pkgsrc-Changes archive


CVS commit: pkgsrc/www/ruby-mechanize

Module Name:    pkgsrc
Committed By:   taca
Date:           Sun Apr 29 16:11:17 UTC 2012

Modified Files:
        pkgsrc/www/ruby-mechanize: Makefile PLIST distinfo

Log Message:
Update ruby-mechanize to 2.4.

=== 2.4

* Security fix:

  Mechanize#auth and Mechanize#basic_auth allowed disclosure of passwords to
  malicious servers and have been removed.

  In prior versions of mechanize only one set of HTTP authentication
  credentials were allowed for all connections.  If a mechanize instance
  connected to more than one server then a malicious server detecting
  mechanize could ask for HTTP Basic authentication.  This would expose the
  username and password intended only for one server.

  Mechanize#auth and Mechanize#basic_auth now warn when used.

  To fix the warning switch to Mechanize#add_auth which requires the URI
  the credentials are intended for, the username and the password.
  Optionally an HTTP authentication realm or NTLM domain may be provided.

* Minor enhancement
  * Improved exception messages for 401 Unauthorized responses.  Mechanize now
    tells you if you were missing credentials, had an incorrect password, etc.

To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/ruby-mechanize/Makefile \
cvs rdiff -u -r1.6 -r1.7 pkgsrc/www/ruby-mechanize/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
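
Added example, not part of the commit message and not mechanize's own code: a minimal model of why one credential pair shared across all connections is disclosed to any server that sends a Basic challenge, next to a store keyed by the URI the credentials are intended for. The class names, method bodies and hosts are hypothetical and constructed for illustration; only the add_auth argument order (URI, username, password, optional realm) follows the log message above.

```ruby
require "uri"

# Hypothetical model of a single global credential pair (the removed behaviour).
class GlobalCredentials
  def initialize(user, password)
    @pair = [user, password]
  end

  # Every server that answers 401 with a Basic challenge gets the same pair.
  def credentials_for(_uri, _realm = nil)
    @pair
  end
end

# Hypothetical model of credentials scoped to the URI they were added for.
class ScopedCredentials
  def initialize
    @store = {}
  end

  def add_auth(uri, user, password, realm = nil)
    @store[[origin(uri), realm]] = [user, password]
  end

  # Exact realm match first, then the realm-less entry for the same origin only.
  def credentials_for(uri, realm = nil)
    o = origin(uri)
    @store[[o, realm]] || @store[[o, nil]]
  end

  private

  # Scheme, lower-cased host and port identify the server a secret belongs to.
  def origin(uri)
    u = URI(uri.to_s)
    [u.scheme.to_s.downcase, u.host.to_s.downcase, u.port]
  end
end

# Constructed hosts: the intended server and one that sends an unexpected challenge.
INTENDED   = "https://intranet.example/reports"
UNEXPECTED = "https://other.example/page"

# What each store would hand over when both hosts answer with a Basic challenge.
def basic_challenge_answers(store)
  [INTENDED, UNEXPECTED].map { |u| [u, store.credentials_for(u, "any realm")] }.to_h
end
```

With the global store both hosts receive the pair; with the scoped store the unexpected host, and the same host over a different scheme or port, receives nothing.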
