File tree Expand file tree Collapse file tree 4 files changed +29
-16
lines changed Expand file tree Collapse file tree 4 files changed +29
-16
lines changed Original file line number Diff line number Diff line change @@ -14,6 +14,34 @@ Changelog
1414
1515.. towncrier release notes start
1616
17+
18+ ==================
19+
20+ Bugfixes
21+ --------
22+
23+ - **(SECURITY BUG) ** Started preventing open redirects in the
24+ ``aiohttp.web.normalize_path_middleware `` middleware. For
25+ more details, see
26+ https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.
27+
28+ Thanks to `Beast Glatisant <https://github.com/g147 >`__ for
29+ finding the first instance of this issue and `Jelmer Vernooij
30+ <https://jelmer.uk/> `__ for reporting and tracking it down
31+ in aiohttp.
32+ `#5497 <https://github.com/aio-libs/aiohttp/issues/5497 >`_
33+ - Fix interpretation difference of the pure-Python and the Cython-based
34+ HTTP parsers construct a ``yarl.URL `` object for HTTP request-target.
35+
36+ Before this fix, the Python parser would turn the URI's absolute-path
37+ for ``//some-path `` into ``/ `` while the Cython code preserved it as
38+ ``//some-path ``. Now, both do the latter.
39+ `#5498 <https://github.com/aio-libs/aiohttp/issues/5498 >`_
40+
41+
42+ ----
43+
44+
17453.7.3 (2020-11-18)
1846==================
1947
Load Diff This file was deleted.
Load Diff This file was deleted.
Original file line number Diff line number Diff line change 1- __version__ = "3.7.3 "
1+ __version__ = "3.7.4 "
22
33from typing import Tuple
44
You can’t perform that action at this time.
0 commit comments