Update dependency rmccue/requests to v1.8.0 [SECURITY] - abandoned

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rmccue/requests (source)	require	minor	1.6.1 -> 1.8.0

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-29476

Impact

Unserialization of untrusted data.

Patches

The issue has been patched and users of Requests 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.

References

Publications about the vulnerability:

• https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress
• https://github.com/ambionics/phpggc/issues/52
• https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/
• https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf
• https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
• https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf
• https://medium.com/@​knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#​3c0f

Originally fixed in WordPress 5.5.2:

• WordPress/wordpress-develop@add6bed
• https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/

Related Security Advisories:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032
• https://nvd.nist.gov/vuln/detail/CVE-2020-28032

Notification to the Requests repo including a fix in:

• https://github.com/rmccue/Requests/pull/421 and
• https://github.com/rmccue/Requests/pull/422

For more information

If you have any questions or comments about this advisory:

• Open an issue in Request

---

Release Notes

WordPress/Requests

v1.8.0

Compare Source

IMPORTANT NOTES

Last release supporting PHP 5.2 - 5.5

Release 1.8.0 will be the last release with compatibility for PHP 5.2 - 5.5. With the next release (v2.0.0), the minimum PHP version will be bumped to 5.6.

Last release supporting PEAR distribution

Release 1.8.0 will be the last release to be distributed via PEAR. From release 2.0.0 onwards, consumers of this library will have to switch to Composer to receive updates.

Overview of changes

• [SECURITY FIX] Disable deserialization in FilteredIterator

  A Deserialization of Untrusted Data weakness was found in the FilteredIterator class.

  This security vulnerability was first reported to the WordPress project. The security fix applied to WordPress has been ported back into the library.

  GitHub security advisory: Insecure Deserialization of untrusted data

  CVE: CVE-2021-29476 - Deserialization of Untrusted Data

  Related WordPress CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032

  (props [@​dd32][gh-dd32], [@​desrosj][gh-desrosj], [@​jrfnl][gh-jrfnl], [@​peterwilsoncc][gh-peterwilsoncc], [@​SergeyBiryukov][gh-SergeyBiryukov], [@​whyisjake][gh-whyisjake], [@​xknown][gh-xknown], #​421, #​422)

• Repository moved to WordPress\Requests

  The Requests library has been moved to the WordPress GitHub organization and can now be found under https://github.com/WordPress/Requests.

  All links in code and documentation were updated accordingly.

  Note: the Composer package name remains unchanged (rmccue/requests), as well as the documentation site (requests.ryanmccue.info).

  (props [@​dd32][gh-dd32], [@​JustinyAhin][gh-JustinyAhin], [@​jrfnl][gh-jrfnl], [@​rmccue][gh-rmccue], #​440, #​441, #​448)

• Manage "Expect" header with cURL transport

  By default, cURL adds a Expect: 100-Continue header to certain requests. This can add as much as a second delay to requests done using cURL. This is discussed on the cURL mailing list.

  To prevent this, Requests now adds an empty "Expect" header to requests that are smaller than 1 MB and use HTTP/1.1.

  (props [@​carlalexander][gh-carlalexander], [@​schlessera][gh-schlessera], [@​TimothyBJacobs][gh-TimothyBJacobs], #​453, #​454, #​469)

• Update bundled certificates as of 2021-02-12

  The bundled certificates were updated. A small subset of expired certificates are still included for legacy reasons (and support).

  (props [@​ozh][gh-ozh], [@​patmead][gh-patmead], [@​schlessera][gh-schlessera], [@​todeveni][gh-todeveni], #​385, #​398, #​451)

• Add required Content-* headers for empty POST requests

  Sends the Content-Length and Content-Type headers even for empty POST requests, as the length is expected as per RFC2616 Section 14.13:

  Content-Length header "SHOULD" be included. In practice, it is not
  used for GET nor HEAD requests, but is expected for POST requests.
  

  (props [@​dd32][gh-dd32], [@​gstrauss][gh-gstrauss], [@​jrfnl][gh-jrfnl], [@​soulseekah][gh-soulseekah], #​248, #​249, #​318, #​368)

• Ignore locale when creating the HTTP version string from a float

  The previous behavior allowed for the locale to mess up the float to string conversion resulting in a GET / HTTP/1,1 instead of GET / HTTP/1.1 request.

  (props [@​tonebender][gh-tonebender], [@​Zegnat][gh-Zegnat], #​335, #​339)

• Make verify => false work with fsockopen

  This allows the fsockopen transport now to ignore SSL failures when requested.

