@pankgeorg pankgeorg commented Jun 23, 2025

Try this Pull Request!

Open Julia and type:

julia> import Pkg
julia> Pkg.activate(temp=true)
julia> Pkg.add(url="https://github.com/fonsp/Pluto.jl", rev="pankgeorg-patch-1")
julia> using Pluto

@pankgeorg pankgeorg merged commit dee6bfc into main Jun 23, 2025
16 checks passed
@pankgeorg pankgeorg deleted the pankgeorg-patch-1 branch June 23, 2025 18:27
fonsp commented Jun 26, 2025

This PR was about GHSA-4g68-4pxg-mw93

We looked at our codebase carefully (because we have cookie-based authentication, and access to the Pluto server would allow remote code execution). We are confident that the CVE does not affect Pluto.

The issue is with URIs.jl URI parsing (String -> URI). IIUC, the exploit relies on data from such a URI object entering:

  • a response header
    • but we don't have this
  • an HTML response
    • this is possible here, but it's HTML escaped (and you need the secret)

I also believe that our secret-based Auth cannot be exploited using this CVE: the header required for privileged access is Secret: --secret-here--, and not Access: true or something similar. And modifying response headers does not give privileged access.
Our conclusion is that it's good to merge this PR (for good practice). But we don't need to "escalate", which would mean publishing a warning on Julia forums, publishing a Pluto release after this PR, and using our "Recommended release" system to issue a warning to all users on an old version to upgrade.
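The two sinks named in the comment above (a response header and an HTML response) are where URI-derived data becomes dangerous, and the two checks below are the standard defences for each. This is an added example written for this page, not Pluto's or URIs.jl's own code; it uses only Julia Base, and the `untrusted` query value and the header value are constructed inputs standing in for data parsed out of a request URI.

```julia
# Added example (not Pluto's code): keeping URI-derived data out of
# header-injection and HTML-injection paths. Assumes only Julia Base.

# The five characters that matter when untrusted text is interpolated into an
# HTML body or a double-quoted attribute.
const HTML_ESCAPES = Dict(
    '&' => "&amp;", '<' => "&lt;", '>' => "&gt;", '"' => "&quot;", '\'' => "&#39;",
)

# Replace each special character; everything else passes through unchanged.
html_escape(s::AbstractString) = join(get(HTML_ESCAPES, c, string(c)) for c in s)

# A header value must never contain CR or LF: either character would end the
# current header line and let the value start a new header or the body.
function checked_header_value(v::AbstractString)
    occursin(r"[\r\n]", v) && throw(ArgumentError("CR/LF in header value rejected"))
    return v
end

# Constructed untrusted input, as if taken from a query parameter of a URI.
untrusted = "\"><b>not bold</b>"
println("<input value=\"" * html_escape(untrusted) * "\">")

# Constructed header value carrying an embedded line break; the check refuses it
# instead of letting it reach the response.
try
    checked_header_value("text/html\r\nX-Injected: 1")
catch e
    println("rejected: ", e.msg)
end
```

The escaping makes the attribute close exactly where the template closes it, which is the property the comment relies on when it says HTML output is escaped; the header check is the complementary control for the sink Pluto does not have.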
