Hi all,

I posted httpclient/2.1.3.1.

httpclient/2.1.3.1 fixes a vulnerability introduced at 2.1.3. httpclient <= 2.1.2 and http-access2 are safe.

get_content/post_content of httpclient/2.1.3 may send secure cookies for a https site to a non-secure (non-https) site when the https site redirects the request to a non-https site.

httpclient/2.1.3 caches the request object and reuses it for redirection. It should not be cached, and should be recreated each time, as httpclient <= 2.1.2 and http-access2 do. See http://dev.ctor.org/http-access2/changeset/259#file2 for more detail.

I realized this bug when I was reading the open-uri story on [ruby-core:21205]. Ruby users should use open-uri rather than using net/http directly wherever possible.

httpclient/2.1.3 users should update to 2.1.3.1.

'httpclient' gives something like the functionality of libwww-perl (LWP) in Ruby. 'httpclient' was formerly known as 'http-access2'.

Features:

* methods like GET/HEAD/POST/* via HTTP/1.1.
* HTTPS(SSL), Cookies, proxy, authentication(Digest, NTLM, Basic), etc.
* asynchronous HTTP request, streaming HTTP request.
* by contrast with net/http in standard distribution;
  * Cookies support
  * MT-safe
  * streaming POST (POST with File/IO)
  * Digest auth
  * Negotiate/NTLM auth for WWW-Authenticate (requires net/ntlm module)
  * NTLM auth for Proxy-Authenticate (requires win32/sspi module)
  * extensible with filter interface
  * you don't have to care about HTTP/1.1 persistent connection (httpclient cares instead of you)
* Not supported now
  * Cache
  * Rather advanced HTTP/1.1 usage such as Range, deflate, etc. (of course you can set it in header by yourself)

For more detail, see the API document at http://dev.ctor.org/doc/httpclient/

Download:

  http://dev.ctor.org/download/httpclient-2.1.3.1.tar.gz
  http://dev.ctor.org/download/httpclient-2.1.3.1.zip

sha1sum:

  eb2f562835106ec8925edae523cd471fb291e055  httpclient-2.1.3.1.tar.gz
  153d4d7ef5f79ffe90872a0f77fbad60e241e203  httpclient-2.1.3.1.zip

The gem is available from the official repository.

Regards,
// NaHi
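
The redirect behaviour described in the announcement, as an added example that is not httpclient's code: a small offline model in which a request built once and reused across a redirect carries a Secure cookie to an http URL, while a request rebuilt per hop does not. The cookie, host names, routes and all method names here are constructed for illustration.

```ruby
require 'uri'

# Constructed sample data: one Secure cookie and a site that redirects https -> http.
Cookie = Struct.new(:name, :value, :domain, :secure)
JAR = [Cookie.new('session', 's3cr3t', 'shop.example', true)]
ROUTES = { # constructed responses: URL => redirect target, or nil for a final 200
  'https://shop.example/login' => 'http://shop.example/welcome',
  'http://shop.example/welcome' => nil
}

# Cookie header value for a URL: Secure cookies are only eligible for https.
def cookie_header(url)
  uri = URI.parse(url)
  JAR.select { |c| c.domain == uri.host && (!c.secure || uri.scheme == 'https') }
     .map { |c| "#{c.name}=#{c.value}" }.join('; ')
end

# Request headers built for one specific URL (hypothetical helper).
def build_request(url)
  cookie = cookie_header(url)
  cookie.empty? ? {} : { 'Cookie' => cookie }
end

# Follows redirects and returns [[url, headers_sent], ...], one entry per hop.
# reuse_request: true models the cached request described for 2.1.3;
# false rebuilds the request for every hop, so cookies are re-evaluated.
def fetch(url, reuse_request:, limit: 5)
  sent = []
  cached = build_request(url)
  limit.times do
    headers = reuse_request ? cached : build_request(url)
    sent << [url, headers]
    url = ROUTES[url] or return sent
  end
  raise 'too many redirects'
end

# Defensive check: URLs of hops that carried a Cookie header over plain http.
def cleartext_cookie_hops(sent)
  sent.select { |url, h| URI.parse(url).scheme == 'http' && h.key?('Cookie') }
      .map(&:first)
end
```

The same `cleartext_cookie_hops` check can be used as a regression test around any redirect-following client by recording the headers sent at each hop.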