diff options
| author | taca <taca> | 2012-04-29 16:11:17 +0000 |
|---|---|---|
| committer | taca <taca> | 2012-04-29 16:11:17 +0000 |
| commit | d7c787de3b69b312c7f01b510e39f091e384de14 (patch) | |
| tree | 4537c36b784cfec8fb6433af79f1d7a77f636150 /www/w3c-httpd | |
| parent | fe4e6eac9e49efccfa9f9c5199d1ffe87e6cb918 (diff) | |
| download | pkgsrc-d7c787de3b69b312c7f01b510e39f091e384de14.tar.gz | |
Update ruby-mechanize to 2.4.
=== 2.4
* Security fix:
Mechanize#auth and Mechanize#basic_auth allowed disclosure of passwords to
malicious servers and have been removed.
In prior versions of mechanize only one set of HTTP authentication
credentials were allowed for all connections. If a mechanize instance
connected to more than one server then a malicious server detecting
mechanize could ask for HTTP Basic authentication. This would expose the
username and password intended only for one server.
Mechanize#auth and Mechanize#basic_auth now warn when used.
To fix the warning switch to Mechanize#add_auth which requires at the URI
the credentials are intended for, the username and the password.
Optionally an HTTP authentication realm or NTLM domain may be provided.
* Minor enhancement
* Improved exception messages for 401 Unauthorized responses. Mechanize now
tells you if you were missing credentials, had an incorrect password, etc.
Diffstat (limited to 'www/w3c-httpd')
0 files changed, 0 insertions, 0 deletions