Release notes
*Sourced from [httpie's releases](https://github.com/jakubroztocil/httpie/releases).*
> ## HTTPie 1.0.3
> Fixed CVE-2019-10751 — the way the output filename is generated for `--download` requests without `--output` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario:
>
> 1. A `--download` request with no explicit `--output` is made (e.g., `$ http -d example.org/file.txt`), instructing HTTPie to [generate the output filename](https://httpie.org/doc#downloaded-filename) from the `Content-Disposition` response header, or from the URL if the header is not provided.
> 2. The server handling the request has been modified by an attacker and instead of the expected response the URL returns a redirect to another URL, e.g., `attacker.example.org/.bash_profile`, whose response does not provide a `Content-Disposition` header (i.e., the base for the generated filename becomes `.bash_profile` instead of `file.txt`).
> 3. Your current directory doesn’t already contain `.bash_profile` (i.e., no unique suffix is added to the generated filename).
> 4. You don’t notice the potentially unexpected output filename as reported by HTTPie in the console output (e.g., `Downloading 100.00 B to ".bash_profile"`).
>
> ## HTTPie 1.0.2
> * Fixed tests for installation with pyOpenSSL.
>
> ## HTTPie 1.0.1
> * Removed external URL calls from tests.
>
> ## HTTPie 1.0.0
>
> * Added ``--style=auto`` which follows the terminal ANSI color styles.
> * Added support for selecting TLS 1.3 via ``--ssl=tls1.3``
> (available once implemented in upstream libraries).
> * Added ``true``/``false`` as valid values for ``--verify``
> (in addition to ``yes``/``no``) and the boolean value is case-insensitive.
> * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``).
> * Fixed default headers being incorrectly case-sensitive.
> * Removed Python 2.6 support.
Changelog
*Sourced from [httpie's changelog](https://github.com/jakubroztocil/httpie/blob/master/CHANGELOG.rst).*
> `1.0.3`_ (2019-08-26)
> ---------------------
>
> * Fixed CVE-2019-10751 — the way the output filename is generated for
> ``--download`` requests without ``--output`` resulting in a redirect has
> been changed to only consider the initial URL as the base for the generated
> filename, and not the final one. This fixes a potential security issue under
> the following scenario:
>
> 1. A ``--download`` request with no explicit ``--output`` is made (e.g.,
> ``$ http -d example.org/file.txt``), instructing httpie to
> `generate the output filename `_
> from the ``Content-Disposition`` response header, or from the URL if the header
> is not provided.
> 2. The server handling the request has been modified by an attacker and
> instead of the expected response the URL returns a redirect to another
> URL, e.g., ``attacker.example.org/.bash_profile``, whose response does
> not provide a ``Content-Disposition`` header (i.e., the base for the
> generated filename becomes ``.bash_profile`` instead of ``file.txt``).
> 3. Your current directory doesn’t already contain ``.bash_profile``
> (i.e., no unique suffix is added to the generated filename).
> 4. You don’t notice the potentially unexpected output filename
> as reported by httpie in the console output
> (e.g., ``Downloading 100.00 B to ".bash_profile"``).
>
> Reported by Raul Onitza and Giulio Comi.
>
>
> `1.0.2`_ (2018-11-14)
> -------------------------
>
> * Fixed tests for installation with pyOpenSSL.
>
>
> `1.0.1`_ (2018-11-14)
> -------------------------
>
> * Removed external URL calls from tests.
>
>
> `1.0.0`_ (2018-11-02)
> -------------------------
>
> * Added ``--style=auto`` which follows the terminal ANSI color styles.
> * Added support for selecting TLS 1.3 via ``--ssl=tls1.3``
> (available once implemented in upstream libraries).
> * Added ``true``/``false`` as valid values for ``--verify``
> (in addition to ``yes``/``no``) and the boolean value is case-insensitive.
> * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``).
> * Fixed default headers being incorrectly case-sensitive.
> ... (truncated)
Commits
- [`747be30`](https://github.com/jakubroztocil/httpie/commit/747be30d2efda1b4287a84f1f27f4328621b222c) 1.0.3
- [`88a9583`](https://github.com/jakubroztocil/httpie/commit/88a9583f4c0682fc4d26525380d82802eb242784) Update CHANGELOG.rst
- [`fd6e879`](https://github.com/jakubroztocil/httpie/commit/fd6e87914ca70f0825f47d226c1454e9a9a191bc) README
- [`6dee493`](https://github.com/jakubroztocil/httpie/commit/6dee49357d793f0112ad806a480b53f2c2d1e627) Fix comments
- [`df36d62`](https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8) Changed the way the output filename is generated
- [`e92b831`](https://github.com/jakubroztocil/httpie/commit/e92b831e6e044a366d1907761fcc63a254a021a7) Create FUNDING.yml
- [`fd44f1a`](https://github.com/jakubroztocil/httpie/commit/fd44f1af93ce1d2c84f324b8474d2d075b5a7b13) Updated Readme to fix a typo ([#767](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/767))
- [`b630954`](https://github.com/jakubroztocil/httpie/commit/b6309547d535287dd11429ba11a999414149b7fd) Add a bash here string example
- [`3a46149`](https://github.com/jakubroztocil/httpie/commit/3a46149de1e58ce72563c4011bfee64781bc4af3) Fix several ResourceWarning: unclosed file ([#741](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/741))
- [`b7c8bf0`](https://github.com/jakubroztocil/httpie/commit/b7c8bf08002b48b5c82df61f5aec09a556f91b74) Add animation by [@loranallensmith](https://github.com/loranallensmith)
- Additional commits viewable in [compare view](https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.3)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/pybites/codetips/network/alerts).
