b0609f to 6fd4ae6 Compare July 12, 2023 08:30
vrothberg
vrothberg approved these changes Jul 12, 2023
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 12, 2023
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 12, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 12, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: renovate[bot], vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 12, 2023
@vrothberg
Copy link
Member

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 12, 2023
@openshift-merge-robot openshift-merge-robot merged commit 99ca443 into main Jul 12, 2023
@renovate renovate bot deleted the renovate/go-github.aaakk.us.kg/gin-gonic/gin-vulnerability branch July 12, 2023 11:21
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Oct 11, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@vrothberg vrothberg vrothberg approved these changes

Assignees

@vrothberg vrothberg

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dependencies Pull requests that update a dependency file lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note-none security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vrothberg @openshift-merge-robot