This post originated from an RSS feed registered with Ruby Buzz
by Eric Hodel.
Original Post: Mechanize 2.4 Security Fix
Feed Title: Segment7
Feed URL: http://blog.segment7.net/articles.rss
Feed Description: Posts about and around Ruby, MetaRuby, ruby2c, ZenTest and work at The Robot Co-op.
The Mechanize library is used for automating interaction with websites.
Mechanize automatically stores and sends cookies, follows redirects, and
can follow links and submit forms. Form fields can be populated and
submitted. Mechanize also keeps track of the sites that you have visited
as a history.
Changes
Security fix:
Mechanize#auth and Mechanize#basic_auth allowed disclosure of passwords to
malicious servers and have been deprecated.
In prior versions of mechanize only one set of HTTP authentication
credentials was allowed for all connections. If a mechanize instance
connected to more than one server, a malicious server that detected
mechanize could respond with an HTTP Basic authentication challenge, and
mechanize would answer it with the username and password intended only
for a different server.
Mechanize#auth and Mechanize#basic_auth now warn when used.
To fix the warning, switch to Mechanize#add_auth, which requires the URI
the credentials are intended for, the username, and the password. Optionally,
an HTTP authentication realm or NTLM domain may be provided.
Minor enhancement:
Improved exception messages for 401 Unauthorized responses. Mechanize now
tells you whether you were missing credentials, supplied an incorrect
password, and so on.