2.9.0 / 2023-04-07

2.9.0 / 2023-04-07

Requirements

• Mechanize now requires Ruby 2.6 or newer.

Improvement

• Mechanize can now parse frozen strings. (#610)

2.8.5 / 2022-06-09

2.8.5 / 2022-06-09

Security

Fixes low-severity CVE-2022-31033, "Authorization header leak on port redirect." See GHSA-64qm-hrgp-pgr9 for more details.

2.8.4 / 2022-01-17

2.8.4 / 2022-01-17

Fix

• Mechanize::CookieJar#load calls Psych.safe_load when using Psych >= 3.1

2.8.3 / 2021-11-11

2.8.3 / 2021-11-11

Update

• Update the "Linux Firefox" user agent string to rev94 (#587) Thank you, @ncs1!

2.8.2 / 2021-08-06

2.8.2 / 2021-08-06

Dependencies

• Update dependency on Addressable from ~>2.7 to ~>2.8. (#584) @yidingww

2.8.1 / 2021-05-09

2.8.1 / 2021-05-09

Fix

• Gracefully handle parsing errors that contain an invalid byte sequence. Previously, if libxml2 registered a parsing error that itself contained invalid encoding, an exception might be raised. (#553)

2.8.0 / 2021-04-01

2.8.0 / 2021-04-01

• Requirements

  • Mechanize now requires Ruby 2.5 or newer.
  • Move from ntlm-http to rubyntlm gem. (#495, #574)

• New Features

  • Page::Link#uri now handles non-ASCII hrefs. (#569) @terryyin
  • FileConnection supports Windows drive letters (#483)
  • Credential headers 'Authorization' and 'Cookie' are deleted on cross-origin redirects. (#538) @kyoshidajp
  • ContentDispositionParser handles ISO8601 date headers, to be robust with websites that ignore RFC2183. (#554) @reitermarkus

• Bug fix

  • POST headers 'Content-Length', 'Content-MD5', and 'Content-Type' are deleted in a case-insensitive manner on redirects. Previously these headers were treated as case-sensitive.

2.7.7 / 2021-02-01

2.7.7 / 2021-02-01

• Security fixes for CVE-2021-21289

  Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes'
  methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if
  untrusted input is used as a local filename and passed to any of these calls:

  • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
  • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
  • Mechanize#download: since v2.2 (see dc91667)
  • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
  • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
  • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

  See GHSA-qrqm-fpv6-6r8g for more
  information.

  Also see #547, #548. Thank you, @kyoshidajp!

• New Features

  • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena

• Bug fix

  • Ignore input fields with blank names (#542, #536)