Ruby

I would like to retire CGI library from Ruby 3.5.0 release. It means CGI is not promoted bundled gems. The users need to run gem install cgi after Ruby 3.5 if they want to use CGI library.

Background¶

I handled two CVEs related CGI library at https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/

We shouldn't spend our time to maintain CGI library in the future because CGI is old protocol. In fact, Perl 5.22.0 removed CGI.pm at 2015, Python 3.13 also removed cgi at Nov 2024.

Problem¶

CGI is not using widely today. But cgi/escape is core feature in Ruby ecosystem. erb, net-http and bundler depend CGI.escape/CGI.unescape. And CGI.escapeHTML, CGI.escapeURIComponent are used at that libraries.

Solution¶

1. We keep only cgi/escape feature in Ruby. The current CGI library is removed and depend cgi-escape gem.
2. We migrate cgi/escape to other class/module. The current CGI library and cgi/escape are removed.

The new class/module location is diffcult. I discussed that with some Ruby core member.

• URI.escape/unescape: URI.escape is migrated to URI::RFC2396_PARSER.escape at Ruby 3.4. The new URI.escape is confusing name with historical reason.
• URI::Util.escape: It seems okay...?

I think URI or related name are good place for that because other language provide that under the url libraries:

Python:

import urllib.parse
urllib.parse.quote()

Java:

import java.net.URLEncoder;
URLEncoder.encode()

Go:

import "net/url"
url.QueryEscape()

Migration plan¶

If Idea 2 is accepted and decide new location, We provide dummy module and method for cgi/escape. That dummy module call new method and warn about deprecating cgi/escape.