Hello community, here is the log from the commit of package ghc-http-client for openSUSE:Factory checked in at 2019-02-24 17:18:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-http-client (Old) and /work/SRC/openSUSE:Factory/.ghc-http-client.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-http-client" Sun Feb 24 17:18:40 2019 rev:30 rq:678028 version:0.6.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ghc-http-client/ghc-http-client.changes 2019-01-25 22:43:23.187226637 +0100 +++ /work/SRC/openSUSE:Factory/.ghc-http-client.new.28833/ghc-http-client.changes 2019-02-24 17:18:42.812415141 +0100 @@ -1,0 +2,8 @@ +Thu Feb 21 07:46:57 UTC 2019 - psim...@suse.com + +- Update http-client to version 0.6.1.1. + ## 0.6.1.1 + + * Ensure that `Int` parsing doesn't overflow [#383](https://github.com/snoyberg/http-client/issues/383) + +------------------------------------------------------------------- Old: ---- http-client-0.6.1.tar.gz New: ---- http-client-0.6.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-http-client.spec ++++++ --- /var/tmp/diff_new_pack.GjoMoP/_old 2019-02-24 17:18:43.296415056 +0100 +++ /var/tmp/diff_new_pack.GjoMoP/_new 2019-02-24 17:18:43.296415056 +0100 @@ -19,7 +19,7 @@ %global pkg_name http-client %bcond_with tests Name: ghc-%{pkg_name} -Version: 0.6.1 +Version: 0.6.1.1 Release: 0 Summary: An HTTP client engine License: MIT ++++++ http-client-0.6.1.tar.gz -> http-client-0.6.1.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/http-client-0.6.1/ChangeLog.md new/http-client-0.6.1.1/ChangeLog.md --- old/http-client-0.6.1/ChangeLog.md 2019-01-14 09:10:16.000000000 +0100 +++ new/http-client-0.6.1.1/ChangeLog.md 2019-02-20 10:37:43.000000000 +0100 
@@ -1,5 +1,9 @@ # Changelog for http-client +## 0.6.1.1 + +* Ensure that `Int` parsing doesn't overflow [#383](https://github.com/snoyberg/http-client/issues/383) + ## 0.6.1 * Add `setUriEither` to `Network.HTTP.Client.Internal` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/http-client-0.6.1/Network/HTTP/Client/Request.hs new/http-client-0.6.1.1/Network/HTTP/Client/Request.hs --- old/http-client-0.6.1/Network/HTTP/Client/Request.hs 2019-01-14 09:10:16.000000000 +0100 +++ new/http-client-0.6.1.1/Network/HTTP/Client/Request.hs 2019-02-20 10:34:27.000000000 +0100 @@ -263,7 +263,7 @@ ':':rest -> maybe (Left "Invalid port") return - (readDec rest) + (readPositiveInt rest) -- Otherwise, use the default port _ -> case sec of False {- HTTP -} -> return 80 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/http-client-0.6.1/Network/HTTP/Client/Response.hs new/http-client-0.6.1.1/Network/HTTP/Client/Response.hs --- old/http-client-0.6.1/Network/HTTP/Client/Response.hs 2018-04-15 08:19:48.000000000 +0200 +++ new/http-client-0.6.1.1/Network/HTTP/Client/Response.hs 2019-02-20 10:34:44.000000000 +0100 
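Review bot: The port branch `maybe (Left "Invalid port") return (readPositiveInt rest)` accepts any non-negative `Int`, so a value above 65535 is returned as a valid port instead of `Left "Invalid port"`. What the caller does with an out-of-range port is not visible here, so I would reject it at this point, e.g. `(readPositiveInt rest >>= \p -> if p <= 65535 then Just p else Nothing)`. A range check at this call site also bounds the result independently of how `readPositiveInt` treats very large inputs. The enclosing function begins and ends outside the hunk.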
@@ -87,7 +87,7 @@ getResponse timeout' req@(Request {..}) mconn cont = do let conn = managedResource mconn StatusHeaders s version hs <- parseStatusHeaders conn timeout' cont - let mcl = lookup "content-length" hs >>= readDec . S8.unpack + let mcl = lookup "content-length" hs >>= readPositiveInt . S8.unpack isChunked = ("transfer-encoding", CI.mk "chunked") `elem` map (second CI.mk) hs -- should we put this connection back into the connection manager? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/http-client-0.6.1/Network/HTTP/Client/Util.hs new/http-client-0.6.1.1/Network/HTTP/Client/Util.hs --- old/http-client-0.6.1/Network/HTTP/Client/Util.hs 2018-04-09 15:40:11.000000000 +0200 +++ new/http-client-0.6.1.1/Network/HTTP/Client/Util.hs 2019-02-20 10:37:06.000000000 +0100 @@ -1,15 +1,15 @@ {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE ScopedTypeVariables #-} module Network.HTTP.Client.Util - ( readDec + ( readPositiveInt ) where -import qualified Data.Text as T -import qualified Data.Text.Read +import Text.Read (readMaybe) +import Control.Monad (guard) -readDec :: Integral i => String -> Maybe i -readDec s = - case Data.Text.Read.decimal $ T.pack s of - Right (i, t) - | T.null t -> Just i - _ -> Nothing +-- | Read a positive 'Int', accounting for overflow +readPositiveInt :: String -> Maybe Int +readPositiveInt s = do + i <- readMaybe s + guard $ i >= 0 + Just i diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/http-client-0.6.1/Network/HTTP/Client.hs new/http-client-0.6.1.1/Network/HTTP/Client.hs --- old/http-client-0.6.1/Network/HTTP/Client.hs 2018-07-01 03:15:12.000000000 +0200 +++ new/http-client-0.6.1.1/Network/HTTP/Client.hs 2019-02-20 10:21:29.000000000 +0100 
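Review bot: In `let mcl = lookup "content-length" hs >>= readPositiveInt . S8.unpack`, a Content-Length that fails to parse (negative, too large, non-numeric) collapses to `Nothing`, which is indistinguishable from the header being absent. The rest of `getResponse` is outside the hunk, but if `Nothing` selects a different body-framing path, a malformed length from a server or intermediary silently changes how the body is read instead of failing the response. Consider distinguishing "absent" from "present but invalid" and raising an error for the latter. `lookup` also returns only the first `content-length` header, so conflicting duplicates go unnoticed; at minimum a comment such as `-- Nothing means absent OR unparsable Content-Length` would make the current behaviour explicit.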
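Review bot: `readPositiveInt` only catches overflow when the wrapped value happens to be negative: as far as I know `readMaybe` at type `Int` converts through `fromInteger`, which wraps modulo the word size, so an input slightly above 2^64 (on a 64-bit `Int`) comes back as a small non-negative number and passes `guard $ i >= 0`. `readMaybe` is also more lenient than the removed `Data.Text.Read.decimal` path, accepting surrounding whitespace, parentheses and `0x`/`0o` literals, which is undesirable for a Content-Length or a port. Parsing as `Integer`, requiring ASCII digits only and bounds-checking before narrowing closes both gaps; it needs `isDigit` from `Data.Char` added to the imports. The name and doc comment say "positive" while zero is accepted, so the comment could say "non-negative".

```haskell
readPositiveInt :: String -> Maybe Int
readPositiveInt s = do
  -- digits only: no sign, whitespace, parentheses or 0x/0o prefixes
  guard $ not (null s) && all isDigit s
  i <- readMaybe s :: Maybe Integer
  -- reject before narrowing, so nothing can wrap back into range
  guard $ i <= toInteger (maxBound :: Int)
  Just (fromInteger i)
```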
@@ -40,7 +40,7 @@ -- application which will make a large number of requests to different hosts, -- and will never make more than one connection to a single host, then sharing -- a 'Manager' will result in idle connections being kept open longer than --- necessary. In such a situation, it makes sense to use 'withManager' around +-- necessary. In such a situation, it makes sense to use 'newManager' before -- each new request, to avoid running out of file descriptors. (Note that the -- 'managerIdleConnectionCount' setting mitigates the risk of leaking too many -- file descriptors.) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/http-client-0.6.1/http-client.cabal new/http-client-0.6.1.1/http-client.cabal --- old/http-client-0.6.1/http-client.cabal 2019-01-14 09:10:16.000000000 +0100 +++ new/http-client-0.6.1.1/http-client.cabal 2019-02-20 10:37:17.000000000 +0100 @@ -1,5 +1,5 @@ name: http-client -version: 0.6.1 +version: 0.6.1.1 synopsis: An HTTP client engine description: Hackage documentation generation is not reliable. For up to date documentation, please see: <http://www.stackage.org/package/http-client>. homepage: https://github.com/snoyberg/http-client diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/http-client-0.6.1/test-nonet/Network/HTTP/ClientSpec.hs new/http-client-0.6.1.1/test-nonet/Network/HTTP/ClientSpec.hs --- old/http-client-0.6.1/test-nonet/Network/HTTP/ClientSpec.hs 2018-03-04 18:07:33.000000000 +0100 +++ new/http-client-0.6.1.1/test-nonet/Network/HTTP/ClientSpec.hs 2019-02-20 10:24:08.000000000 +0100 @@ -254,3 +254,8 @@ ok <- readIORef okRef unless ok $ throwIO (ErrorCall "already closed") + + it "does not allow port overflow #383" $ do + case parseRequest "https://o_O:18446744072699450606" of + Left _ -> pure () :: IO () + Right req -> error $ "Invalid request: " ++ show req
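Review bot: The new case `parseRequest "https://o_O:18446744072699450606"` exercises only an input whose wrapped value is negative on a 64-bit `Int`, so it passes even if larger inputs that wrap back to a non-negative value are still accepted. I would add companion cases in the same `it` style, both expecting `Left _`: one with a port just above 65535, and one with a number that exceeds `maxBound :: Int` by a small amount. Those two cases pin the intended contract (a port is a decimal number in range) rather than one specific wrap-around. The enclosing `describe` block begins outside the hunk.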