Releases: sparklemotion/mechanize

2.8.0 / 2021-04-01

01 Apr 16:25
a11329b

  • Requirements

    • Mechanize now requires Ruby 2.5 or newer.
    • Move from ntlm-http to rubyntlm gem. (#495, #574)
  • New Features

    • Page::Link#uri now handles non-ASCII hrefs. (#569) @terryyin
    • FileConnection supports Windows drive letters (#483)
    • Credential headers 'Authorization' and 'Cookie' are deleted on cross-origin redirects. (#538) @kyoshidajp
    • ContentDispositionParser handles ISO8601 date headers, to be robust with websites that ignore RFC2183. (#554) @reitermarkus
  • Bug fix

    • POST headers 'Content-Length', 'Content-MD5', and 'Content-Type' are deleted in a case-insensitive manner on redirects. Previously these headers were treated as case-sensitive.

2.7.7 / 2021-02-01

01 Feb 20:57
3044b4e

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes'
    methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if
    untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save!: since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
  • Bug fix

    • Ignore input fields with blank names (#542, #536)
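
An added example for the CVE-2021-21289 entry above (not code from Mechanize or from this release): Kernel#open treats a string that begins with "|" as a command, while File.open always treats its argument as a path. The helper names and the sample filename are constructed for illustration.

```ruby
require "tmpdir"

# True when Kernel#open would treat the name as a command rather than a path:
# it does so for strings that begin with "|".
def kernel_open_command?(filename)
  filename.to_s.start_with?("|")
end

# Hardened save (hypothetical helper): File.open only ever opens a path and
# never starts a subprocess, whatever the name looks like.
def save_body(filename, body)
  File.open(filename, "wb") { |io| io.write(body) }
end

# Saves a body under a constructed hostile name inside a scratch directory
# and reports what ended up on disk.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      hostile = "| touch marker.txt" # constructed sample input
      save_body(hostile, "cookie data")
      {
        # Names worth logging or rejecting before they reach any open call.
        flagged: [hostile, "cookies.yml"].select { |n| kernel_open_command?(n) },
        # File.open created a file whose name is the literal string.
        literal_file: File.file?(hostile),
        content: File.open(hostile, "rb", &:read),
        # No command ran, so the marker file does not exist.
        marker_created: File.exist?("marker.txt"),
      }
    end
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

When auditing code for this class of bug, look for bare `open(...)` calls whose argument can be influenced by input; RuboCop's Security/Open cop flags them.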