==========
Change Log
==========

This document records all notable changes to `HTTPie <http://httpie.org>`_.
This project adheres to `Semantic Versioning <http://semver.org/>`_.


`1.0.3`_ (2019-08-26)
-------------------------

* Fixed CVE-2019-10751 — the way the output filename is generated for
  ``--download`` requests without ``--output`` resulting in a redirect has
  been changed to only consider the initial URL as the base for the generated
  filename, and not the final one. This fixes a potential security issue under
  the following scenario:

  1. A ``--download`` request with no explicit ``--output`` is made (e.g.,
     ``$ http -d example.org/file.txt``), instructing httpie to
     `generate the output filename <https://httpie.org/doc#downloaded-filename>`_
     from the ``Content-Disposition`` response, or from the URL if the header
     is not provided.
  2. The server handling the request has been modified by an attacker and
     instead of the expected response the URL returns a redirect to another
     URL, e.g., ``attacker.example.org/.bash_profile``, whose response does
     not provide  a ``Content-Disposition`` header (i.e., the base for the
     generated filename becomes ``.bash_profile`` instead of ``file.txt``).
  3. Your current directory doesn’t already contain ``.bash_profile``
     (i.e., no unique suffix is added to the generated filename).
  4. You don’t notice the potentially unexpected output filename
     as reported by httpie in the console output
     (e.g., ``Downloading 100.00 B to ".bash_profile"``).

  Reported by Raul Onitza and Giulio Comi.


`1.0.2`_ (2018-11-14)
-------------------------

* Fixed tests for installation with pyOpenSSL.


`1.0.1`_ (2018-11-14)
-------------------------

* Removed external URL calls from tests.


`1.0.0`_ (2018-11-02)
-------------------------

* Added ``--style=auto`` which follows the terminal ANSI color styles.
* Added support for selecting TLS 1.3 via ``--ssl=tls1.3``
  (available once implemented in upstream libraries).
* Added ``true``/``false`` as valid values for ``--verify``
  (in addition to ``yes``/``no``) and the boolean value is case-insensitive.
* Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``).
* Fixed default headers being incorrectly case-sensitive.
* Removed Python 2.6 support.



`0.9.9`_ (2016-12-08)
---------------------

* Fixed README.


`0.9.8`_ (2016-12-08)
---------------------

* Extended auth plugin API.
* Added exit status code ``7`` for plugin errors.
* Added support for ``curses``-less Python installations.
* Fixed ``REQUEST_ITEM`` arg incorrectly being reported as required.
* Improved ``CTRL-C`` interrupt handling.
* Added the standard exit status code ``130`` for keyboard interrupts.


`0.9.6`_ (2016-08-13)
---------------------

* Added Python 3 as a dependency for Homebrew installations
  to ensure some of the newer HTTP features work out of the box
  for macOS users (starting with HTTPie 0.9.4.).
* Added the ability to unset a request header with ``Header:``, and send an
  empty value with ``Header;``.
* Added ``--default-scheme <URL_SCHEME>`` to enable things like
  ``$ alias https='http --default-scheme=https``.
* Added ``-I`` as a shortcut for ``--ignore-stdin``.
* Added fish shell completion (located in ``extras/httpie-completion.fish``
  in the Github repo).
* Updated ``requests`` to 2.10.0 so that SOCKS support can be added via
  ``pip install requests[socks]``.
* Changed the default JSON ``Accept`` header from ``application/json``
  to ``application/json, */*``.
* Changed the pre-processing of request HTTP headers so that any leading
  and trailing whitespace is removed.


`0.9.4`_ (2016-07-01)
---------------------

* Added ``Content-Type`` of files uploaded in ``multipart/form-data`` requests
* Added ``--ssl=<PROTOCOL>`` to specify the desired SSL/TLS protocol version
  to use for HTTPS requests.
* Added JSON detection with ``--json, -j`` to work around incorrect
  ``Content-Type``
* Added ``--all`` to show intermediate responses such as redirects (with ``--follow``)
* Added ``--history-print, -P WHAT`` to specify formatting of intermediate responses
* Added ``--max-redirects=N`` (default 30)
* Added ``-A`` as short name for ``--auth-type``
* Added ``-F`` as short name for ``--follow``
* Removed the ``implicit_content_type`` config option
  (use ``"default_options": ["--form"]`` instead)
* Redirected ``stdout`` doesn't trigger an error anymore when ``--output FILE``
  is set
* Changed the default ``--style`` back to ``solarized`` for better support
  of light and dark terminals
* Improved ``--debug`` output
* Fixed ``--session`` when used with ``--download``
* Fixed ``--download`` to trim too long filenames before saving the file
* Fixed the handling of ``Content-Type`` with multiple ``+subtype`` parts
* Removed the XML formatter as the implementation suffered from multiple issues



