mirror of https://github.com/httpie/cli.git synced 2024-11-24 08:22:22 +02:00
This commit is contained in:
Jakub Roztocil 2019-08-26 12:42:34 +02:00
parent 88a9583f4c
commit 747be30d2e
4 changed files with 29 additions and 9 deletions

View File

@ -6,12 +6,32 @@ This document records all notable changes to `HTTPie <http://httpie.org>`_.
This project adheres to `Semantic Versioning <http://semver.org/>`_.
`1.0.3-dev`_ (unreleased)
`1.0.3`_ (2019-08-26)
-------------------------
* Changed the way the output filename is generated for ``--download`` requests
without ``--output`` and with a redirect — now only the initial URL is
considered, not the final one. Thanks to Raul Onitza of Snyk for bringing this up.
* Fixed CVE-2019-10751 — the way the output filename is generated for
``--download`` requests without ``--output`` resulting in a redirect has
been changed to only consider the initial URL as the base for the generated
filename, and not the final one. This fixes a potential security issue under
the following scenario:
1. A ``--download`` request with no explicit ``--output`` is made (e.g.,
``$ http -d example.org/file.txt``), instructing httpie to
`generate the output filename <https://httpie.org/doc#downloaded-file-name>`_
from the ``Content-Disposition`` response, or from the URL if the header
is not provided.
2. The server handling the request has been modified by an attacker and
instead of the expected response the URL returns a redirect to another
URL, e.g., ``attacker.example.org/.bash_profile``, whose response does
not provide a ``Content-Disposition`` header (i.e., the base for the
generated filename becomes ``.bash_profile`` instead of ``file.txt``).
3. Your current directory doesn’t already contain ``.bash_profile``
(i.e., no unique suffix is added to the generated filename).
4. You don’t notice the potentially unexpected output filename
as reported by httpie in the console output
(e.g., ``Downloading 100.00 B to ".bash_profile"``).
Reported by Raul Onitza and Giulio Comi.
`1.0.2`_ (2018-11-14)
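Review bot: the new entry states that only the initial URL is now used as the base for the generated filename, but step 1 of the scenario also names the ``Content-Disposition`` header as a filename source, and nothing in the entry says whether a ``Content-Disposition`` filename sent by the redirect target is still honoured; the changelog should state the behaviour for that case explicitly so readers can judge the scope of the fix for CVE-2019-10751. A smaller point: the earlier bullet ("Changed the way the output filename is generated ...") and the new "Fixed CVE-2019-10751" bullet describe the same change, so only one of them should remain in the released changelog.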
@ -363,4 +383,4 @@ This project adheres to `Semantic Versioning <http://semver.org/>`_.
.. _1.0.0: https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.0
.. _1.0.1: https://github.com/jakubroztocil/httpie/compare/1.0.0...1.0.1
.. _1.0.2: https://github.com/jakubroztocil/httpie/compare/1.0.1...1.0.2
.. _1.0.3-dev: https://github.com/jakubroztocil/httpie/compare/1.0.2...master
.. _1.0.3: https://github.com/jakubroztocil/httpie/compare/1.0.2...1.0.3
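Review bot: swapping the ``1.0.3-dev`` link target for ``1.0.3`` leaves the changelog with no unreleased section or target for the next development version; consider adding the next ``-dev`` heading together with its ``compare/1.0.3...master`` target in the same commit so that follow-up changes have somewhere to be recorded.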

View File

@ -93,9 +93,8 @@ publish-no-test:
@echo $(TAG)Testing wheel build an installation$(END)
@echo "$(VERSION)"
@echo "$(VERSION)" | grep -q "dev" && echo '!!!Not publishing dev version!!!' && exit 1 || echo ok
python setup.py register
python setup.py sdist upload
python setup.py bdist_wheel upload
python setup.py sdist bdist_wheel
twine upload dist/*
@echo
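Review bot: ``twine upload dist/*`` pushes every artifact present in ``dist/``, including stale sdists or wheels left over from earlier builds, so the target should clear ``dist/`` before ``python setup.py sdist bdist_wheel`` or restrict the upload to ``dist/*$(VERSION)*``. Also, the echo message reads "Testing wheel build an installation"; it should be "and installation".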

View File

@ -2,7 +2,7 @@
HTTPie - a CLI, cURL-like tool for humans.
"""
__version__ = '1.0.3-dev'
__version__ = '1.0.3'
__author__ = 'Jakub Roztocil'
__licence__ = 'BSD'
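Review bot: the ``-dev`` suffix dropped from ``__version__`` here is exactly what the ``grep -q "dev"`` guard in the Makefile's ``publish-no-test`` target keys on, so it is worth checking that the Makefile's ``$(VERSION)`` is read from this string rather than maintained separately; otherwise the guard and the package version can drift and a dev build could be published.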

View File

@ -6,3 +6,4 @@ pytest-httpbin>=0.0.6
docutils
wheel
pycodestyle
twine
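Review bot: ``twine`` is added without a version bound while ``pytest-httpbin>=0.0.6`` above carries one; since twine is the tool that now performs the upload in the Makefile, give it at least a minimum version so release builds on different machines use a twine with the same upload behaviour.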