[issue33661] urllib may leak sensitive HTTP headers to a third-party web site
Katsuhiko YOSHIDA
report at bugs.python.org
Sat Dec 22 21:03:57 EST 2018
Katsuhiko YOSHIDA <claddvd at gmail.com> added the comment:
Hi,
I agree with this suggestion.
First, section 6.4. "Redirection 3xx" of RFC 7231 doesn't explicitly explain whether to send all headers (including Authorization).
I have confirmed that some third-party-library, tool, Programing Language and web browser did NOT forward the Authorization header at redirect.
- urllib3 (after 1.23, PR: https://github.com/urllib3/urllib3/pull/1346)
- curl (after 7.58.0, ref: https://curl.haxx.se/docs/CVE-2018-1000007.html)
- net/http package of Golang (ref: https://github.com/golang/go/blob/release-branch.go1.11/src/net/http/client.go#L41-L46)
- Safari Version 12.0.2 (13606.3.4.1.4)
- Google Chrome Version 71.0.3578.98 (Official Build) (64-bit)
In other words, these are being on the safe side.
Actually, HTTPBasicAuthHandler of urllib2 doesn't forward the Authorization header at redirect. If this suggestion is rejected, I think that it should be changed.
----------
keywords: +patch
nosy: +kyoshidajp
pull_requests: +10522
stage: -> patch review
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33661>
_______________________________________
More information about the Python-bugs-list
mailing list