Safety vulnerability ID: 37405
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Httpie 1.0.3 fixes CVE-2019-10751. The way the output filename is generated for ``--download`` requests without ``--output`` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. See: <https://github.com/jakubroztocil/httpie/releases/tag/1.0.3>.
Latest version: 3.2.4
HTTPie: modern, user-friendly command-line HTTP client for the API era.
* Fixed CVE-2019-10751 — the way the output filename is generated for
``--download`` requests without ``--output`` resulting in a redirect has
been changed to only consider the initial URL as the base for the generated
filename, and not the final one. This fixes a potential security issue under
the following scenario:
1. A ``--download`` request with no explicit ``--output`` is made (e.g.,
``$ http -d example.org/file.txt``), instructing httpie to
`generate the output filename <https://httpie.org/docdownloaded-file-name>`_
from the ``Content-Disposition`` response, or from the URL if the header
is not provided.
2. The server handling the request has been modified by an attacker and
instead of the expected response the URL returns a redirect to another
URL, e.g., ``attacker.example.org/.bash_profile``, whose response does
not provide a ``Content-Disposition`` header (i.e., the base for the
generated filename becomes ``.bash_profile`` instead of ``file.txt``).
3. Your current directory doesn’t already contain ``.bash_profile``
(i.e., no unique suffix is added to the generated filename).
4. You don’t notice the potentially unexpected output filename
as reported by httpie in the console output
(e.g., ``Downloading 100.00 B to ".bash_profile"``).
Reported by Raul Onitza and Giulio Comi.
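To make the filename-selection change concrete, here is an added example (written for this page, not HTTPie's own code) that models the pre-1.0.3 and post-fix behaviour side by side: the ``fixed`` flag, the helper names and the example URLs are assumptions, and the scenario is the redirect to a dotfile described above.

```python
"""Added example (not HTTPie's own code): models how the download filename is
chosen before and after the CVE-2019-10751 fix described in the changelog."""
import os
import re
from urllib.parse import urlsplit


def filename_from_content_disposition(header):
    """Return the filename= value from a Content-Disposition header, or None."""
    if not header:
        return None
    match = re.search(r'filename="?([^";]+)"?', header)
    if match:
        # Keep only the last path component so a header cannot steer the write
        # into another directory.
        return os.path.basename(match.group(1).strip())
    return None


def filename_from_url(url):
    """Last path segment of the URL, or 'index' when the path is empty."""
    return os.path.basename(urlsplit(url).path) or "index"


def unique_filename(name, existing):
    """Append -1, -2, ... when a file of that name already exists in the cwd."""
    root, ext = os.path.splitext(name)
    candidate, n = name, 1
    while candidate in existing:
        candidate = f"{root}-{n}{ext}"
        n += 1
    return candidate


def choose_download_filename(initial_url, final_url, content_disposition,
                             existing=(), fixed=True):
    """fixed=False reproduces the pre-1.0.3 behaviour (final, redirected URL is
    the base); fixed=True uses only the URL the user typed, as in 1.0.3."""
    name = filename_from_content_disposition(content_disposition)
    if name is None:
        name = filename_from_url(initial_url if fixed else final_url)
    return unique_filename(name, set(existing))


# Constructed scenario from the advisory: the origin redirects to a dotfile name
# and the final response carries no Content-Disposition header.
INITIAL = "http://example.org/file.txt"
FINAL = "http://attacker.example.org/.bash_profile"

if __name__ == "__main__":
    print(choose_download_filename(INITIAL, FINAL, None, fixed=False))  # .bash_profile
    print(choose_download_filename(INITIAL, FINAL, None, fixed=True))   # file.txt
```

With ``fixed=False`` the redirect target dictates the output name; with ``fixed=True`` only ``file.txt`` (or a suffixed variant if it already exists) can be written, so the console line ``Downloading ... to "file.txt"`` matches what the user asked for.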