Skip to content

Commit 0a26acc

Browse files
webknjazwebknjaz
committed
Bump aiohttp to v3.7.4 for a security release
1 parent 021c416 commit 0a26acc

File tree

4 files changed

+29
-16
lines changed

4 files changed

+29
-16
lines changed

CHANGES.rst

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,34 @@ Changelog
1414

1515
.. towncrier release notes start
1616
17+
3.7.3 (2021-02-25)
18+
==================
19+
20+
Bugfixes
21+
--------
22+
23+
- **(SECURITY BUG)** Started preventing open redirects in the
24+
``aiohttp.web.normalize_path_middleware`` middleware. For
25+
more details, see
26+
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.
27+
28+
Thanks to `Beast Glatisant <https://github.com/g147>`__ for
29+
finding the first instance of this issue and `Jelmer Vernooij
30+
<https://jelmer.uk/>`__ for reporting and tracking it down
31+
in aiohttp.
32+
`#5497 <https://github.com/aio-libs/aiohttp/issues/5497>`_
33+
- Fix interpretation difference of the pure-Python and the Cython-based
34+
HTTP parsers construct a ``yarl.URL`` object for HTTP request-target.
35+
36+
Before this fix, the Python parser would turn the URI's absolute-path
37+
for ``//some-path`` into ``/`` while the Cython code preserved it as
38+
``//some-path``. Now, both do the latter.
39+
`#5498 <https://github.com/aio-libs/aiohttp/issues/5498>`_
40+
41+
42+
----
43+
44+
1745
3.7.3 (2020-11-18)
1846
==================
1947

CHANGES/5497.bugfix

Lines changed: 0 additions & 9 deletions
This file was deleted.

CHANGES/5498.bugfix

Lines changed: 0 additions & 6 deletions
This file was deleted.

aiohttp/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
__version__ = "3.7.3"
1+
__version__ = "3.7.4"
22

33
from typing import Tuple
44

0 commit comments

Comments
 (0)