From 78ad1c94dd79a88fc856efa5502d602d8fa46fb0 Mon Sep 17 00:00:00 2001
From: Marius Gedminas
Date: Sat, 3 Nov 2018 10:57:12 +0200
Subject: [PATCH] Require a recent Requests version

Requests versions <= 2.19.1 are vulnerable to CVE-2018-18074:

> The Requests package through 2.19.1 before 2018-09-14 for Python sends
> an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

Thank you, GitHub security alerts, for bringing this to my attention.
---
 requirements.txt | 2 +-
 setup.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 2e457754..20b72eea 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 # required:
-requests<2.15,>=2.4
+requests >= 2.20.0
 pyxdg
 dnspython
 # optional:
diff --git a/setup.py b/setup.py
index a2088801..e65cd525 100755
--- a/setup.py
+++ b/setup.py
@@ -501,7 +501,7 @@ args = dict(
 },
 # Requirements, usable with setuptools or the new Python packaging module.
 install_requires = [
- 'requests<2.15,>=2.4',
+ 'requests >= 2.20.0',
 'dnspython',
 'pyxdg',
 ],
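Review bot: The new specifier `'requests >= 2.20.0'` in install_requires silently drops the `<2.15` ceiling the old `'requests<2.15,>=2.4'` carried, and neither the hunk nor the commit message says why that ceiling existed or that the code was exercised against 2.20+; if it guarded a known incompatibility, either keep a ceiling (e.g. `'requests >= 2.20.0, < 3'`) or add a one-line comment above the entry recording that the old bound was obsolete. Raising the floor to 2.20.0 is the right fix for CVE-2018-18074 as far as the cited advisory text goes, but it only takes effect on fresh installs: an already-deployed environment keeps its vulnerable Requests until someone runs `pip install -U`, so a changelog note telling users to upgrade is worth adding. The same dropped-ceiling observation applies to the requirements.txt hunk. The enclosing `args = dict(` literal starts and ends outside this hunk.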