bushig / webmtube

Service + browser extension to detect screamers on 2ch.hk
23 stars 2 forks source link

Bump httpie from 0.9.9 to 1.0.3 #30

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 5 years ago

Bumps httpie from 0.9.9 to 1.0.3.

Release notes *Sourced from [httpie's releases](https://github.com/jakubroztocil/httpie/releases).* > ## HTTPie 1.0.3 > Fixed CVE-2019-10751 — the way the output filename is generated for `--download` requests without `--output` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario: > > 1. A `--download` request with no explicit `--output` is made (e.g., `$ http -d example.org/file.txt`), instructing HTTPie to [generate the output filename](https://httpie.org/doc#downloaded-filename) from the `Content-Disposition` response header, or from the URL if the header is not provided. > 2. The server handling the request has been modified by an attacker and instead of the expected response the URL returns a redirect to another URL, e.g., `attacker.example.org/.bash_profile`, whose response does not provide a `Content-Disposition` header (i.e., the base for the generated filename becomes `.bash_profile` instead of `file.txt`). > 3. Your current directory doesn’t already contain `.bash_profile` (i.e., no unique suffix is added to the generated filename). > 4. You don’t notice the potentially unexpected output filename as reported by HTTPie in the console output (e.g., `Downloading 100.00 B to ".bash_profile"`). > > ## HTTPie 1.0.2 > * Fixed tests for installation with pyOpenSSL. > > ## HTTPie 1.0.1 > * Removed external URL calls from tests. > > ## HTTPie 1.0.0 > > * Added ``--style=auto`` which follows the terminal ANSI color styles. > * Added support for selecting TLS 1.3 via ``--ssl=tls1.3`` > (available once implemented in upstream libraries). > * Added ``true``/``false`` as valid values for ``--verify`` > (in addition to ``yes``/``no``) and the boolean value is case-insensitive. > * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``). > * Fixed default headers being incorrectly case-sensitive. > * Removed Python 2.6 support.
Changelog *Sourced from [httpie's changelog](https://github.com/jakubroztocil/httpie/blob/master/CHANGELOG.rst).* > `1.0.3`_ (2019-08-26) > --------------------- > > * Fixed CVE-2019-10751 — the way the output filename is generated for > ``--download`` requests without ``--output`` resulting in a redirect has > been changed to only consider the initial URL as the base for the generated > filename, and not the final one. This fixes a potential security issue under > the following scenario: > > 1. A ``--download`` request with no explicit ``--output`` is made (e.g., > ``$ http -d example.org/file.txt``), instructing httpie to > `generate the output filename `_ > from the ``Content-Disposition`` response header, or from the URL if the header > is not provided. > 2. The server handling the request has been modified by an attacker and > instead of the expected response the URL returns a redirect to another > URL, e.g., ``attacker.example.org/.bash_profile``, whose response does > not provide a ``Content-Disposition`` header (i.e., the base for the > generated filename becomes ``.bash_profile`` instead of ``file.txt``). > 3. Your current directory doesn’t already contain ``.bash_profile`` > (i.e., no unique suffix is added to the generated filename). > 4. You don’t notice the potentially unexpected output filename > as reported by httpie in the console output > (e.g., ``Downloading 100.00 B to ".bash_profile"``). > > Reported by Raul Onitza and Giulio Comi. > > > `1.0.2`_ (2018-11-14) > ------------------------- > > * Fixed tests for installation with pyOpenSSL. > > > `1.0.1`_ (2018-11-14) > ------------------------- > > * Removed external URL calls from tests. > > > `1.0.0`_ (2018-11-02) > ------------------------- > > * Added ``--style=auto`` which follows the terminal ANSI color styles. > * Added support for selecting TLS 1.3 via ``--ssl=tls1.3`` > (available once implemented in upstream libraries). > * Added ``true``/``false`` as valid values for ``--verify`` > (in addition to ``yes``/``no``) and the boolean value is case-insensitive. > * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``). > * Fixed default headers being incorrectly case-sensitive. > ... (truncated)
Commits - [`747be30`](https://github.com/jakubroztocil/httpie/commit/747be30d2efda1b4287a84f1f27f4328621b222c) 1.0.3 - [`88a9583`](https://github.com/jakubroztocil/httpie/commit/88a9583f4c0682fc4d26525380d82802eb242784) Update CHANGELOG.rst - [`fd6e879`](https://github.com/jakubroztocil/httpie/commit/fd6e87914ca70f0825f47d226c1454e9a9a191bc) README - [`6dee493`](https://github.com/jakubroztocil/httpie/commit/6dee49357d793f0112ad806a480b53f2c2d1e627) Fix comments - [`df36d62`](https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8) Changed the way the output filename is generated - [`e92b831`](https://github.com/jakubroztocil/httpie/commit/e92b831e6e044a366d1907761fcc63a254a021a7) Create FUNDING.yml - [`fd44f1a`](https://github.com/jakubroztocil/httpie/commit/fd44f1af93ce1d2c84f324b8474d2d075b5a7b13) Updated Readme to fix a typo ([#767](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/767)) - [`b630954`](https://github.com/jakubroztocil/httpie/commit/b6309547d535287dd11429ba11a999414149b7fd) Add a bash here string example - [`3a46149`](https://github.com/jakubroztocil/httpie/commit/3a46149de1e58ce72563c4011bfee64781bc4af3) Fix several ResourceWarning: unclosed file ([#741](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/741)) - [`b7c8bf0`](https://github.com/jakubroztocil/httpie/commit/b7c8bf08002b48b5c82df61f5aec09a556f91b74) Add animation by [@​loranallensmith](https://github.com/loranallensmith) - Additional commits viewable in [compare view](https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.3)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/bushig/webmtube/network/alerts).
dependabot[bot] commented 2 years ago

Superseded by #35.