@joao-p-marques
Contributor

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. (CVE-2018-18074)

We should abandon that old package in favour of a more recent one.

We need to remove the mediafire backend to do so.

Update cryptography
Install latest version of rust on the image (needed for cryptography)
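The redirect case from the advisory quoted above, as an added example that is not part of this pull request or of the Requests source: a simplified model that compares a hostname-only check with a scheme- and port-aware one. The function names and the `example.test` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def strip_hostname_only(old_url, new_url):
    """Hostname-only comparison: models the behaviour the advisory describes."""
    return origin(old_url)[1] != origin(new_url)[1]

def strip_hardened(old_url, new_url):
    """Drop the header unless the redirect keeps the same origin or is a
    default-port http -> https upgrade on the same host."""
    (s1, h1, p1), (s2, h2, p2) = origin(old_url), origin(new_url)
    if h1 != h2:
        return True
    if (s1, p1, s2, p2) == ("http", 80, "https", 443):
        return False
    return (s1, p1) != (s2, p2)

def headers_after_redirect(headers, old_url, new_url, should_strip):
    """Headers a client would forward to new_url under the given policy."""
    if not should_strip(old_url, new_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}

# Constructed sample redirects (old URL, new URL); not taken from the PR.
SAMPLE_REDIRECTS = [
    ("https://api.example.test/login", "http://api.example.test/login"),  # downgrade
    ("https://api.example.test/a", "https://api.example.test/b"),         # same origin
    ("http://api.example.test/a", "https://api.example.test/a"),          # upgrade
    ("https://api.example.test/a", "https://api.example.test:8443/a"),    # port change
    ("https://api.example.test/a", "https://cdn.example.test/a"),         # host change
]

def audit(redirects=SAMPLE_REDIRECTS):
    """Per redirect: (strips under hostname-only, strips under hardened)."""
    return [(strip_hostname_only(o, n), strip_hardened(o, n)) for o, n in redirects]

if __name__ == "__main__":
    for (old, new), (weak, strong) in zip(SAMPLE_REDIRECTS, audit()):
        print(f"{old} -> {new}: hostname-only strips={weak}, hardened strips={strong}")
```
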
@joao-p-marques
Contributor Author

Issue commented upstream: https://github.com/MediaFire/mediafire-python-open-sdk/issues/36
Unfortunately, if not fixed, we might have to remove the mediafire backend... 🤷‍♂️

@joao-p-marques requested a review from yajo March 11, 2021 14:52
@yajo added this to the v2.0.0 milestone Mar 12, 2021
@yajo added bug, dependencies (Pull requests that update a dependency file), security and removed bug labels Mar 12, 2021
@yajo merged commit 222e6a1 into master Mar 12, 2021
@yajo deleted the fix-dependencies branch March 12, 2021 12:31