`0.9.3`_ (2016-01-01)
---------------------

* Changed the default color ``--style`` from ``solarized`` to ``monokai``
* Added basic Bash autocomplete support (need to be installed manually)
* Added request details to connection error messages
* Fixed ``'requests.packages.urllib3' has no attribute 'disable_warnings'``
  errors that occurred in some installations
* Fixed colors and formatting on Windows
* Fixed ``--auth`` prompt on Windows


`0.9.2`_ (2015-02-24)
---------------------

* Fixed compatibility with Requests 2.5.1
* Changed the default JSON ``Content-Type`` to ``application/json`` as UTF-8
  is the default JSON encoding


`0.9.1`_ (2015-02-07)
---------------------

* Added support for Requests transport adapter plugins
  (see `httpie-unixsocket <https://github.com/httpie/httpie-unixsocket>`_
  and `httpie-http2 <https://github.com/httpie/httpie-http2>`_)


`0.9.0`_ (2015-01-31)
---------------------

* Added ``--cert`` and ``--cert-key`` parameters to specify a client side
  certificate and private key for SSL
* Improved unicode support
* Improved terminal color depth detection via ``curses``
* To make it easier to deal with Windows paths in request items, ``\``
  now only escapes special characters (the ones that are used as key-value
  separators by HTTPie)
* Switched from ``unittest`` to ``pytest``
* Added Python `wheel` support
* Various test suite improvements
* Added ``CONTRIBUTING``
* Fixed ``User-Agent`` overwriting when used within a session
* Fixed handling of empty passwords in URL credentials
* Fixed multiple file uploads with the same form field name
* Fixed ``--output=/dev/null`` on Linux
* Miscellaneous bugfixes


`0.8.0`_ (2014-01-25)
---------------------

* Added ``field=@file.txt`` and ``field:=@file.json`` for embedding
  the contents of text and JSON files into request data
* Added curl-style shorthand for localhost
* Fixed request ``Host`` header value output so that it doesn't contain
  credentials, if included in the URL


`0.7.1`_ (2013-09-24)
---------------------

* Added ``--ignore-stdin``
* Added support for auth plugins
* Improved ``--help`` output
* Improved ``Content-Disposition`` parsing for ``--download`` mode
* Update to Requests 2.0.0


`0.6.0`_ (2013-06-03)
---------------------

* XML data is now formatted
* ``--session`` and ``--session-read-only`` now also accept paths to
  session files (eg. ``http --session=/tmp/session.json example.org``)


`0.5.1`_ (2013-05-13)
---------------------

* ``Content-*`` and ``If-*`` request headers are not stored in sessions
  anymore as they are request-specific


`0.5.0`_ (2013-04-27)
---------------------

* Added a download mode via ``--download``
* Fixes miscellaneous bugs


`0.4.1`_ (2013-02-26)
---------------------

* Fixed ``setup.py``


`0.4.0`_ (2013-02-22)
---------------------

* Added Python 3.3 compatibility
* Added Requests >= v1.0.4 compatibility
* Added support for credentials in URL
* Added ``--no-option`` for every ``--option`` to be config-friendly
* Mutually exclusive arguments can be specified multiple times. The
  last value is used


`0.3.0`_ (2012-09-21)
---------------------

* Allow output redirection on Windows
* Added configuration file
* Added persistent session support
* Renamed ``--allow-redirects`` to ``--follow``
* Improved the usability of ``http --help``
* Fixed installation on Windows with Python 3
* Fixed colorized output on Windows with Python 3
* CRLF HTTP header field separation in the output
* Added exit status code ``2`` for timed-out requests
* Added the option to separate colorizing and formatting
  (``--pretty=all``, ``--pretty=colors`` and ``--pretty=format``)
  ``--ugly`` has bee removed in favor of ``--pretty=none``


`0.2.7`_ (2012-08-07)
---------------------

* Added compatibility with Requests 0.13.6
* Added streamed terminal output. ``--stream, -S`` can be used to enable
  streaming also with ``--pretty`` and to ensure a more frequent output
  flushing
* Added support for efficient large file downloads
* Sort headers by name (unless ``--pretty=none``)
* Response body is fetched only when needed (e.g., not with ``--headers``)
* Improved content type matching
* Updated Solarized color scheme
* Windows: Added ``--output FILE`` to store output into a file
  (piping results in corrupted data on Windows)
* Proper handling of binary requests and responses
* Fixed printing of ``multipart/form-data`` requests
* Renamed ``--traceback`` to ``--debug``


`0.2.6`_ (2012-07-26)
---------------------

* The short option for ``--headers`` is now ``-h`` (``-t`` has been
  removed, for usage use ``--help``)
* Form data and URL parameters can have multiple fields with the same name
  (e.g.,``http -f url a=1 a=2``)
* Added ``--check-status`` to exit with an error on HTTP 3xx, 4xx and
  5xx (3, 4, and 5, respectively)
* If the output is piped to another program or redirected to a file,
  the default behaviour is to only print the response body
  (It can still be overwritten via the ``--print`` flag.)
* Improved highlighting of HTTP headers
* Added query string parameters (``param==value``)
* Added support for terminal colors under Windows


