v3.4.4 security patch for v3.4.0?

[ywenc]

Hello!

Looks like v3.4.4 patched a security vulnerability from parsing the API key.

I'd love to upgrade our own version of gibbon (we're on v2) to get the security update. But, I noticed that gibbon has dropped support for faraday <1 as of gibbon v3.4.1. faraday ends up touching lots of things, so upgrading is looking like a big lift.

And so, would it be possible to release a security patch for gibbon v3.4.0, which is the last version that supports faraday <1? I noticed that gibbon doesn't have branches for past releases, or I'd also be happy to make a PR, or let me know if I can help in any way.

Thank you so much!

[amro]

Hi @ywenc. I would be glad to release it, yes, and would sincerely appreciate your putting together a PR as things are a bit busy for me at work right now. Thanks!

I should note that issue only applies if you're accepting API keys via a form or something. I recommend validating them on entry if you are anyway.