CVE-2023-34457

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

===========

Breaking changes
----------------

* To prevent malicious web servers from reading arbitrary files from the
client, files must now be opened explicitly by the user in order to
upload their contents in form submission. For example, instead of:

browser["upload"] = "/path/to/file"

you would now use:

browser["upload"] = open("/path/to/file", "rb")

This remediates
`CVE-2023-34457 <https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4>`__.
Our thanks to e-c-d for reporting and helping to fix the vulnerability!

Main changes
------------

* Added support for Python 3.11.

* Allow submitting a form with no submit element. This can be achieved by
passing ``submit=False`` to ``StatefulBrowser.submit_selected``. Thanks
alexreg!
[`480 <https://github.com/MechanicalSoup/MechanicalSoup/pull/411`__]

Resources

• https://pypi.org/project/mechanicalsoup
• https://pyup.io/changelogs/mechanicalsoup/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34457
• https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0
• https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4
• https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e