`0.2.5`_ (2012-07-17)
---------------------

* Unicode characters in prettified JSON now don't get escaped for
  improved readability
* --auth now prompts for a password if only a username provided
* Added support for request payloads from a file path with automatic
  ``Content-Type`` (``http URL @/path``)
* Fixed missing query string when displaying the request headers via
  ``--verbose``
* Fixed Content-Type for requests with no data


`0.2.2`_ (2012-06-24)
---------------------

* The ``METHOD`` positional argument can now be omitted (defaults to
  ``GET``, or to ``POST`` with data)
* Fixed --verbose --form
* Added support for Tox


`0.2.1`_ (2012-06-13)
---------------------

* Added compatibility with ``requests-0.12.1``
* Dropped custom JSON and HTTP lexers in favor of the ones newly included
  in ``pygments-1.5``


`0.2.0`_ (2012-04-25)
---------------------

* Added Python 3 support
* Added the ability to print the HTTP request as well as the response
  (see ``--print`` and ``--verbose``)
* Added support for Digest authentication
* Added file upload support
  (``http -f POST file_field_name@/path/to/file``)
* Improved syntax highlighting for JSON
* Added support for field name escaping
* Many bug fixes


`0.1.6`_ (2012-03-04)
---------------------

* Fixed ``setup.py``


`0.1.5`_ (2012-03-04)
---------------------

* Many improvements and bug fixes


`0.1.4`_ (2012-02-28)
---------------------

* Many improvements and bug fixes


`0.1.0`_ (2012-02-25)
---------------------

* Initial public release


.. _`0.1.0`: https://github.com/jakubroztocil/httpie/commit/b966efa
.. _0.1.4: https://github.com/jakubroztocil/httpie/compare/b966efa...0.1.4
.. _0.1.5: https://github.com/jakubroztocil/httpie/compare/0.1.4...0.1.5
.. _0.1.6: https://github.com/jakubroztocil/httpie/compare/0.1.5...0.1.6
.. _0.2.0: https://github.com/jakubroztocil/httpie/compare/0.1.6...0.2.0
.. _0.2.1: https://github.com/jakubroztocil/httpie/compare/0.2.0...0.2.1
.. _0.2.2: https://github.com/jakubroztocil/httpie/compare/0.2.1...0.2.2
.. _0.2.5: https://github.com/jakubroztocil/httpie/compare/0.2.2...0.2.5
.. _0.2.6: https://github.com/jakubroztocil/httpie/compare/0.2.5...0.2.6
.. _0.2.7: https://github.com/jakubroztocil/httpie/compare/0.2.5...0.2.7
.. _0.3.0: https://github.com/jakubroztocil/httpie/compare/0.2.7...0.3.0
.. _0.4.0: https://github.com/jakubroztocil/httpie/compare/0.3.0...0.4.0
.. _0.4.1: https://github.com/jakubroztocil/httpie/compare/0.4.0...0.4.1
.. _0.5.0: https://github.com/jakubroztocil/httpie/compare/0.4.1...0.5.0
.. _0.5.1: https://github.com/jakubroztocil/httpie/compare/0.5.0...0.5.1
.. _0.6.0: https://github.com/jakubroztocil/httpie/compare/0.5.1...0.6.0
.. _0.7.1: https://github.com/jakubroztocil/httpie/compare/0.6.0...0.7.1
.. _0.8.0: https://github.com/jakubroztocil/httpie/compare/0.7.1...0.8.0
.. _0.9.0: https://github.com/jakubroztocil/httpie/compare/0.8.0...0.9.0
.. _0.9.1: https://github.com/jakubroztocil/httpie/compare/0.9.0...0.9.1
.. _0.9.2: https://github.com/jakubroztocil/httpie/compare/0.9.1...0.9.2
.. _0.9.3: https://github.com/jakubroztocil/httpie/compare/0.9.2...0.9.3
.. _0.9.4: https://github.com/jakubroztocil/httpie/compare/0.9.3...0.9.4
.. _0.9.6: https://github.com/jakubroztocil/httpie/compare/0.9.4...0.9.6
.. _0.9.8: https://github.com/jakubroztocil/httpie/compare/0.9.6...0.9.8
.. _0.9.9: https://github.com/jakubroztocil/httpie/compare/0.9.8...0.9.9
.. _1.0.0: https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.0
.. _1.0.1: https://github.com/jakubroztocil/httpie/compare/1.0.0...1.0.1
.. _1.0.2: https://github.com/jakubroztocil/httpie/compare/1.0.1...1.0.2
.. _1.0.3: https://github.com/jakubroztocil/httpie/compare/1.0.2...1.0.3