Commit bda20ba
Merge #193
193: Bump scrapy from 2.5.1 to 2.6.1 r=bidoubiwa a=dependabot[bot]
Bumps [scrapy](https://github.com/scrapy/scrapy) from 2.5.1 to 2.6.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/scrapy/scrapy/releases">scrapy's releases</a>.</em></p>
<blockquote>
<h2>2.6.1</h2>
<p>Fixes a regression introduced in 2.6.0 that would unset the request method when following redirects.</p>
<h2>2.6.0</h2>
<ul>
<li><strong>Security fixes for cookie handling</strong> (see details below)</li>
<li>Python 3.10 support</li>
<li><a href="https://docs.scrapy.org/en/latest/topics/asyncio.html">asyncio support</a> is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version</li>
<li>Feed exports now support <a href="https://docs.python.org/3/library/pathlib.html#pathlib.Path"><code>pathlib.Path</code></a> output paths and per-feed item filtering and post-processing</li>
</ul>
<p><a href="https://docs.scrapy.org/en/latest/news.html#scrapy-2-6-0-2022-03-01">See the full changelog</a></p>
<h3>Security bug fixes</h3>
<ul>
<li>
<p>When a <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object with cookies defined gets a redirect response causing a new <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object to be scheduled, the cookies defined in the original <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object are no longer copied into the new <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object.</p>
<p>If you manually set the <code>Cookie</code> header on a <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object and the domain name of the redirect URL is not an exact match for the domain of the URL of the original <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object, your <code>Cookie</code> header is now dropped from the new <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object.</p>
<p>The old behavior could be exploited by an attacker to gain access to your cookies. Please, see the <a href="https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8">cjvr-mfj7-j4j8 security advisory</a> for more information.</p>
<p><strong>Note:</strong> It is still possible to enable the sharing of cookies between different domains with a shared domain suffix (e.g. <code>example.com</code> and any subdomain) by defining the shared domain suffix (e.g. <code>example.com</code>) as the cookie domain when defining your cookies. See the documentation of the <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> class for more information.</p>
</li>
<li>
<p>When the domain of a cookie, either received in the <code>Set-Cookie</code> header of a response or defined in a <a href="https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request"><code>Request</code></a> object, is set to a <a href="https://publicsuffix.org/">public suffix</a>, the cookie is now ignored unless the cookie domain is the same as the request domain.</p>
<p>The old behavior could be exploited by an attacker to inject cookies from a controlled domain into your cookiejar that could be sent to other domains not controlled by the attacker. Please, see the <a href="https://github.com/scrapy/scrapy/security/advisories/GHSA-mfjm-vh54-3f96">mfjm-vh54-3f96 security advisory</a> for more information.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/scrapy/scrapy/blob/master/docs/news.rst">scrapy's changelog</a>.</em></p>
<blockquote>
<h2>Scrapy 2.6.1 (2022-03-01)</h2>
<p>Fixes a regression introduced in 2.6.0 that would unset the request method when following redirects.</p>
<h2>Scrapy 2.6.0 (2022-03-01)</h2>
<p>Highlights:</p>
<ul>
<li>
<p>Security fixes for cookie handling</p>
</li>
<li>
<p>Python 3.10 support</p>
</li>
<li>
<p>asyncio support is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version</p>
</li>
<li>
<p>Feed exports now support <code>pathlib.Path</code> output paths and per-feed item filtering and post-processing</p>
</li>
</ul>
<h3>Security bug fixes</h3>
<ul>
<li>
<p>When a <code>Request</code> object with cookies defined gets a redirect response causing a new <code>Request</code> object to be scheduled, the cookies defined in the original <code>Request</code> object are no longer copied into the new <code>Request</code> object.</p>
<p>If you manually set the <code>Cookie</code> header on a <code>Request</code> object and the domain name of the redirect URL is not an exact match for the domain of the URL of the original <code>Request</code> object, your <code>Cookie</code> header is now dropped from the new <code>Request</code> object.</p>
<p>The old behavior could be exploited by an attacker to gain access to your cookies. Please, see the <a href="https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8">cjvr-mfj7-j4j8 security advisory</a> for more information.</p>
<p><strong>Note:</strong> It is still possible to enable the sharing of cookies between</p>
</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/scrapy/scrapy/commit/23537a0f9580bfb28ac5d8b88f37df47e838f463"><code>23537a0</code></a> Bump version: 2.6.0 → 2.6.1</li>
<li><a href="https://github.com/scrapy/scrapy/commit/fab3e907297abd89106fb040c1c0c6a24b9522a2"><code>fab3e90</code></a> Cover 2.6.1 in the release notes</li>
<li><a href="https://github.com/scrapy/scrapy/commit/d60636d0de94c5a08c25d1d6820faed0b45506b7"><code>d60636d</code></a> Fix redirect handling regression</li>
<li><a href="https://github.com/scrapy/scrapy/commit/84853c4fa6eb30bdcba0f70b4426994d731509fe"><code>84853c4</code></a> bandit: allow-list B324 for the time being</li>
<li><a href="https://github.com/scrapy/scrapy/commit/6b63e7c14758fdc59f37cb6c2c9b88abebe8606f"><code>6b63e7c</code></a> Bump version: 2.5.0 → 2.6.0</li>
<li><a href="https://github.com/scrapy/scrapy/commit/e865c4430e58a4faa0e0766b23830f8423d6167a"><code>e865c44</code></a> Merge pull request from GHSA-mfjm-vh54-3f96</li>
<li><a href="https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"><code>8ce01b3</code></a> Merge pull request from GHSA-cjvr-mfj7-j4j8</li>
<li><a href="https://github.com/scrapy/scrapy/commit/aa0306a167ef34b23cc2ec407a48359a4b5a8d0a"><code>aa0306a</code></a> Cover 2.6.0 in the release notes (<a href="https://github-redirect.dependabot.com/scrapy/scrapy/issues/5399">#5399</a>)</li>
<li><a href="https://github.com/scrapy/scrapy/commit/08557e09db4bcb109eb78e9058622ab5cef77415"><code>08557e0</code></a> Pin old markupsafe when we pin old mitmproxy (<a href="https://github-redirect.dependabot.com/scrapy/scrapy/issues/5427">#5427</a>)</li>
<li><a href="https://github.com/scrapy/scrapy/commit/3b42ccfebadd72d9b455f6526ab63835b72b1558"><code>3b42ccf</code></a> Add a link to Discord (<a href="https://github-redirect.dependabot.com/scrapy/scrapy/issues/5422">#5422</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/scrapy/scrapy/compare/2.5.1...2.6.1">compare view</a></li>
</ul>
</details>
<br />
You can trigger a rebase of this PR by commenting `@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

2 files changed, +112 −115 lines changed; the file-by-file diff is not included on this page.
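As an added example, not Scrapy's own code and not part of this PR: a stdlib-only Python model of the two cookie rules from the 2.6.0 security fixes quoted above, so the behaviour that changed can be checked offline before and after an upgrade. It covers the manually set `Cookie` header case of the first fix (dropped on any redirect whose host is not an exact match, subdomains included) and the public-suffix rule of the second fix (a `Set-Cookie` with `Domain=com` from a page on one site must not enter a jar that is later consulted for other sites). It does not model the `cookies=` argument path, which Scrapy routes through its cookiejar. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the publicsuffix.org list, and the function names are this example's own.

```python
"""Added example, not Scrapy's own code: a stdlib-only model of the two cookie
rules described in the 2.6.0 security fixes. The public-suffix set is a
constructed stand-in for the publicsuffix.org list; the function names are
this example's own."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (publicsuffix.org). A real
# implementation loads the full list; a few entries are enough to show the rule.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def host_of(url: str) -> str:
    """Lower-cased host of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def headers_after_redirect(original_url: str, redirect_url: str, headers: dict) -> dict:
    """Rule 1 (GHSA-cjvr-mfj7-j4j8): headers carried over to the redirected request.

    A Cookie header that was set by hand is copied only when the redirect
    target host is exactly the original host; any other host, including a
    subdomain of the original, gets the request without it. All other
    headers are copied unchanged."""
    same_host = host_of(original_url) == host_of(redirect_url)
    return {
        name: value
        for name, value in headers.items()
        if name.lower() != "cookie" or same_host
    }


def is_public_suffix(domain: str) -> bool:
    """True when the domain is itself a public suffix (per the stand-in list)."""
    return domain.lower().lstrip(".") in PUBLIC_SUFFIXES


def accept_set_cookie(request_url: str, set_cookie_header: str) -> dict:
    """Rule 2 (GHSA-mfjm-vh54-3f96): which cookies from one Set-Cookie header
    may enter the jar for a response fetched from request_url.

    A cookie whose Domain attribute is a public suffix (e.g. Domain=com sent
    by a page on evil.com) is dropped unless that domain is exactly the request
    host, so it can never be replayed to unrelated sites under the same suffix.
    A Domain that is neither the request host nor one of its parents is
    dropped as well. Returns {name: {"value": ..., "domain": ...}}."""
    request_host = host_of(request_url)
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    accepted = {}
    for name, morsel in parsed.items():
        # No Domain attribute: the cookie is host-only and belongs to request_host.
        domain = morsel["domain"].lower().lstrip(".") or request_host
        if is_public_suffix(domain) and domain != request_host:
            continue
        if domain != request_host and not request_host.endswith("." + domain):
            continue
        accepted[name] = {"value": morsel.value, "domain": domain}
    return accepted


if __name__ == "__main__":
    # Constructed inputs: a session cookie set by hand, then a cross-host redirect.
    print(headers_after_redirect("https://example.com/login",
                                 "https://attacker.example/",
                                 {"Cookie": "session=abc", "User-Agent": "ua"}))
    # Constructed input: a page on evil.com trying to plant a cookie for all of .com.
    print(accept_set_cookie("https://evil.com/", "tracker=1; Domain=com"))
```

The redirect rule is deliberately an exact host comparison rather than a suffix match: the release notes state that even a redirect to a subdomain drops a hand-set `Cookie` header, and the note above explains that sharing across `example.com` and its subdomains is done by giving the cookie `example.com` as its domain, which the second function accepts because `example.com` is not a public suffix and is a parent of `www.example.com`.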