pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/www/py-httpie py-httpie: updated to 1.0.3



details:   https://anonhg.NetBSD.org/pkgsrc/rev/50bab0bee558
branches:  trunk
changeset: 400322:50bab0bee558
user:      adam <adam%pkgsrc.org@localhost>
date:      Tue Aug 27 06:01:23 2019 +0000

description:
py-httpie: updated to 1.0.3

1.0.3:
* Fixed CVE-2019-10751 ? the way the output filename is generated for
  --download requests without --output resulting in a redirect has
  been changed to only consider the initial URL as the base for the generated
  filename, and not the final one. This fixes a potential security issue under
  the following scenario:

  1. A --download request with no explicit --output is made (e.g.,
     $ http -d example.org/file.txt), instructing httpie to
     generate the output filename <https://httpie.org/doc#downloaded-file-name>_
     from the Content-Disposition response, or from the URL if the header
     is not provided.
  2. The server handling the request has been modified by an attacker and
     instead of the expected response the URL returns a redirect to another
     URL, e.g., attacker.example.org/.bash_profile, whose response does
     not provide  a Content-Disposition header (i.e., the base for the
     generated filename becomes .bash_profile instead of file.txt).
  3. Your current directory doesn?t already contain .bash_profile
     (i.e., no unique suffix is added to the generated filename).
  4. You don?t notice the potentially unexpected output filename
     as reported by httpie in the console output
     (e.g., Downloading 100.00 B to ".bash_profile").

diffstat:

 www/py-httpie/Makefile |  10 +++++-----
 www/py-httpie/distinfo |  10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diffs (45 lines):

diff -r 2217f22cd616 -r 50bab0bee558 www/py-httpie/Makefile
--- a/www/py-httpie/Makefile    Tue Aug 27 05:38:43 2019 +0000
+++ b/www/py-httpie/Makefile    Tue Aug 27 06:01:23 2019 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.7 2018/11/30 11:28:55 adam Exp $
+# $NetBSD: Makefile,v 1.8 2019/08/27 06:01:23 adam Exp $
 
-DISTNAME=      httpie-1.0.2
+DISTNAME=      httpie-1.0.3
 PKGNAME=       ${PYPKGPREFIX}-${EGG_NAME}
 CATEGORIES=    www python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=h/httpie/}
@@ -13,14 +13,14 @@
 DEPENDS+=      ${PYPKGPREFIX}-curses-[0-9]*:../../devel/py-curses
 DEPENDS+=      ${PYPKGPREFIX}-pygments>=2.1.3:../../textproc/py-pygments
 DEPENDS+=      ${PYPKGPREFIX}-requests>=2.18.4:../../devel/py-requests
-# Tests are not included as of 1.0.2
-TEST_DEPENDS+= ${PYPKGPREFIX}-test-httpbin-[0-9]*:../../www/py-test-httpbin
+# Tests are not included as of 1.0.3
+#TEST_DEPENDS+=        ${PYPKGPREFIX}-test-httpbin-[0-9]*:../../www/py-test-httpbin
 
 USE_LANGUAGES= # none
 
 post-install:
        cd ${DESTDIR}${PREFIX}/bin && \
-               ${MV} http http-${PYVERSSUFFIX} || ${TRUE}
+       ${MV} http http-${PYVERSSUFFIX} || ${TRUE}
 
 .include "../../lang/python/egg.mk"
 .include "../../mk/bsd.pkg.mk"
diff -r 2217f22cd616 -r 50bab0bee558 www/py-httpie/distinfo
--- a/www/py-httpie/distinfo    Tue Aug 27 05:38:43 2019 +0000
+++ b/www/py-httpie/distinfo    Tue Aug 27 06:01:23 2019 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.8 2018/11/30 11:28:55 adam Exp $
+$NetBSD: distinfo,v 1.9 2019/08/27 06:01:23 adam Exp $
 
-SHA1 (httpie-1.0.2.tar.gz) = 28b9c57c10f20a38b985d87de856ffc4042deae3
-RMD160 (httpie-1.0.2.tar.gz) = dde8e550fa2083eddb69512310a5ec1f52d9a86a
-SHA512 (httpie-1.0.2.tar.gz) = cc0f2b8928d68bdd0c4eba96f499365d294429e909d91538c48f5028a55ca4a7ba41abdb94ef851459799f437457639b43ba408bb6336702d6042e7e5d5a9cbf
-Size (httpie-1.0.2.tar.gz) = 85245 bytes
+SHA1 (httpie-1.0.3.tar.gz) = 476fde8aa1827f7dd65c3a114e80023450df0bff
+RMD160 (httpie-1.0.3.tar.gz) = ce5d7149dcca76a93c8f4d9a8d19c7560b8463ca
+SHA512 (httpie-1.0.3.tar.gz) = b51779e0ec8f24108ee3f4bf690dc9dfddafff42509d1aa3d13ac12d65a93e02aad9644dc10134ebdbebf949b250cb288650a4dad3d382143e9ad3b9b0ac8c16
+Size (httpie-1.0.3.tar.gz) = 86725 bytes



Home | Main Index | Thread Index | Old Index