  (props [@​soulseekah][gh-soulseekah], #​310, #​311)

• Only include port number in the Host header if it differs from the default

  The code was not violating the RFC per se, but also not following standard practice of leaving the port off when it is the default port for the scheme, which could lead to connectivity issues.

  (props [@​amandato][gh-amandato], [@​dd32][gh-dd32], #​238)

• Fix PHP cross-version compatibility

  Important fixes have been made to improve cross-version compatibility of the code across all supported PHP versions.

  • Use documented order for implode() arguments.
  • Harden type handling when no domain was passed.
  • Explicitly cast $url property to string in Requests::parse_response().
  • Initialize $body property to an empty string in Requests::parse_response().
  • Ensure the stream handle is valid before trying to close it.
  • Ensure the $callback in the FilteredIterator is callable before calling it.

  (props [@​aaronjorbin][gh-aaronjorbin], [@​jrfnl][gh-jrfnl], #​346, #​370, #​425, #​426, #​456, #​457)

• Improve testing

  Lots of improvements were made to render the tests more reliable and increase the coverage.

  And to top it all off, all tests are now run against all supported PHP versions, including PHP 8.0.

  (props [@​datagutten][gh-datagutten], [@​jrfnl][gh-jrfnl], [@​schlessera][gh-schlessera], #​345, #​351, #​355, #​366, #​412, #​414, #​445, #​458, #​464)

• Improve code quality and style

  A whole swoop of changes has been made to harden the code and make it more consistent.

  The code style has been made consistent across both code and tests and is now enforced via a custom PHPCS rule set.

  The WordPress Coding Standards were chosen as the basis for the code style checks as most contributors to this library originate from the WordPress community and will be familiar with this code style.

  Main differences from the WordPress Coding Standards based on discussions and an analysis of the code styles already in use:

  • No whitespace on the inside of parentheses.
  • No Yoda conditions.

  A more detailed overview of the decisions that went into the final code style rules can be found at #​434.

  (props [@​jrfnl][gh-jrfnl], [@​KasperFranz][gh-KasperFranz], [@​ozh][gh-ozh], [@​schlessera][gh-schlessera], [@​TysonAndre][gh-TysonAndre], #​263, #​296, #​328, #​358, #​359, #​360, #​361, #​362, #​363, #​364, #​386, #​396, #​399, #​400, #​401, #​402, #​403, #​404, #​405, #​406, #​408, #​409, #​410, #​411, #​413, #​415, #​416, #​417, #​423, #​424, #​434)

• Replace Travis CI with GitHub Actions (partial)

  The entire CI setup is gradually being moved from Travis CI to GitHub Actions.

  At this point, GitHub Actions takes over the CI from PHP 5.5 onwards, leaving Travis CI as a fallback for lower PHP versions.

  This move will be completed after the planned minimum version bump to PHP 5.6+ with the next release, at which point we will get rid of all the remaining Travis CI integrations.

  (props [@​dd32][gh-dd32], [@​desrosj][gh-desrosj], [@​jrfnl][gh-jrfnl], [@​ntwb][gh-ntwb], [@​ozh][gh-ozh], [@​schlessera][gh-schlessera], [@​TimothyBJacobs][gh-TimothyBJacobs], [@​TysonAndre][gh-TysonAndre], #​280, #​298, #​302, #​303, #​352, #​353, #​354, #​356, #​388, #​397, #​428, #​436, #​439, #​461, #​467)

• Update and improve documentation

  • Use clearer and more inclusive language.
  • Update the GitHub Pages site.
  • Update content and various tweaks to the markdown.
  • Fix code blocks in README.md file.
  • Add pagination to documentation pages.

  (props [@​desrosj][gh-desrosj], [@​jrfnl][gh-jrfnl], [@​JustinyAhin][gh-JustinyAhin], [@​tnorthcutt][gh-tnorthcutt], #​334, #​367, #​387, #​443, #​462, #​465, #​468, #​471 )

v1.7.0

Compare Source

• Add support for HHVM and PHP 7

  Requests is now tested against both HHVM and PHP 7, and they are supported as
  first-party platforms.

  (props [@​rmccue][gh-rmccue], #​106, #​176)

• Transfer & connect timeouts, in seconds & milliseconds

  cURL is unable to handle timeouts under a second in DNS lookups, so we round
  those up to ensure 1-999ms isn't counted as an instant failure.

  (props [@​ozh][gh-ozh], [@​rmccue][gh-rmccue], #​97, #​216)

• Rework cookie handling to be more thorough.

  Cookies are now restricted to the same-origin by default, expiration is checked.

  (props [@​catharsisjelly][gh-catharsisjelly], [@​rmccue][gh-rmccue], #​120, #​124, #​130, #​132, #​156)

• Improve testing

  Tests are now run locally to speed them up, as well as further general
  improvements to the quality of the testing suite. There are now also
  comprehensive proxy tests to ensure coverage there.

