httpie v1.0.3

Version Release Notes from August 26, 2019 (over 4 years ago)

« Changelog History

httpie v1.0.3 Release Notes

Release Date: 2019-08-26 // over 4 years ago

- 🛠 Fixed CVE-2019-10751 — the way the output filename is generated for --download requests without --output resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario:
1. A --download request with no explicit --output is made (e.g., $ http -d example.org/file.txt), instructing httpie to generate the output filename <https://httpie.org/doc#downloaded-filename>_ from the Content-Disposition response header, or from the URL if the header is not provided.
2. The server handling the request has been modified by an attacker and instead of the expected response the URL returns a redirect to another URL, e.g., attacker.example.org/.bash_profile, whose response does not provide a Content-Disposition header (i.e., the base for the generated filename becomes .bash_profile instead of file.txt).
3. Your current directory doesn’t already contain .bash_profile (i.e., no unique suffix is added to the generated filename).
4. You don’t notice the potentially unexpected output filename as reported by httpie in the console output (e.g., Downloading 100.00 B to ".bash_profile").
Reported by Raul Onitza and Giulio Comi.

Awesome Python is part of the LibHunt network. Terms. Privacy Policy.