Bumps httpie from 0.9.9 to 1.0.3.
Release notes
*Sourced from [httpie's releases](https://github.com/jakubroztocil/httpie/releases).* > ## HTTPie 1.0.3 > Fixed CVE-2019-10751 — the way the output filename is generated for `--download` requests without `--output` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario: > > 1. A `--download` request with no explicit `--output` is made (e.g., `$ http -d example.org/file.txt`), instructing HTTPie to [generate the output filename](https://httpie.org/doc#downloaded-filename) from the `Content-Disposition` response header, or from the URL if the header is not provided. > 2. The server handling the request has been modified by an attacker and instead of the expected response the URL returns a redirect to another URL, e.g., `attacker.example.org/.bash_profile`, whose response does not provide a `Content-Disposition` header (i.e., the base for the generated filename becomes `.bash_profile` instead of `file.txt`). > 3. Your current directory doesn’t already contain `.bash_profile` (i.e., no unique suffix is added to the generated filename). > 4. You don’t notice the potentially unexpected output filename as reported by HTTPie in the console output (e.g., `Downloading 100.00 B to ".bash_profile"`). > > ## HTTPie 1.0.2 > * Fixed tests for installation with pyOpenSSL. > > ## HTTPie 1.0.1 > * Removed external URL calls from tests. > > ## HTTPie 1.0.0 > > * Added ``--style=auto`` which follows the terminal ANSI color styles. > * Added support for selecting TLS 1.3 via ``--ssl=tls1.3`` > (available once implemented in upstream libraries). > * Added ``true``/``false`` as valid values for ``--verify`` > (in addition to ``yes``/``no``) and the boolean value is case-insensitive. > * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``). > * Fixed default headers being incorrectly case-sensitive. > * Removed Python 2.6 support.Changelog
*Sourced from [httpie's changelog](https://github.com/jakubroztocil/httpie/blob/master/CHANGELOG.rst).* > `1.0.3`_ (2019-08-26) > --------------------- > > * Fixed CVE-2019-10751 — the way the output filename is generated for > ``--download`` requests without ``--output`` resulting in a redirect has > been changed to only consider the initial URL as the base for the generated > filename, and not the final one. This fixes a potential security issue under > the following scenario: > > 1. A ``--download`` request with no explicit ``--output`` is made (e.g., > ``$ http -d example.org/file.txt``), instructing httpie to > `generate the output filenameCommits
- [`747be30`](https://github.com/jakubroztocil/httpie/commit/747be30d2efda1b4287a84f1f27f4328621b222c) 1.0.3 - [`88a9583`](https://github.com/jakubroztocil/httpie/commit/88a9583f4c0682fc4d26525380d82802eb242784) Update CHANGELOG.rst - [`fd6e879`](https://github.com/jakubroztocil/httpie/commit/fd6e87914ca70f0825f47d226c1454e9a9a191bc) README - [`6dee493`](https://github.com/jakubroztocil/httpie/commit/6dee49357d793f0112ad806a480b53f2c2d1e627) Fix comments - [`df36d62`](https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8) Changed the way the output filename is generated - [`e92b831`](https://github.com/jakubroztocil/httpie/commit/e92b831e6e044a366d1907761fcc63a254a021a7) Create FUNDING.yml - [`fd44f1a`](https://github.com/jakubroztocil/httpie/commit/fd44f1af93ce1d2c84f324b8474d2d075b5a7b13) Updated Readme to fix a typo ([#767](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/767)) - [`b630954`](https://github.com/jakubroztocil/httpie/commit/b6309547d535287dd11429ba11a999414149b7fd) Add a bash here string example - [`3a46149`](https://github.com/jakubroztocil/httpie/commit/3a46149de1e58ce72563c4011bfee64781bc4af3) Fix several ResourceWarning: unclosed file ([#741](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/741)) - [`b7c8bf0`](https://github.com/jakubroztocil/httpie/commit/b7c8bf08002b48b5c82df61f5aec09a556f91b74) Add animation by [@loranallensmith](https://github.com/loranallensmith) - Additional commits viewable in [compare view](https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.3)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/pybites/codetips/network/alerts).