Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package ghc-http-client for openSUSE:Factory
checked in at 2021-04-26 16:39:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghc-http-client (Old)
and /work/SRC/openSUSE:Factory/.ghc-http-client.new.12324 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-http-client"
Mon Apr 26 16:39:34 2021 rev:43 rq:888406 version:0.7.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/ghc-http-client/ghc-http-client.changes
2021-03-10 08:56:53.862866837 +0100
+++
/work/SRC/openSUSE:Factory/.ghc-http-client.new.12324/ghc-http-client.changes
2021-04-26 16:40:31.810164824 +0200
@@ -1,0 +2,16 @@
+Thu Apr 22 10:05:02 UTC 2021 - [email protected]
+
+- Update http-client to version 0.7.8.
+ ## 0.7.8
+
+ * Include the original `Request` in the `Response`. Expose it via
`getOriginalRequest`.
+
+-------------------------------------------------------------------
+Wed Apr 14 17:26:45 UTC 2021 - [email protected]
+
+- Update http-client to version 0.7.7.
+ ## 0.7.7
+
+ * Allow secure cookies for localhost without HTTPS
[#460](https://github.com/snoyberg/http-client/pull/460)
+
+-------------------------------------------------------------------
Old:
----
http-client-0.7.6.tar.gz
New:
----
http-client-0.7.8.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ghc-http-client.spec ++++++
--- /var/tmp/diff_new_pack.tUBgxx/_old 2021-04-26 16:40:32.254165553 +0200
+++ /var/tmp/diff_new_pack.tUBgxx/_new 2021-04-26 16:40:32.258165560 +0200
@@ -19,7 +19,7 @@
%global pkg_name http-client
%bcond_with tests
Name: ghc-%{pkg_name}
-Version: 0.7.6
+Version: 0.7.8
Release: 0
Summary: An HTTP client engine
License: MIT
@@ -37,6 +37,7 @@
BuildRequires: ghc-exceptions-devel
BuildRequires: ghc-filepath-devel
BuildRequires: ghc-http-types-devel
+BuildRequires: ghc-iproute-devel
BuildRequires: ghc-mime-types-devel
BuildRequires: ghc-network-devel
BuildRequires: ghc-network-uri-devel
++++++ http-client-0.7.6.tar.gz -> http-client-0.7.8.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/http-client-0.7.6/ChangeLog.md
new/http-client-0.7.8/ChangeLog.md
--- old/http-client-0.7.6/ChangeLog.md 2021-02-21 07:16:45.000000000 +0100
+++ new/http-client-0.7.8/ChangeLog.md 2021-04-21 13:33:33.000000000 +0200
@@ -1,5 +1,13 @@
# Changelog for http-client
+## 0.7.8
+
+* Include the original `Request` in the `Response`. Expose it via
`getOriginalRequest`.
+
+## 0.7.7
+
+* Allow secure cookies for localhost without HTTPS
[#460](https://github.com/snoyberg/http-client/pull/460)
+
## 0.7.6
* Add `applyBearerAuth` function
[#457](https://github.com/snoyberg/http-client/pull/457/files)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/http-client-0.7.6/Network/HTTP/Client/Cookies.hs
new/http-client-0.7.8/Network/HTTP/Client/Cookies.hs
--- old/http-client-0.7.6/Network/HTTP/Client/Cookies.hs 2021-02-21
07:16:45.000000000 +0100
+++ new/http-client-0.7.8/Network/HTTP/Client/Cookies.hs 2021-04-21
13:33:33.000000000 +0200
@@ -14,6 +14,7 @@
, removeExistingCookieFromCookieJar
, domainMatches
, isIpAddress
+ , isPotentiallyTrustworthyOrigin
, defaultPath
) where
@@ -29,6 +30,8 @@
import qualified Network.PublicSuffixList.Lookup as PSL
import Data.Text.Encoding (decodeUtf8With)
import Data.Text.Encoding.Error (lenientDecode)
+import qualified Data.IP as IP
+import Text.Read (readMaybe)
import Network.HTTP.Client.Types as Req
@@ -111,6 +114,37 @@
isPublicSuffix :: BS.ByteString -> Bool
isPublicSuffix = PSL.isSuffix . decodeUtf8With lenientDecode
+-- | Algorithm described in \"Secure Contexts\", Section 3.1, \"Is origin
potentially trustworthy?\"
+--
+-- Note per RFC6265 section 5.4 user agent is free to define the meaning of
"secure" protocol.
+--
+-- See:
+-- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
+isPotentiallyTrustworthyOrigin :: Bool -- ^ True if HTTPS
+ -> BS.ByteString -- ^ Host
+ -> Bool -- ^ Whether or not the origin
is potentially trustworthy
+isPotentiallyTrustworthyOrigin secure host
+ | secure = True -- step 3
+ | isLoopbackAddr4 = True -- step 4, part 1
+ | isLoopbackAddr6 = True -- step 4, part 2
+ | isLoopbackHostname = True -- step 5
+ | otherwise = False
+ where isLoopbackHostname =
+ host == "localhost"
+ || host == "localhost."
+ || BS.isSuffixOf ".localhost" host
+ || BS.isSuffixOf ".localhost." host
+ isLoopbackAddr4 =
+ fmap (take 1 . IP.fromIPv4) (readMaybe (S8.unpack host)) == Just
[127]
+ isLoopbackAddr6 =
+ fmap IP.toHostAddress6 maddr6 == Just (0, 0, 0, 1)
+ maddr6 = do
+ (c1, rest1) <- S8.uncons host
+ (rest2, c2) <- S8.unsnoc rest1
+ case [c1, c2] of
+ "[]" -> readMaybe (S8.unpack rest2)
+ _ -> Nothing
+
-- | This corresponds to the eviction algorithm described in Section 5.3
\"Storage Model\"
evictExpiredCookies :: CookieJar -- ^ Input cookie jar
-> UTCTime -- ^ Value that should be used as \"now\"
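Review bot: Step 5 of `isPotentiallyTrustworthyOrigin` trusts `localhost` and every `*.localhost` name purely by string match, but the Secure Contexts algorithm it cites makes that step conditional on the user agent guaranteeing those names resolve to loopback. Nothing in this hunk pins resolution, so on a machine whose resolver forwards `foo.localhost` to DNS, a Secure-only cookie could leave the host in cleartext. Either limit step 5 to cases where loopback resolution is known, or state the assumption in the Haddock, e.g. `-- Assumes localhost and *.localhost resolve to a loopback address; the name is not resolved here.` The IP-literal guards in step 4 are not affected.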
@@ -143,7 +177,7 @@
condition2 = pathMatches (Req.path request) (cookie_path
cookie)
condition3
| not (cookie_secure_only cookie) = True
- | otherwise = Req.secure request
+ | otherwise = isPotentiallyTrustworthyOrigin (Req.secure
request) (Req.host request)
condition4
| not (cookie_http_only cookie) = True
| otherwise = is_http_api
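Review bot: `condition3` now releases Secure-only cookies over plain HTTP on the host string alone and never checks whether the request will be sent through a proxy. If `Req.proxy request` is already populated here (not visible; the enclosing function starts and ends outside the hunk), the cookie would travel unencrypted to the proxy instead of staying on loopback. Consider `| otherwise = Req.secure request || (isNothing (Req.proxy request) && isPotentiallyTrustworthyOrigin False (Req.host request))`, which may need `Data.Maybe (isNothing)` imported. A short comment such as `-- RFC 6265 5.4: loopback hosts are treated as "secure", see isPotentiallyTrustworthyOrigin` would also make the relaxation visible at the call site.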
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/http-client-0.7.6/Network/HTTP/Client/Response.hs
new/http-client-0.7.8/Network/HTTP/Client/Response.hs
--- old/http-client-0.7.6/Network/HTTP/Client/Response.hs 2021-02-21
07:16:45.000000000 +0100
+++ new/http-client-0.7.8/Network/HTTP/Client/Response.hs 2021-04-21
13:33:33.000000000 +0200
@@ -4,6 +4,7 @@
( getRedirectedRequest
, getResponse
, lbsResponse
+ , getOriginalRequest
) where
import Data.ByteString (ByteString)
@@ -123,6 +124,7 @@
, responseBody = body
, responseCookieJar = Data.Monoid.mempty
, responseClose' = ResponseClose (cleanup False)
+ , responseOriginalRequest = req {requestBody = ""}
}
-- | Does this response have no body?
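Review bot: `responseOriginalRequest = req {requestBody = ""}` clears only the body, so each `Response` now keeps the request's headers, query string and settings alive for as long as the response is held. That can include credentials in `Authorization` or `Cookie` headers, which callers who store or pass responses around may not expect. It is also not clear from the hunk whether `req` is the caller's first request or the one for the final redirect hop, since the enclosing function starts outside the hunk. A comment like `-- req is the request that produced this response; body dropped, headers (incl. credentials) kept` would help here, and the `getOriginalRequest` Haddock in the last hunk of this file should say the same (it also misspells "original").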
@@ -133,3 +135,11 @@
hasNoBody _ 204 = True
hasNoBody _ 304 = True
hasNoBody _ i = 100 <= i && i < 200
+
+-- | Retrieve the orignal 'Request' from a 'Response'
+--
+-- Note that the 'requestBody' is not available and always set to empty.
+--
+-- @since 0.7.8
+getOriginalRequest :: Response a -> Request
+getOriginalRequest = responseOriginalRequest
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/http-client-0.7.6/Network/HTTP/Client/Types.hs
new/http-client-0.7.8/Network/HTTP/Client/Types.hs
--- old/http-client-0.7.6/Network/HTTP/Client/Types.hs 2021-02-21
07:16:45.000000000 +0100
+++ new/http-client-0.7.8/Network/HTTP/Client/Types.hs 2021-04-21
13:33:33.000000000 +0200
@@ -690,6 +690,12 @@
-- be impossible.
--
-- Since 0.1.0
+ , responseOriginalRequest :: Request
+ -- ^ Holds original @Request@ related to this @Response@ (with an empty
body).
+ -- This field is intentionally not exported directly, but made availble
+ -- via @getOriginalRequest@ instead.
+ --
+ -- Since 0.7.8
}
deriving (Show, T.Typeable, Functor, Data.Foldable.Foldable,
Data.Traversable.Traversable)
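Review bot: `Response` derives `Show`, so with the new `responseOriginalRequest` field any `show` of a response, as is common in debug logs and test failure output, now renders the request too. Whether that can print secrets depends on the `Show` instance of `Request`, which is not part of this hunk; it is worth confirming that it redacts `Authorization` and `Cookie` values before relying on the derived instance. The new field comment also misspells "available" as `availble`. The record declaration begins outside the hunk.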
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/http-client-0.7.6/Network/HTTP/Client.hs
new/http-client-0.7.8/Network/HTTP/Client.hs
--- old/http-client-0.7.6/Network/HTTP/Client.hs 2021-02-21
07:16:45.000000000 +0100
+++ new/http-client-0.7.8/Network/HTTP/Client.hs 2021-04-21
13:33:33.000000000 +0200
@@ -181,6 +181,7 @@
, responseHeaders
, responseBody
, responseCookieJar
+ , getOriginalRequest
, throwErrorStatusCodes
-- ** Response body
, BodyReader
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/http-client-0.7.6/http-client.cabal
new/http-client-0.7.8/http-client.cabal
--- old/http-client-0.7.6/http-client.cabal 2021-02-21 07:16:45.000000000
+0100
+++ new/http-client-0.7.8/http-client.cabal 2021-04-21 13:33:33.000000000
+0200
@@ -1,5 +1,5 @@
name: http-client
-version: 0.7.6
+version: 0.7.8
synopsis: An HTTP client engine
description: Hackage documentation generation is not reliable. For up
to date documentation, please see:
<http://www.stackage.org/package/http-client>.
homepage: https://github.com/snoyberg/http-client
@@ -58,6 +58,7 @@
, mime-types
, ghc-prim
, stm >= 2.3
+ , iproute >= 1.7.5
if flag(network-uri)
build-depends: network >= 2.6, network-uri >= 2.6
else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/http-client-0.7.6/test-nonet/Network/HTTP/Client/CookieSpec.hs
new/http-client-0.7.8/test-nonet/Network/HTTP/Client/CookieSpec.hs
--- old/http-client-0.7.6/test-nonet/Network/HTTP/Client/CookieSpec.hs
2021-02-21 07:16:45.000000000 +0100
+++ new/http-client-0.7.8/test-nonet/Network/HTTP/Client/CookieSpec.hs
2021-04-21 13:33:33.000000000 +0200
@@ -61,3 +61,16 @@
when countsForEquiv $ cky `equivCookie` f cky `shouldBe` False
check `mapM_` modifications
+
+ it "isPotentiallyTrustworthyOrigin" $ do
+ isPotentiallyTrustworthyOrigin True "" `shouldBe` True
+ let untrusty = ["example", "example.", "example.com", "foolocalhost",
"1.1.1.1", "::1", "[::2]"]
+ trusty =
+ [ "127.0.0.1", "127.0.0.2", "127.127.127.127"
+ , "[::1]", "[0:0:0:0:0:0:0:1]"
+ , "localhost", "localhost."
+ , "a.b.c.localhost", "a.b.c.localhost."
+ ]
+ or (map (isPotentiallyTrustworthyOrigin False) untrusty) `shouldBe` False
+ and (map (isPotentiallyTrustworthyOrigin False) trusty) `shouldBe` True
+
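Review bot: The negative list for `isPotentiallyTrustworthyOrigin` has no host where a loopback-looking token is a prefix rather than a suffix, which is the case most likely to regress if the matching is ever loosened. Adding `"localhost.example.com"` and `"127.0.0.1.example.com"` to `untrusty` would pin that. The `or (map …)` / `and (map …)` assertions also hide which host failed. A per-host check, matching the `mapM_` style used just above, reports the offending value: `mapM_ (\h -> shouldBe (isPotentiallyTrustworthyOrigin False h) False) untrusty`, and likewise with `True` for `trusty`.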