Posted to dev@flagon.apache.org by GitBox <gi...@apache.org> on 2019/11/01 12:17:25 UTC

[GitHub] [incubator-flagon-tap] dependabot[bot] opened a new pull request #6: Bump httpie from 0.9.3 to 1.0.3

URL: https://github.com/apache/incubator-flagon-tap/pull/6
 
 
   Bumps [httpie](https://github.com/jakubroztocil/httpie) from 0.9.3 to 1.0.3.
   <details>
   <summary>Release notes</summary>
   
   *Sourced from [httpie's releases](https://github.com/jakubroztocil/httpie/releases).*
   
   > ## HTTPie 1.0.3
   > Fixed CVE-2019-10751 — the way the output filename is generated for `--download` requests without `--output` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario:
   > 
   > 1. A `--download` request with no explicit `--output` is made (e.g., `$ http -d  example.org/file.txt`), instructing HTTPie to [generate the output filename](https://httpie.org/doc#downloaded-filename) from the `Content-Disposition` response header, or from the URL if the header is not provided.
   > 2. The server handling the request has been modified by an attacker and instead of the expected response the URL returns a redirect to another URL, e.g., `attacker.example.org/.bash_profile`, whose response does not provide a `Content-Disposition` header (i.e., the base for the generated filename becomes `.bash_profile` instead of `file.txt`).
   > 3. Your current directory doesn’t already contain `.bash_profile` (i.e., no unique suffix is added to the generated filename).
   > 4. You don’t notice the potentially unexpected output filename as reported by HTTPie in the console output (e.g., `Downloading 100.00 B to ".bash_profile"`).
   > 
   > ## HTTPie 1.0.2
   > * Fixed tests for installation with pyOpenSSL.
   > 
   > ## HTTPie 1.0.1
   > * Removed external URL calls from tests.
   > 
   > ## HTTPie 1.0.0
   > 
   > * Added ``--style=auto`` which follows the terminal ANSI color styles.
   > * Added support for selecting TLS 1.3 via ``--ssl=tls1.3``
   >   (available once implemented in upstream libraries).
   > * Added ``true``/``false`` as valid values for ``--verify``
   >   (in addition to ``yes``/``no``) and the boolean value is case-insensitive.
   > * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``).
   > * Fixed default headers being incorrectly case-sensitive.
   > * Removed Python 2.6 support.
   > 
   > ## HTTPie 0.9.9
   > * Only README changes.
   > 
   > ## HTTPie 0.9.8
   > - Extended auth plugin API.
   > - Added exit status code `7` for plugin errors.
   > - Added support for `curses`-less Python installations.
   > - Fixed `REQUEST_ITEM` arg incorrectly being reported as required.
   > - Improved `CTRL-C` interrupt handling.
   > - Added the standard exit status code `130` for keyboard interrupts.
   > 
   > ## HTTPie 0.9.6
   > - Added Python 3 as a dependency for Homebrew installations
   >   to ensure some of the newer HTTP features work out of the box
   >   for macOS users (starting with HTTPie 0.9.4.).
   > - Added the ability to unset a request header with `Header:`, and send an
   >   empty value with `Header;`.
   > - Added `--default-scheme <URL_SCHEME>` to enable things like
   >   `$ alias https='http --default-scheme=https`.
   > - Added `-I` as a shortcut for `--ignore-stdin`.
   > - Added fish shell completion (located in `extras/httpie-completion.fish`
   >   in the Github repo).
   > - Updated `requests` to 2.10.0 so that SOCKS support can be added via
   >   `pip install requests[socks]`.
   > - Changed the default JSON `Accept` header from `application/json`
   > ... (truncated)
   </details>
   <details>
   <summary>Changelog</summary>
   
   *Sourced from [httpie's changelog](https://github.com/jakubroztocil/httpie/blob/master/CHANGELOG.rst).*
   
   > `1.0.3`_ (2019-08-26)
   > ---------------------
   > 
   > * Fixed CVE-2019-10751 — the way the output filename is generated for
   >   ``--download`` requests without ``--output`` resulting in a redirect has
   >   been changed to only consider the initial URL as the base for the generated
   >   filename, and not the final one. This fixes a potential security issue under
   >   the following scenario:
   > 
   >   1. A ``--download`` request with no explicit ``--output`` is made (e.g.,
   >      ``$ http -d example.org/file.txt``), instructing httpie to
   >      `generate the output filename <https://httpie.org/doc#downloaded-filename>`_
   >      from the ``Content-Disposition`` response header, or from the URL if the header
   >      is not provided.
   >   2. The server handling the request has been modified by an attacker and
   >      instead of the expected response the URL returns a redirect to another
   >      URL, e.g., ``attacker.example.org/.bash_profile``, whose response does
   >      not provide a ``Content-Disposition`` header (i.e., the base for the
   >      generated filename becomes ``.bash_profile`` instead of ``file.txt``).
   >   3. Your current directory doesn’t already contain ``.bash_profile``
   >      (i.e., no unique suffix is added to the generated filename).
   >   4. You don’t notice the potentially unexpected output filename
   >      as reported by httpie in the console output
   >      (e.g., ``Downloading 100.00 B to ".bash_profile"``).
   > 
   >   Reported by Raul Onitza and Giulio Comi.
   > 
   > 
   > `1.0.2`_ (2018-11-14)
   > -------------------------
   > 
   > * Fixed tests for installation with pyOpenSSL.
   > 
   > 
   > `1.0.1`_ (2018-11-14)
   > -------------------------
   > 
   > * Removed external URL calls from tests.
   > 
   > 
   > `1.0.0`_ (2018-11-02)
   > -------------------------
   > 
   > * Added ``--style=auto`` which follows the terminal ANSI color styles.
   > * Added support for selecting TLS 1.3 via ``--ssl=tls1.3``
   >   (available once implemented in upstream libraries).
   > * Added ``true``/``false`` as valid values for ``--verify``
   >   (in addition to ``yes``/``no``) and the boolean value is case-insensitive.
   > * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``).
   > * Fixed default headers being incorrectly case-sensitive.
   > ... (truncated)
   </details>
   <details>
   <summary>Commits</summary>
   
   - [`747be30`](https://github.com/jakubroztocil/httpie/commit/747be30d2efda1b4287a84f1f27f4328621b222c) 1.0.3
   - [`88a9583`](https://github.com/jakubroztocil/httpie/commit/88a9583f4c0682fc4d26525380d82802eb242784) Update CHANGELOG.rst
   - [`fd6e879`](https://github.com/jakubroztocil/httpie/commit/fd6e87914ca70f0825f47d226c1454e9a9a191bc) README
   - [`6dee493`](https://github.com/jakubroztocil/httpie/commit/6dee49357d793f0112ad806a480b53f2c2d1e627) Fix comments
   - [`df36d62`](https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8) Changed the way the output filename is generated
   - [`e92b831`](https://github.com/jakubroztocil/httpie/commit/e92b831e6e044a366d1907761fcc63a254a021a7) Create FUNDING.yml
   - [`fd44f1a`](https://github.com/jakubroztocil/httpie/commit/fd44f1af93ce1d2c84f324b8474d2d075b5a7b13) Updated Readme to fix a typo ([#767](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/767))
   - [`b630954`](https://github.com/jakubroztocil/httpie/commit/b6309547d535287dd11429ba11a999414149b7fd) Add a bash here string example
   - [`3a46149`](https://github.com/jakubroztocil/httpie/commit/3a46149de1e58ce72563c4011bfee64781bc4af3) Fix several ResourceWarning: unclosed file ([#741](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/741))
   - [`b7c8bf0`](https://github.com/jakubroztocil/httpie/commit/b7c8bf08002b48b5c82df61f5aec09a556f91b74) Add animation by [@loranallensmith](https://github.com/loranallensmith)
   - Additional commits viewable in [compare view](https://github.com/jakubroztocil/httpie/compare/0.9.3...1.0.3)
   </details>
   <br />
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=httpie&package-manager=pip&previous-version=0.9.3&new-version=1.0.3)](https://help.github.com/articles/configuring-automated-security-fixes)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
   - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
   - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
   - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
   
   You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/incubator-flagon-tap/network/alerts).
   
   </details>
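The filename derivation that the 1.0.3 release note above describes, written out as an added Python example (this is not httpie's own code): the pre-fix behaviour took the basename from the final, post-redirect URL, while the fixed behaviour takes it from the initial URL the user typed. The `Content-Disposition` parser, the `index` fallback name and the `-1`, `-2` suffix format are assumptions made for the example.

```python
"""Added example, not httpie's code: output filename for a --download request
without --output, comparing the pre-1.0.3 (final URL) and fixed (initial URL)
behaviour from the CVE-2019-10751 release note."""
import os
import posixpath
import re
from typing import Optional, Set
from urllib.parse import unquote, urlsplit


def filename_from_url(url: str) -> str:
    """Basename of the URL path; 'index' when the path has none (assumed fallback)."""
    name = posixpath.basename(unquote(urlsplit(url).path))
    return name or "index"


def filename_from_content_disposition(header: Optional[str]) -> Optional[str]:
    """Minimal parse of 'attachment; filename="x"' (assumption: not a full RFC 6266 parser)."""
    if not header:
        return None
    match = re.search(r'filename="?([^";]+)"?', header)
    if not match:
        return None
    # Keep only the basename so a header value cannot point outside the current directory.
    name = os.path.basename(match.group(1).strip())
    return name or None


def unique_filename(name: str, existing: Set[str]) -> str:
    """Append -1, -2, ... before the extension while the name collides with an existing file."""
    root, ext = os.path.splitext(name)
    candidate, counter = name, 1
    while candidate in existing:
        candidate = f"{root}-{counter}{ext}"
        counter += 1
    return candidate


def download_filename(initial_url: str, final_url: str,
                      content_disposition: Optional[str], existing: Set[str],
                      use_initial_url: bool = True) -> str:
    """use_initial_url=False reproduces the pre-1.0.3 behaviour the note describes;
    the default reproduces the fix: the redirect target never chooses the basename."""
    base_url = initial_url if use_initial_url else final_url
    name = filename_from_content_disposition(content_disposition) or filename_from_url(base_url)
    return unique_filename(name, existing)
```

The scenario from the release note (redirect to `.bash_profile` without a `Content-Disposition` header, empty current directory) yields `file.txt` with the fix and `.bash_profile` without it.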

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services