dependabot[bot] opened a new pull request #6: Bump httpie from 0.9.3 to 1.0.3
URL: https://github.com/apache/incubator-flagon-tap/pull/6
 
 
   Bumps [httpie](https://github.com/jakubroztocil/httpie) from 0.9.3 to 1.0.3.
   <details>
   <summary>Release notes</summary>
   
   *Sourced from [httpie's releases](https://github.com/jakubroztocil/httpie/releases).*
   
   > ## HTTPie 1.0.3
   > Fixed CVE-2019-10751 — the way the output filename is generated for `--download` requests without `--output` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario:
   > 
   > 1. A `--download` request with no explicit `--output` is made (e.g., `$ http -d  example.org/file.txt`), instructing HTTPie to [generate the output filename](https://httpie.org/doc#downloaded-filename) from the `Content-Disposition` response header, or from the URL if the header is not provided.
   > 2. The server handling the request has been modified by an attacker and instead of the expected response the URL returns a redirect to another URL, e.g., `attacker.example.org/.bash_profile`, whose response does not provide a `Content-Disposition` header (i.e., the base for the generated filename becomes `.bash_profile` instead of `file.txt`).
   > 3. Your current directory doesn’t already contain `.bash_profile` (i.e., no unique suffix is added to the generated filename).
   > 4. You don’t notice the potentially unexpected output filename as reported by HTTPie in the console output (e.g., `Downloading 100.00 B to ".bash_profile"`).
   > 
   > ## HTTPie 1.0.2
   > * Fixed tests for installation with pyOpenSSL.
   > 
   > ## HTTPie 1.0.1
   > * Removed external URL calls from tests.
   > 
   > ## HTTPie 1.0.0
   > 
   > * Added ``--style=auto`` which follows the terminal ANSI color styles.
   > * Added support for selecting TLS 1.3 via ``--ssl=tls1.3``
   >   (available once implemented in upstream libraries).
   > * Added ``true``/``false`` as valid values for ``--verify``
   >   (in addition to ``yes``/``no``) and the boolean value is 
case-insensitive.
   > * Changed the default ``--style`` from ``solarized`` to ``auto`` (on 
Windows it stays ``fruity``).
   > * Fixed default headers being incorrectly case-sensitive.
   > * Removed Python 2.6 support.
   > 
   > ## HTTPie 0.9.9
   > * Only README changes.
   > 
   > ## HTTPie 0.9.8
   > - Extended auth plugin API.
   > - Added exit status code `7` for plugin errors.
   > - Added support for `curses`-less Python installations.
   > - Fixed `REQUEST_ITEM` arg incorrectly being reported as required.
   > - Improved `CTRL-C` interrupt handling.
   > - Added the standard exit status code `130` for keyboard interrupts.
   > 
   > ## HTTPie 0.9.6
   > - Added Python 3 as a dependency for Homebrew installations
   >   to ensure some of the newer HTTP features work out of the box
   >   for macOS users (starting with HTTPie 0.9.4.).
   > - Added the ability to unset a request header with `Header:`, and send an
   >   empty value with `Header;`.
   > - Added `--default-scheme <URL_SCHEME>` to enable things like
   >   `$ alias https='http --default-scheme=https`.
   > - Added `-I` as a shortcut for `--ignore-stdin`.
   > - Added fish shell completion (located in `extras/httpie-completion.fish`
   >   in the Github repo).
   > - Updated `requests` to 2.10.0 so that SOCKS support can be added via
   >   `pip install requests[socks]`.
   > - Changed the default JSON `Accept` header from `application/json`
   > ... (truncated)
   </details>
   <details>
   <summary>Changelog</summary>
   
   *Sourced from [httpie's changelog](https://github.com/jakubroztocil/httpie/blob/master/CHANGELOG.rst).*
   
   > `1.0.3`_ (2019-08-26)
   > ---------------------
   > 
   > * Fixed CVE-2019-10751 — the way the output filename is generated for
   >   ``--download`` requests without ``--output`` resulting in a redirect has
   >   been changed to only consider the initial URL as the base for the generated
   >   filename, and not the final one. This fixes a potential security issue under
   >   the following scenario:
   > 
   >   1. A ``--download`` request with no explicit ``--output`` is made (e.g.,
   >      ``$ http -d example.org/file.txt``), instructing httpie to
   >      `generate the output filename <https://httpie.org/doc#downloaded-filename>`_
   >      from the ``Content-Disposition`` response header, or from the URL if the header
   >      is not provided.
   >   2. The server handling the request has been modified by an attacker and
   >      instead of the expected response the URL returns a redirect to another
   >      URL, e.g., ``attacker.example.org/.bash_profile``, whose response does
   >      not provide a ``Content-Disposition`` header (i.e., the base for the
   >      generated filename becomes ``.bash_profile`` instead of ``file.txt``).
   >   3. Your current directory doesn’t already contain ``.bash_profile``
   >      (i.e., no unique suffix is added to the generated filename).
   >   4. You don’t notice the potentially unexpected output filename
   >      as reported by httpie in the console output
   >      (e.g., ``Downloading 100.00 B to ".bash_profile"``).
   > 
   >   Reported by Raul Onitza and Giulio Comi.
   > 
   > 
   > `1.0.2`_ (2018-11-14)
   > -------------------------
   > 
   > * Fixed tests for installation with pyOpenSSL.
   > 
   > 
   > `1.0.1`_ (2018-11-14)
   > -------------------------
   > 
   > * Removed external URL calls from tests.
   > 
   > 
   > `1.0.0`_ (2018-11-02)
   > -------------------------
   > 
   > * Added ``--style=auto`` which follows the terminal ANSI color styles.
   > * Added support for selecting TLS 1.3 via ``--ssl=tls1.3``
   >   (available once implemented in upstream libraries).
   > * Added ``true``/``false`` as valid values for ``--verify``
   >   (in addition to ``yes``/``no``) and the boolean value is case-insensitive.
   > * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``).
   > * Fixed default headers being incorrectly case-sensitive.
   > ... (truncated)
   </details>
   <details>
   <summary>Commits</summary>
   
   - [`747be30`](https://github.com/jakubroztocil/httpie/commit/747be30d2efda1b4287a84f1f27f4328621b222c) 1.0.3
   - [`88a9583`](https://github.com/jakubroztocil/httpie/commit/88a9583f4c0682fc4d26525380d82802eb242784) Update CHANGELOG.rst
   - [`fd6e879`](https://github.com/jakubroztocil/httpie/commit/fd6e87914ca70f0825f47d226c1454e9a9a191bc) README
   - [`6dee493`](https://github.com/jakubroztocil/httpie/commit/6dee49357d793f0112ad806a480b53f2c2d1e627) Fix comments
   - [`df36d62`](https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8) Changed the way the output filename is generated
   - [`e92b831`](https://github.com/jakubroztocil/httpie/commit/e92b831e6e044a366d1907761fcc63a254a021a7) Create FUNDING.yml
   - [`fd44f1a`](https://github.com/jakubroztocil/httpie/commit/fd44f1af93ce1d2c84f324b8474d2d075b5a7b13) Updated Readme to fix a typo ([#767](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/767))
   - [`b630954`](https://github.com/jakubroztocil/httpie/commit/b6309547d535287dd11429ba11a999414149b7fd) Add a bash here string example
   - [`3a46149`](https://github.com/jakubroztocil/httpie/commit/3a46149de1e58ce72563c4011bfee64781bc4af3) Fix several ResourceWarning: unclosed file ([#741](https://github-redirect.dependabot.com/jakubroztocil/httpie/issues/741))
   - [`b7c8bf0`](https://github.com/jakubroztocil/httpie/commit/b7c8bf08002b48b5c82df61f5aec09a556f91b74) Add animation by [@loranallensmith](https://github.com/loranallensmith)
   - Additional commits viewable in [compare view](https://github.com/jakubroztocil/httpie/compare/0.9.3...1.0.3)
   </details>
   <br />
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=httpie&package-manager=pip&previous-version=0.9.3&new-version=1.0.3)](https://help.github.com/articles/configuring-automated-security-fixes)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
   - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
   - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
   - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
   
   You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/incubator-flagon-tap/network/alerts).
   
   </details>

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
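
The CVE-2019-10751 scenario quoted in the release notes above, as an added example that is not part of the original message and is not HTTPie's code: a simplified model of output-filename selection, where `output_name`, its helpers and the `patched` switch are hypothetical names and the URLs are the ones used in the advisory text.

```python
import os
from email.message import Message
from urllib.parse import urlsplit


def name_from_url(url):
    """Last path segment of the URL, or 'index' when the path is empty."""
    path = urlsplit(url).path.rstrip("/")
    return os.path.basename(path) or "index"


def name_from_header(value):
    """filename parameter of a Content-Disposition value, path parts dropped."""
    msg = Message()
    msg["Content-Disposition"] = value
    return os.path.basename(msg.get_filename() or "")


def unique(name, existing):
    """Add -1, -2, ... while the name collides with a file already present."""
    candidate, n = name, 0
    while candidate in existing:
        n += 1
        candidate = f"{name}-{n}"
    return candidate


def output_name(initial_url, final_url, content_disposition, existing, patched):
    """Output filename for a download made without an explicit --output."""
    name = name_from_header(content_disposition) if content_disposition else ""
    if not name:
        # Pre-fix behaviour: base taken from the URL reached after redirects.
        # Post-fix behaviour: base taken from the URL the user typed.
        name = name_from_url(initial_url if patched else final_url)
    return unique(name, existing)


# Constructed scenario from the advisory text: the request is redirected and
# the final response carries no Content-Disposition header.
INITIAL = "http://example.org/file.txt"
FINAL = "http://attacker.example.org/.bash_profile"

if __name__ == "__main__":
    for patched in (False, True):
        print(patched, output_name(INITIAL, FINAL, None, set(), patched))
    print(output_name(INITIAL, FINAL, None, {".bash_profile"}, False))
```

The third call shows why step 3 of the scenario matters: when the name already exists in the directory, the unique suffix keeps the existing file from being replaced.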
