diff --git a/CHANGELOG.rst b/CHANGELOG.rst index e40df2f3f0..d9e811e8fd 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,12 +6,32 @@ This document records all notable changes to `HTTPie `_. This project adheres to `Semantic Versioning `_. -`1.0.3-dev`_ (unreleased) +`1.0.3`_ (2019-08-26) ------------------------- -* Changed the way the output filename is generated for ``--download`` requests - without ``--output`` and with a redirect — now only the initial URL is - considered, not the final one. Thanks to Raul Onitza of Snyk for bringing this up. +* Fixed CVE-2019-10751 — the way the output filename is generated for + ``--download`` requests without ``--output`` resulting in a redirect has + been changed to only consider the initial URL as the base for the generated + filename, and not the final one. This fixes a potential security issue under + the following scenario: + + 1. A ``--download`` request with no explicit ``--output`` is made (e.g., + ``$ http -d example.org/file.txt``), instructing httpie to + `generate the output filename `_ + from the ``Content-Disposition`` response, or from the URL if the header + is not provided. + 2. The server handling the request has been modified by an attacker and + instead of the expected response the URL returns a redirect to another + URL, e.g., ``attacker.example.org/.bash_profile``, whose response does + not provide a ``Content-Disposition`` header (i.e., the base for the + generated filename becomes ``.bash_profile`` instead of ``file.txt``). + 3. Your current directory doesn’t already contain ``.bash_profile`` + (i.e., no unique suffix is added to the generated filename). + 4. You don’t notice the potentially unexpected output filename + as reported by httpie in the console output + (e.g., ``Downloading 100.00 B to ".bash_profile"``). + + Reported by Raul Onitza and Giulio Comi. `1.0.2`_ (2018-11-14) 
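Review bot: the attack scenario in the new changelog entry (steps 1 and 2) only covers a redirect target that omits ``Content-Disposition``, while step 1 says the filename is taken from that header whenever it is present; the entry should say explicitly whether a ``Content-Disposition`` header on the redirected response is still honoured after the fix, otherwise a reader may assume an attacker-supplied ``filename=`` on the final response is neutralised as well. Separately, this hunk documents the fix but the commit itself touches only CHANGELOG.rst, the Makefile, ``__version__`` and requirements-dev.txt, so the wording ("has been changed to only consider the initial URL") should be cross-checked against the commit that actually changed the download filename logic before the release is tagged.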
@@ -363,4 +383,4 @@ This project adheres to `Semantic Versioning `_. .. _1.0.0: https://github.com/jakubroztocil/httpie/compare/0.9.9...1.0.0 .. _1.0.1: https://github.com/jakubroztocil/httpie/compare/1.0.0...1.0.1 .. _1.0.2: https://github.com/jakubroztocil/httpie/compare/1.0.1...1.0.2 -.. _1.0.3-dev: https://github.com/jakubroztocil/httpie/compare/1.0.2...master +.. _1.0.3: https://github.com/jakubroztocil/httpie/compare/1.0.2...1.0.3 diff --git a/Makefile b/Makefile index c477abe827..85ebafb562 100644 --- a/Makefile +++ b/Makefile @@ -93,9 +93,8 @@ publish-no-test: @echo $(TAG)Testing wheel build an installation$(END) @echo "$(VERSION)" @echo "$(VERSION)" | grep -q "dev" && echo '!!!Not publishing dev version!!!' && exit 1 || echo ok - python setup.py register - python setup.py sdist upload - python setup.py bdist_wheel upload + python setup.py sdist bdist_wheel + twine upload dist/* @echo diff --git a/httpie/__init__.py b/httpie/__init__.py index 6ff7658c58..121cc76dbd 100644 --- a/httpie/__init__.py +++ b/httpie/__init__.py @@ -2,7 +2,7 @@ HTTPie - a CLI, cURL-like tool for humans. """ -__version__ = '1.0.3-dev' +__version__ = '1.0.3' __author__ = 'Jakub Roztocil' __licence__ = 'BSD' diff --git a/requirements-dev.txt b/requirements-dev.txt index 3384c15230..e0ccd39ce1 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -6,3 +6,4 @@ pytest-httpbin>=0.0.6 docutils wheel pycodestyle +twine
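Review bot: in the Makefile hunk, ``twine upload dist/*`` uploads every artifact sitting in ``dist/``, including stale sdists and wheels left over from earlier builds, and the preceding ``python setup.py sdist bdist_wheel`` does not clear that directory first; either remove ``dist/`` before building or limit the upload to this release, e.g. ``twine upload dist/httpie-$(VERSION)*`` (``$(VERSION)`` is already echoed two lines above), and run ``twine check dist/*`` before the upload so a broken long_description fails locally rather than after publishing.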
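Review bot: the ``twine`` line added to requirements-dev.txt carries no version bound, unlike ``pytest-httpbin>=0.0.6`` at the top of the same hunk; since the ``publish-no-test`` target now depends on it, give it at least a minimum version so ``twine upload`` (and ``twine check``, if adopted) behave the same on every machine that runs the release.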