Subject: CVS commit: pkgsrc/www/py-aiohttp
From: Adam Ciarcinski
Date: 2021-02-26 07:21:52
Message id: 20210226062152.21B23FA95@cvs.NetBSD.org
Log Message:
py-aiohttp: updated to 3.7.4
3.7.4 (2021-02-25)
Bugfixes
(SECURITY BUG) Started preventing open redirects in the aiohttp.web.normalize_path_middleware middleware. For more details, see https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.
Thanks to Beast Glatisant for finding the first instance of this issue and Jelmer Vernooij for reporting and tracking it down in aiohttp.
Fix interpretation difference in how the pure-Python and the Cython-based HTTP parsers construct a yarl.URL object for HTTP request-target.
Before this fix, the Python parser would turn the URI's absolute-path for //some-path into / while the Cython code preserved it as //some-path. Now, both do the latter.
Files:
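
Why a preserved //some-path request-target matters to a middleware that redirects to the same path with a trailing slash, shown as an added illustration (not part of the commit message and not aiohttp's code). The function names and the hosts app.example and other.example are assumptions made for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed placeholder origin for the application serving the request.
BASE = "https://app.example/"


def append_slash_naive(request_target: str) -> str:
    """Build a Location value by appending '/' to the raw request-target."""
    path, _, query = request_target.partition("?")
    if not path.endswith("/"):
        path += "/"
    return path + ("?" + query if query else "")


def append_slash_safe(request_target: str) -> str:
    """Same redirect, but collapse leading slashes first so the result is
    always a path on this origin and never a '//host' network-path reference."""
    path, _, query = request_target.partition("?")
    path = re.sub(r"^/+", "/", path)
    if not path.endswith("/"):
        path += "/"
    return path + ("?" + query if query else "")


def redirect_host(location: str, base: str = BASE) -> str:
    """Host a client ends up on after resolving Location against the base URL."""
    return urlsplit(urljoin(base, location)).hostname


def stays_on_origin(location: str, base: str = BASE) -> bool:
    """Check usable in tests or a response hook: redirect must not leave the origin."""
    return redirect_host(location, base) == urlsplit(base).hostname


if __name__ == "__main__":
    # Constructed request-targets: one ordinary, two with leading double slashes.
    for target in ("/docs", "//other.example/docs", "///other.example/docs?x=1"):
        for build in (append_slash_naive, append_slash_safe):
            loc = build(target)
            print(f"{build.__name__:18} {target!r:30} -> {loc!r:32} "
                  f"host={redirect_host(loc)} same_origin={stays_on_origin(loc)}")
```
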