
Commit 40b6d16

authored
Merge pull request from GHSA-34jh-p97f-mpxf
* [1.26] Strip Proxy-Authorization header on redirects * Set release date
1 parent 29cfd02 commit 40b6d16


5 files changed

+41
-6
lines changed


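--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changes
 =======
 
+1.26.19 (2024-06-17)
+==================
+
+- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
+
 1.26.18 (2023-10-17)
 --------------------
 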
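--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
 RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
 #: Default headers to be used for ``remove_headers_on_redirect``
-DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+["Cookie", "Authorization", "Proxy-Authorization"]
+)
 
 #: Maximum backoff time.
 DEFAULT_BACKOFF_MAX = 120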
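Review bot: The `#:` comment above `DEFAULT_REMOVE_HEADERS_ON_REDIRECT` still only names the setting it feeds, so nothing in the source says why these three headers and not others are stripped; extend it with a second line, `#: Each one carries a credential (cookie, origin or proxy authentication) that must not reach a different host when a redirect is followed.` The lowercase set asserted in test/test_retry.py suggests the names are normalised case-insensitively in the constructor, which is outside this hunk, so a remark about matching should be confirmed against that code before it is added. Callers who pass an explicit copy of the old two-element default through `remove_headers_on_redirect` do not pick up this change automatically, which is the exposure GHSA-34jh-p97f-mpxf describes; that caveat belongs in the constructor's parameter documentation rather than only in the changelog.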

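--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -293,7 +293,11 @@ def test_retry_method_not_in_whitelist(self):
 def test_retry_default_remove_headers_on_redirect(self):
 retry = Retry()
 
-assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+assert retry.remove_headers_on_redirect == {
+"authorization",
+"proxy-authorization",
+"cookie",
+}
 
 def test_retry_set_remove_headers_on_redirect(self):
 retry = Retry(remove_headers_on_redirect=["X-API-Secret"])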

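--- a/test/test_retry_deprecated.py
+++ b/test/test_retry_deprecated.py
@@ -295,7 +295,11 @@ def test_retry_method_not_in_whitelist(self):
 def test_retry_default_remove_headers_on_redirect(self):
 retry = Retry()
 
-assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+assert retry.remove_headers_on_redirect == {
+"authorization",
+"proxy-authorization",
+"cookie",
+}
 
 def test_retry_set_remove_headers_on_redirect(self):
 retry = Retry(remove_headers_on_redirect=["X-API-Secret"])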

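--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
@@ -142,21 +142,30 @@ def test_redirect_cross_host_remove_headers(self):
 "GET",
 "%s/redirect" % self.base_url,
 fields={"target": "%s/headers" % self.base_url_alt},
-headers={"Authorization": "foo", "Cookie": "foo=bar"},
+headers={
+"Authorization": "foo",
+"Proxy-Authorization": "bar",
+"Cookie": "foo=bar",
+},
 )
 
 assert r.status == 200
 
 data = json.loads(r.data.decode("utf-8"))
 
 assert "Authorization" not in data
+assert "Proxy-Authorization" not in data
 assert "Cookie" not in data
 
 r = http.request(
 "GET",
 "%s/redirect" % self.base_url,
 fields={"target": "%s/headers" % self.base_url_alt},
-headers={"authorization": "foo", "cookie": "foo=bar"},
+headers={
+"authorization": "foo",
+"proxy-authorization": "baz",
+"cookie": "foo=bar",
+},
 )
 
 assert r.status == 200
@@ -165,6 +174,8 @@ def test_redirect_cross_host_remove_headers(self):
 
 assert "authorization" not in data
 assert "Authorization" not in data
+assert "proxy-authorization" not in data
+assert "Proxy-Authorization" not in data
 assert "cookie" not in data
 assert "Cookie" not in data
 
@@ -174,7 +185,11 @@ def test_redirect_cross_host_no_remove_headers(self):
 "GET",
 "%s/redirect" % self.base_url,
 fields={"target": "%s/headers" % self.base_url_alt},
-headers={"Authorization": "foo", "Cookie": "foo=bar"},
+headers={
+"Authorization": "foo",
+"Proxy-Authorization": "bar",
+"Cookie": "foo=bar",
+},
 retries=Retry(remove_headers_on_redirect=[]),
 )
 
@@ -183,6 +198,7 @@ def test_redirect_cross_host_no_remove_headers(self):
 data = json.loads(r.data.decode("utf-8"))
 
 assert data["Authorization"] == "foo"
+assert data["Proxy-Authorization"] == "bar"
 assert data["Cookie"] == "foo=bar"
 
 def test_redirect_cross_host_set_removed_headers(self):
@@ -194,6 +210,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 headers={
 "X-API-Secret": "foo",
 "Authorization": "bar",
+"Proxy-Authorization": "baz",
 "Cookie": "foo=bar",
 },
 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
@@ -205,6 +222,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 
 assert "X-API-Secret" not in data
 assert data["Authorization"] == "bar"
+assert data["Proxy-Authorization"] == "baz"
 assert data["Cookie"] == "foo=bar"
 
 r = http.request(
@@ -213,6 +231,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 fields={"target": "%s/headers" % self.base_url_alt},
 headers={
 "x-api-secret": "foo",
+"proxy-authorization": "baz",
 "authorization": "bar",
 "cookie": "foo=bar",
 },
@@ -226,6 +245,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 assert "x-api-secret" not in data
 assert "X-API-Secret" not in data
 assert data["Authorization"] == "bar"
+assert data["Proxy-Authorization"] == "baz"
 assert data["Cookie"] == "foo=bar"
 
 def test_redirect_without_preload_releases_connection(self):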
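Review bot: Every redirect exercised in the first hunk targets `self.base_url_alt`, so the new `assert "Proxy-Authorization" not in data` checks only cross-host stripping; nothing here shows that a redirect staying on the same host still carries the header, which is the behaviour the changelog entry ("when redirecting to a different host") promises. If the file does not already hold a same-host variant, add one that points `fields={"target": ...}` at `self.base_url` and asserts `data["Proxy-Authorization"] == "bar"`, so a future change to the host comparison cannot silently widen the stripping. The enclosing `test_redirect_cross_host_remove_headers` begins before the first hunk, so the request's first argument and the `http` fixture are not visible here.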