  (props [@​rmccue][gh-rmccue], #​75, #​107, #​170, #​177, #​181, #​183, #​185, #​196, #​202, #​203)

• Support custom HTTP methods

  Previously, custom HTTP methods were only supported on sockets; they are now
  supported across all transports.

  (props [@​ocean90][gh-ocean90], #​227)

• Add byte limit option

  (props [@​rmccue][gh-rmccue], #​172)

• Support a Requests_Proxy_HTTP() instance for the proxy setting.

  (props [@​ocean90][gh-ocean90], #​223)

• Add progress hook

  (props [@​rmccue][gh-rmccue], #​180)

• Add a before_redirect hook to alter redirects

  (props [@​rmccue][gh-rmccue], #​205)

• Pass cURL info to after_request

  (props [@​rmccue][gh-rmccue], #​206)

• Remove explicit autoload in Composer installation instructions

  (props [@​SlikNL][gh-SlikNL], #​86)

• Restrict CURLOPT_PROTOCOLS on defined() instead of version_compare()

  (props [@​ozh][gh-ozh], #​92)

• Fix doc - typo in "Authentication"

  (props [@​remik][gh-remik], #​99)

• Contextually check for a valid transport

  (props [@​ozh][gh-ozh], #​101)

• Follow relative redirects correctly

  (props [@​ozh][gh-ozh], #​103)

• Use cURL's version_number

  (props [@​mishan][gh-mishan], #​104)

• Removed duplicated option docs

  (props [@​staabm][gh-staabm], #​112)

• code styling fixed

  (props [@​imsaintx][gh-imsaintx], #​113)

• Fix IRI "normalization"

  (props [@​ozh][gh-ozh], #​128)

• Mention two PHP extension dependencies in the README.

  (props [@​orlitzky][gh-orlitzky], #​136)

• Ignore coverage report files

  (props [@​ozh][gh-ozh], #​148)

• drop obsolete "return" after throw

  (props [@​staabm][gh-staabm], #​150)

• Updated exception message to specify both http + https

  (props [@​beutnagel][gh-beutnagel], #​162)

• Sets stream_headers method to public to allow calling it from other
  places.

  (props [@​adri][gh-adri], #​158)

• Remove duplicated stream_get_meta_data call

  (props [@​rmccue][gh-rmccue], #​179)

• Transmits $errno from stream_socket_client in exception

  (props [@​laurentmartelli][gh-laurentmartelli], #​174)

• Correct methods to use snake_case

  (props [@​rmccue][gh-rmccue], #​184)

• Improve code quality

  (props [@​rmccue][gh-rmccue], #​186)

• Update Build Status image

  (props [@​rmccue][gh-rmccue], #​187)

• Fix/Rationalize transports (v2)

  (props [@​rmccue][gh-rmccue], #​188)

• Surface cURL errors

  (props [@​ifwe][gh-ifwe], #​194)

• Fix for memleak and curl_close() never being called

  (props [@​kwuerl][gh-kwuerl], #​200)

• addex how to install with composer

  (props [@​royopa][gh-royopa], #​164)

• Uppercase the method to ensure compatibility

  (props [@​rmccue][gh-rmccue], #​207)

• Store default certificate path

  (props [@​rmccue][gh-rmccue], #​210)

• Force closing keep-alive connections on old cURL

  (props [@​rmccue][gh-rmccue], #​211)

• Docs: Updated HTTP links with HTTPS links where applicable

  (props [@​ntwb][gh-ntwb], #​215)

• Remove the executable bit

  (props [@​ocean90][gh-ocean90], #​224)

• Change more links to HTTPS

  (props [@​rmccue][gh-rmccue], #​217)

• Bail from cURL when either curl_init() OR curl_exec() are unavailable

  (props [@​dd32][gh-dd32], #​230)

• Disable OpenSSL's internal peer_name checking when verifyname is disabled.

  (props [@​dd32][gh-dd32], #​239)

• Only include the port number in the Host header when it differs from
  default

  (props [@​dd32][gh-dd32], #​238)

• Respect port if specified for HTTPS connections

  (props [@​dd32][gh-dd32], #​237)

• Allow paths starting with a double-slash

  (props [@​rmccue][gh-rmccue], #​240)

• Fixes bug in rfc2616 #​3.6.1 implementation.

  (props [@​stephenharris][gh-stephenharris], #​236, #​3)

• CURLOPT_HTTPHEADER在php7接受空数组导致php-fpm奔溃

  (props [@​qibinghua][gh-qibinghua], #​219)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.