- Security fixes for cookie handling (see details below)
- Python 3.10 support
- asyncio support is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version
- Feed exports now support
pathlib.Pathoutput paths and per-feed item filtering and post-processing
Security bug fixes
-
When a
Requestobject with cookies defined gets a redirect response causing a newRequestobject to be scheduled, the cookies defined in the originalRequestobject are no longer copied into the newRequestobject.If you manually set the
Cookieheader on aRequestobject and the domain name of the redirect URL is not an exact match for the domain of the URL of the originalRequestobject, yourCookieheader is now dropped from the newRequestobject.The old behavior could be exploited by an attacker to gain access to your cookies. Please, see the cjvr-mfj7-j4j8 security advisory for more
information.Note: It is still possible to enable the sharing of cookies between different domains with a shared domain suffix (e.g.
example.comand any subdomain) by defining the shared domain suffix (e.g.example.com) as the cookie domain when defining your cookies. See the documentation of theRequestclass for more information. -
When the domain of a cookie, either received in the
Set-Cookieheader of a response or defined in aRequestobject, is set to apublic suffix <https://publicsuffix.org/>_, the cookie is now ignored unless the cookie domain is the same as the request domain.The old behavior could be exploited by an attacker to inject cookies from a controlled domain into your cookiejar that could be sent to other domains not controlled by the attacker. Please, see the mfjm-vh54-3f96 security advisory for more information.