Requests

Latest version: v2.32.3


2.6.1

Not secure
------------------

**Bugfixes**

- Remove VendorAlias import machinery introduced in v2.5.2.
- Simplify the PreparedRequest.prepare API: We no longer require the
user to pass an empty list to the hooks keyword argument. (cf.
#2552)
- Resolve redirects now receives and forwards all of the original
arguments to the adapter. (#2503)
- Handle UnicodeDecodeErrors when trying to deal with a unicode URL
that cannot be encoded in ASCII. (#2540)
- Populate the parsed path of the URI field when performing Digest
Authentication. (#2426)
- Copy a PreparedRequest's CookieJar more reliably when it is not an
instance of RequestsCookieJar. (#2527)

2.6.0

Not secure
------------------

**Bugfixes**

- CVE-2015-2296: Fix handling of cookies on redirect. Previously a
cookie without a host value set would use the hostname for the
redirected URL, exposing requests users to session fixation attacks
and potentially cookie stealing. This was disclosed privately by
Matthew Daley of [BugFuzz](https://bugfuzz.com). This affects all
versions of requests from v2.1.0 to v2.5.3 (inclusive on both ends).
- Fix error when requests is an `install_requires` dependency and
`python setup.py test` is run. (#2462)
- Fix error when urllib3 is unbundled and requests continues to use
the vendored import location.
- Include fixes to `urllib3`'s header handling.
- Requests' handling of unvendored dependencies is now more
restrictive.
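
The host-binding problem behind the CVE-2015-2296 entry above can be reproduced with the standard library's `http.cookiejar`. This is an added example, not requests' own code; the hostnames, the cookie value and the helper names `RedirectResponse` and `hosts_receiving` are constructed for illustration.

```python
import email
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed sample values; the hostnames are placeholders.
ORIGIN = "https://origin.example/login"     # host that answers with the 302
TARGET = "https://target.example/landing"   # host named in its Location header
SET_COOKIE = "session=abc123; Path=/"       # no Domain attribute: host-only cookie


class RedirectResponse:
    """Just enough of a response for CookieJar: info() returns the headers."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def hosts_receiving(set_cookie, scoping_url, candidate_urls):
    """Store the cookie as if it arrived in reply to scoping_url, then
    return the candidate URLs whose requests would carry it."""
    jar = CookieJar()
    # A cookie without Domain is bound to the host of the request passed here.
    jar.extract_cookies(RedirectResponse(set_cookie), Request(scoping_url))
    receiving = []
    for url in candidate_urls:
        req = Request(url)
        jar.add_cookie_header(req)
        if req.get_header("Cookie"):
            receiving.append(url)
    return receiving


if __name__ == "__main__":
    # Scoped to the request that produced the response (behaviour after the fix).
    print("scoped to origin:", hosts_receiving(SET_COOKIE, ORIGIN, [ORIGIN, TARGET]))
    # Scoped to the redirect target (the behaviour the 2.6.0 entry describes).
    print("scoped to target:", hosts_receiving(SET_COOKIE, TARGET, [ORIGIN, TARGET]))
```

When the cookie is scoped against the redirect target, only the target host receives it, which is why pinned versions from v2.1.0 to v2.5.3 should be upgraded to 2.6.0 or later.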

**Features and Improvements**

- Support bytearrays when passed as parameters in the `files`
argument. (#2468)
- Avoid data duplication when creating a request with `str`, `bytes`,
or `bytearray` input to the `files` argument.

2.5.3

Not secure
------------------

**Bugfixes**

- Revert changes to our vendored certificate bundle. For more context
see #2455, #2456, and <https://bugs.python.org/issue23476>.

2.5.2

Not secure
------------------

**Features and Improvements**

- Add sha256 fingerprint support.
([shazow/urllib3#540](https://github.com/shazow/urllib3/pull/540))
- Improve the performance of headers.
([shazow/urllib3#544](https://github.com/shazow/urllib3/pull/544))

**Bugfixes**

- Copy pip's import machinery. When downstream redistributors remove
requests.packages.urllib3 the import machinery will continue to let
those same symbols work. Example usage in requests' documentation
and 3rd-party libraries relying on the vendored copies of urllib3
will work without having to fall back to the system urllib3.
- Attempt to quote parts of the URL on redirect if unquoting and then
quoting fails. (#2356)
- Fix filename type check for multipart form-data uploads. (#2411)
- Properly handle the case where a server issuing digest
authentication challenges provides both auth and auth-int
qop-values. (#2408)
- Fix a socket leak.
([shazow/urllib3#549](https://github.com/shazow/urllib3/pull/549))
- Fix multiple `Set-Cookie` headers properly.
([shazow/urllib3#534](https://github.com/shazow/urllib3/pull/534))
- Disable the built-in hostname verification.
([shazow/urllib3#526](https://github.com/shazow/urllib3/pull/526))
- Fix the behaviour of decoding an exhausted stream.
([shazow/urllib3#535](https://github.com/shazow/urllib3/pull/535))

**Security**

- Pulled in an updated `cacert.pem`.
- Drop RC4 from the default cipher list.
([shazow/urllib3#551](https://github.com/shazow/urllib3/pull/551))

2.5.1

Not secure
------------------

**Behavioural Changes**

- Only catch HTTPErrors in `raise_for_status` (#2382)

**Bugfixes**

- Handle LocationParseError from urllib3 (#2344)
- Handle file-like object filenames that are not strings (#2379)
- Unbreak HTTPDigestAuth handler. Allow new nonces to be negotiated
(#2389)

2.5.0

Not secure
------------------

**Improvements**

- Allow usage of urllib3's Retry object with HTTPAdapters (#2216)
- The `iter_lines` method on a response now accepts a delimiter with
which to split the content (#2295)

**Behavioural Changes**

- Add deprecation warnings to functions in requests.utils that will be
removed in 3.0 (#2309)
- Sessions used by the functional API are always closed (#2326)
- Restrict requests to HTTP/1.1 and HTTP/1.0 (stop accepting HTTP/0.9)
(#2323)

**Bugfixes**

- Only parse the URL once (#2353)
- Allow Content-Length header to always be overridden (#2332)
- Properly handle files in HTTPDigestAuth (#2333)
- Cap `redirect_cache` size to prevent memory abuse (#2299)
- Fix HTTPDigestAuth handling of redirects after authenticating
successfully (#2253)
- Fix crash with custom method parameter to Session.request (#2317)
- Fix how Link headers are parsed using the regular expression library
(#2271)

**Documentation**

- Add more references for interlinking (#2348)
- Update CSS for theme (#2290)
- Update width of buttons and sidebar (#2289)
- Replace references of Gittip with Gratipay (#2282)
- Add link to changelog in sidebar (#2273)
