httpie v1.0.3 Release Notes
Release Date: 2019-08-26
- 🛠 Fixed CVE-2019-10751 — the way the output filename is generated for `--download` requests without `--output` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario:
  - A `--download` request with no explicit `--output` is made (e.g., `$ http -d example.org/file.txt`), instructing httpie to generate the output filename (https://httpie.org/doc#downloaded-filename) from the `Content-Disposition` response header, or from the URL if the header is not provided.
  - The server handling the request has been modified by an attacker and, instead of the expected response, the URL returns a redirect to another URL, e.g., `attacker.example.org/.bash_profile`, whose response does not provide a `Content-Disposition` header (i.e., the base for the generated filename becomes `.bash_profile` instead of `file.txt`).
  - Your current directory doesn’t already contain `.bash_profile` (i.e., no unique suffix is added to the generated filename).
  - You don’t notice the potentially unexpected output filename as reported by httpie in the console output (e.g., `Downloading 100.00 B to ".bash_profile"`).

  Reported by Raul Onitza and Giulio Comi.
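The following Python is an added illustration of the filename-selection logic the note describes; it is not httpie's own code. It picks the output name from `Content-Disposition` when present and otherwise from the URL, and the `safe` flag switches between basing that URL-derived name on the initial request URL (the v1.0.3 behaviour) and on the post-redirect URL (the behaviour the fix removed), so the two can be compared on the scenario from the note. The function names, the `-1`, `-2` collision suffix convention, and the sample URLs are assumptions made for this example.

```python
"""Added example (not httpie's code): choose a --download output filename.

Fix under test: base a URL-derived filename on the *initial* URL, never on
the URL reached after a redirect, so a redirecting server cannot pick the
local filename (e.g. a dotfile such as .bash_profile).
"""
import os
import re
from urllib.parse import unquote, urlsplit


def filename_from_content_disposition(header):
    """Return the filename from a Content-Disposition header, or None.

    Only the basename is kept so a header value cannot escape the cwd.
    """
    if not header:
        return None
    m = re.search(r'filename\*?=(?:"([^"]*)"|([^;]+))', header)
    if not m:
        return None
    name = (m.group(1) or m.group(2)).strip()
    if name.startswith("UTF-8''"):  # RFC 5987 encoded form
        name = unquote(name[len("UTF-8''"):])
    name = os.path.basename(name)
    if name in ('', '.', '..'):
        return None
    return name


def filename_from_url(url):
    """Basename of the URL path; 'index' when the path has none."""
    path = unquote(urlsplit(url).path).rstrip('/')
    return os.path.basename(path) or 'index'


def unique_filename(name, existing):
    """Append -1, -2, ... while `name` collides with an existing file.

    (Suffix format is an assumption for this example.)
    """
    if name not in existing:
        return name
    stem, ext = os.path.splitext(name)
    i = 1
    while f'{stem}-{i}{ext}' in existing:
        i += 1
    return f'{stem}-{i}{ext}'


def download_filename(initial_url, final_url, content_disposition,
                      existing, safe=True):
    """Output name for a --download request that has no --output.

    safe=True  -> URL fallback uses initial_url (the fixed behaviour).
    safe=False -> URL fallback uses final_url (the pre-fix behaviour),
                  kept only to show what the redirect could influence.
    """
    name = filename_from_content_disposition(content_disposition)
    if name is None:
        name = filename_from_url(initial_url if safe else final_url)
    return unique_filename(name, existing)


if __name__ == '__main__':
    # Constructed scenario from the release note: the initial URL redirects
    # to a dotfile name and the final response carries no Content-Disposition.
    initial = 'http://example.org/file.txt'
    final = 'http://attacker.example.org/.bash_profile'
    print('pre-fix :', download_filename(initial, final, None, set(), safe=False))
    print('fixed   :', download_filename(initial, final, None, set(), safe=True))
    print('existing:', download_filename(initial, final, None, {'file.txt'}))
```

Running the script shows the pre-fix path yielding `.bash_profile` and the fixed path yielding `file.txt`; with `file.txt` already present, the collision suffix produces `file-1.txt`, which is the "unique suffix" step the note's third condition refers to.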