Requests

------------------

This is the first release that follows our new release process. For
more, see [our
documentation](https://requests.readthedocs.io/en/latest/community/release-process/).

**Bugfixes**

- Updated urllib3 to 1.10.4, resolving several bugs involving chunked
transfer encoding and response framing.

------------------

**Bugfixes**

- Fix regression where compressed data that was sent as chunked data
was not properly decompressed. (\2561)

------------------

**Bugfixes**

- Remove VendorAlias import machinery introduced in v2.5.2.
- Simplify the PreparedRequest.prepare API: We no longer require the
user to pass an empty list to the hooks keyword argument. (c.f.
\2552)
- Resolve redirects now receives and forwards all of the original
arguments to the adapter. (\2503)
- Handle UnicodeDecodeErrors when trying to deal with a unicode URL
that cannot be encoded in ASCII. (\2540)
- Populate the parsed path of the URI field when performing Digest
Authentication. (\2426)
- Copy a PreparedRequest's CookieJar more reliably when it is not an
instance of RequestsCookieJar. (\2527)

------------------

**Bugfixes**

- CVE-2015-2296: Fix handling of cookies on redirect. Previously a
cookie without a host value set would use the hostname for the
redirected URL exposing requests users to session fixation attacks
and potentially cookie stealing. This was disclosed privately by
Matthew Daley of [BugFuzz](https://bugfuzz.com). This affects all
versions of requests from v2.1.0 to v2.5.3 (inclusive on both ends).
- Fix error when requests is an `install_requires` dependency and
`python setup.py test` is run. (\2462)
- Fix error when urllib3 is unbundled and requests continues to use
the vendored import location.
- Include fixes to `urllib3`'s header handling.
- Requests' handling of unvendored dependencies is now more
restrictive.

**Features and Improvements**

- Support bytearrays when passed as parameters in the `files`
argument. (\2468)
- Avoid data duplication when creating a request with `str`, `bytes`,
or `bytearray` input to the `files` argument.

------------------

**Bugfixes**

- Revert changes to our vendored certificate bundle. For more context
see (\2455, \2456, and <https://bugs.python.org/issue23476>)

------------------

**Features and Improvements**

- Add sha256 fingerprint support.
([shazow/urllib3\540](https://github.com/shazow/urllib3/pull/540))
- Improve the performance of headers.
([shazow/urllib3\544](https://github.com/shazow/urllib3/pull/544))

**Bugfixes**

- Copy pip's import machinery. When downstream redistributors remove
requests.packages.urllib3 the import machinery will continue to let
those same symbols work. Example usage in requests' documentation
and 3rd-party libraries relying on the vendored copies of urllib3
will work without having to fallback to the system urllib3.
- Attempt to quote parts of the URL on redirect if unquoting and then
quoting fails. (\2356)
- Fix filename type check for multipart form-data uploads. (\2411)
- Properly handle the case where a server issuing digest
authentication challenges provides both auth and auth-int
qop-values. (\2408)
- Fix a socket leak.
([shazow/urllib3\549](https://github.com/shazow/urllib3/pull/549))
- Fix multiple `Set-Cookie` headers properly.
([shazow/urllib3\534](https://github.com/shazow/urllib3/pull/534))
- Disable the built-in hostname verification.
([shazow/urllib3\526](https://github.com/shazow/urllib3/pull/526))
- Fix the behaviour of decoding an exhausted stream.
([shazow/urllib3\535](https://github.com/shazow/urllib3/pull/535))

**Security**

- Pulled in an updated `cacert.pem`.
- Drop RC4 from the default cipher list.
([shazow/urllib3\551](https://github.com/shazow/urllib3/pull/551))