Jakub Roztocil 2019-08-26 12:42:34 +02:00
parent 88a9583f4c
commit 747be30d2e
4 changed files with 29 additions and 9 deletions


@ -6,12 +6,32 @@ This document records all notable changes to `HTTPie <http://httpie.org>`_.
This project adheres to `Semantic Versioning <http://semver.org/>`_. This project adheres to `Semantic Versioning <http://semver.org/>`_.
`1.0.3-dev`_ (unreleased) `1.0.3`_ (2019-08-26)
------------------------- -------------------------
* Changed the way the output filename is generated for ``--download`` requests * Fixed CVE-2019-10751 — the way the output filename is generated for
without ``--output`` and with a redirect — now only the initial URL is ``--download`` requests without ``--output`` resulting in a redirect has
considered, not the final one. Thanks to Raul Onitza of Snyk for bringing this up. been changed to only consider the initial URL as the base for the generated
filename, and not the final one. This fixes a potential security issue under
the following scenario:
1. A ``--download`` request with no explicit ``--output`` is made (e.g.,
``$ http -d example.org/file.txt``), instructing httpie to
`generate the output filename <https://httpie.org/doc#downloaded-file-name>`_
from the ``Content-Disposition`` response, or from the URL if the header
is not provided.
2. The server handling the request has been modified by an attacker and
instead of the expected response the URL returns a redirect to another
URL, e.g., ``attacker.example.org/.bash_profile``, whose response does
not provide a ``Content-Disposition`` header (i.e., the base for the
generated filename becomes ``.bash_profile`` instead of ``file.txt``).
3. Your current directory doesnt already contain ``.bash_profile``
(i.e., no unique suffix is added to the generated filename).
4. You dont notice the potentially unexpected output filename
as reported by httpie in the console output
(e.g., ``Downloading 100.00 B to ".bash_profile"``).
Reported by Raul Onitza and Giulio Comi.
`1.0.2`_ (2018-11-14) `1.0.2`_ (2018-11-14)
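Review bot: the new scenario text has two missing apostrophes, "doesnt" in step 3 and "dont" in step 4, which should read "doesn't" and "don't" ("3. Your current directory doesn't already contain ``.bash_profile``" and "4. You don't notice the potentially unexpected output filename"). Also note that this commit changes only the changelog, Makefile, version string and dev requirements, so the behaviour change the entry describes (filename derived from the initial URL, not the redirect target) must already be in the parent commit; worth confirming before tagging 1.0.3 that the parent actually contains that fix and a regression test for the redirect case, since the changelog is now the only place in this diff that asserts CVE-2019-10751 is fixed. Minor: the old entry credited "Raul Onitza of Snyk"; the new "Reported by" line drops the affiliation, which may or may not be intended.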
@ -363,4 +383,4 @@ This project adheres to `Semantic Versioning <http://semver.org/>`_.
.. _1.0.0: https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.0 .. _1.0.0: https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.0
.. _1.0.1: https://github.com/jakubroztocil/httpie/compare/1.0.0...1.0.1 .. _1.0.1: https://github.com/jakubroztocil/httpie/compare/1.0.0...1.0.1
.. _1.0.2: https://github.com/jakubroztocil/httpie/compare/1.0.1...1.0.2 .. _1.0.2: https://github.com/jakubroztocil/httpie/compare/1.0.1...1.0.2
.. _1.0.3-dev: https://github.com/jakubroztocil/httpie/compare/1.0.2...master .. _1.0.3: https://github.com/jakubroztocil/httpie/compare/1.0.2...1.0.3
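Review bot: the renamed link target now points at ``compare/1.0.2...1.0.3``, which resolves only once the ``1.0.3`` git tag exists and is pushed; until then the changelog link is dead. Make tagging part of the release step (the Makefile's publish target in this same commit does not create or push a tag), or keep the ``...master`` target until the tag is cut.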


@ -93,9 +93,8 @@ publish-no-test:
@echo $(TAG)Testing wheel build an installation$(END) @echo $(TAG)Testing wheel build an installation$(END)
@echo "$(VERSION)" @echo "$(VERSION)"
@echo "$(VERSION)" | grep -q "dev" && echo '!!!Not publishing dev version!!!' && exit 1 || echo ok @echo "$(VERSION)" | grep -q "dev" && echo '!!!Not publishing dev version!!!' && exit 1 || echo ok
python setup.py register python setup.py sdist bdist_wheel
python setup.py sdist upload twine upload dist/*
python setup.py bdist_wheel upload
@echo @echo
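Review bot: ``twine upload dist/*`` publishes everything in ``dist/``, not just the artifacts built by the preceding ``python setup.py sdist bdist_wheel`` line, so a stale sdist or wheel left over from an earlier build (for example a ``1.0.3-dev`` wheel that the ``grep -q "dev"`` guard above only checks against the current version string, not against the files on disk) would be uploaded alongside the release. Clear the directory before building, e.g. ``rm -rf dist/`` immediately before ``python setup.py sdist bdist_wheel``, or upload explicit filenames. Unrelated pre-existing nit in the context line: "Testing wheel build an installation" should read "and installation".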


@ -2,7 +2,7 @@
HTTPie - a CLI, cURL-like tool for humans. HTTPie - a CLI, cURL-like tool for humans.
""" """
__version__ = '1.0.3-dev' __version__ = '1.0.3'
__author__ = 'Jakub Roztocil' __author__ = 'Jakub Roztocil'
__licence__ = 'BSD' __licence__ = 'BSD'


@ -6,3 +6,4 @@ pytest-httpbin>=0.0.6
docutils docutils
wheel wheel
pycodestyle pycodestyle
twine
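Review bot: ``twine`` is added without a version constraint, whereas ``pytest-httpbin>=0.0.6`` in the same file carries a floor. Since this tool is now the only path that pushes release artifacts to the index (see the Makefile change in this commit), give it at least a minimum version so that the release environment is reproducible and an outdated twine is not silently used for publishing.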