Mechanize 2.4 Security Fix Released

The Mechanize library is used for automating interaction with websites.
Mechanize automatically stores and sends cookies, follows redirects,
and can follow links and submit forms. Form fields can be populated and
submitted. Mechanize also keeps track of the sites that you have visited
as a history.

=== Changes

  • Security fix:

    Mechanize#auth and Mechanize#basic_auth allowed disclosure of
    passwords to malicious servers and have been deprecated.

    In prior versions of mechanize only one set of HTTP authentication
    credentials was allowed for all connections. If a mechanize instance
    connected to more than one server, a malicious server that detected
    mechanize could ask for HTTP Basic authentication and would receive
    the username and password intended only for the other server. Because
    the Basic scheme sends the credentials base64-encoded rather than
    encrypted, the malicious server obtains them directly.

    Mechanize#auth and Mechanize#basic_auth now warn when used.

    To fix the warning, switch to Mechanize#add_auth, which requires the
    URI the credentials are intended for, the username and the password.
    Optionally an HTTP authentication realm or NTLM domain may be
    provided. Credentials added this way are only sent to the server they
    were registered for.

    See http://mechanize.rubyforge.org/Mechanize.html#method-i-add_auth
    for complete details.

  • Minor enhancement

    • Improved exception messages for 401 Unauthorized responses.
      Mechanize now tells you if you were missing credentials, had an
      incorrect password, etc.
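The following is an added example, not Mechanize's own code, that models the difference between the deprecated single-credential behaviour and the per-URI scoping that Mechanize#add_auth introduces. A legacy store keeps one global username/password and answers any server's Basic challenge with it; a scoped store keys credentials by scheme, host, port and optional realm and answers only matching challenges. The class names, the challenge strings, the two sample hosts and the omission of the NTLM domain parameter are all assumptions made for this illustration.

```ruby
# Added example (not Mechanize's own code): a small model of the credential
# handling that the 2.4 fix moved to. Class names, hosts and challenge text
# are constructed for illustration; the NTLM domain option is left out.
require 'uri'

# Pre-2.4 behaviour: a single credential pair shared by every connection.
class LegacyAuthStore
  def basic_auth(user, pass)
    @user, @pass = user, pass
  end

  # Any 401 carrying a Basic challenge gets the one stored pair,
  # regardless of which server sent it.
  def credentials_for(_uri, _realm)
    @user ? [@user, @pass] : nil
  end
end

# 2.4 behaviour: credentials bound to the URI (and optionally realm) they are for.
class ScopedAuthStore
  def initialize
    @creds = {}
  end

  # Mirrors the documented add_auth(uri, user, pass, realm = nil) shape.
  def add_auth(uri, user, pass, realm = nil)
    uri = URI(uri)
    @creds[[uri.scheme, uri.host.downcase, uri.port, realm]] = [user, pass]
  end

  # A realm-specific entry wins; otherwise fall back to a realm-less entry
  # for the same origin. A different origin never matches.
  def credentials_for(uri, realm)
    uri = URI(uri)
    origin = [uri.scheme, uri.host.downcase, uri.port]
    @creds[origin + [realm]] || @creds[origin + [nil]]
  end
end

# Extract the realm from a WWW-Authenticate header; nil for non-Basic schemes.
def parse_basic_realm(header)
  m = /\ABasic\s+realm="([^"]*)"/i.match(header)
  m && m[1]
end

# Build the Authorization header the client would send back, or nil when the
# store holds nothing for this origin/realm (the "missing credentials" case).
def respond_to_challenge(store, uri, www_authenticate)
  realm = parse_basic_realm(www_authenticate)
  return nil unless realm
  creds = store.credentials_for(uri, realm)
  return nil unless creds
  # Basic auth is just base64 of "user:pass"; pack('m0') is strict base64.
  'Basic ' + [creds.join(':')].pack('m0')
end

# Constructed scenario: two servers both send a Basic challenge, but only the
# first one should ever see the password.
TRUSTED   = 'https://intranet.example.com/reports'
MALICIOUS = 'https://attacker.example.net/'
CHALLENGE = 'Basic realm="Reports"'

def legacy_leak
  store = LegacyAuthStore.new
  store.basic_auth('alice', 's3cret')
  {
    trusted:   respond_to_challenge(store, TRUSTED, CHALLENGE),
    malicious: respond_to_challenge(store, MALICIOUS, CHALLENGE),
  }
end

def scoped_no_leak
  store = ScopedAuthStore.new
  store.add_auth(TRUSTED, 'alice', 's3cret')
  {
    trusted:   respond_to_challenge(store, TRUSTED, CHALLENGE),
    malicious: respond_to_challenge(store, MALICIOUS, CHALLENGE),
  }
end

if $PROGRAM_NAME == __FILE__
  puts "legacy: #{legacy_leak.inspect}"
  puts "scoped: #{scoped_no_leak.inspect}"
end
```

Running it shows the legacy store handing the same Authorization header to both hosts, while the scoped store answers only the intranet challenge and returns nil for the attacker's host. In a real Mechanize 2.4 client the equivalent migration is replacing `agent.basic_auth(user, pass)` with `agent.add_auth(uri, user, pass)` for each server that needs credentials.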