| From cd0128c0becd8729d0f8733bf42fbd333d51f833 Mon Sep 17 00:00:00 2001 |
| From: Nate Prewitt <nate.prewitt@gmail.com> |
| Date: Mon, 5 Jun 2023 09:31:36 +0000 |
| Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q |
| |
| CVE: CVE-2023-32681 |
| |
| Upstream-Status: Backport [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5] |
| |
| Signed-off-by: Narpat Mali <narpat.mali@windriver.com> |
| --- |
| requests/sessions.py | 4 +++- |
| tests/test_requests.py | 20 ++++++++++++++++++++ |
| 2 files changed, 23 insertions(+), 1 deletion(-) |
| |
| diff --git a/requests/sessions.py b/requests/sessions.py |
| index 3f59cab..648cffa 100644 |
| --- a/requests/sessions.py |
| +++ b/requests/sessions.py |
| @@ -293,7 +293,9 @@ class SessionRedirectMixin(object): |
| except KeyError: |
| username, password = None, None |
| |
| - if username and password: |
| + # urllib3 handles proxy authorization for us in the standard adapter. |
| + # Avoid appending this to TLS tunneled requests where it may be leaked. |
| + if not scheme.startswith('https') and username and password: |
| headers['Proxy-Authorization'] = _basic_auth_str(username, password) |
| |
| return new_proxies |
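Review bot: The added guard on L27 depends on `scheme`, which is bound in the part of `rebuild_proxies` that lies outside this hunk (the function starts before L20), so a reader of the diff cannot see that it is the normalized scheme of the prepared request URL rather than the proxy URL; the new comment should say so, and why the https branch is skipped. I would replace the two comment lines with `# 'scheme' is the scheme of the request URL, not of the proxy. For https the` / `# proxy credentials belong on the CONNECT request, which urllib3 sends itself;` / `# putting them on this request would carry them through the TLS tunnel to the origin.` The `startswith('https')` test only works if `scheme` is already lowercased — presumably it comes from urlparse, which lowercases, but that line is not in the hunk, so it is worth confirming. Note also that the credentials are still left in `new_proxies` (L30), which is what lets the adapter authenticate the tunnel; that invariant is what the comment should protect.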
| diff --git a/tests/test_requests.py b/tests/test_requests.py |
| index 29b3aca..6a37777 100644 |
| --- a/tests/test_requests.py |
| +++ b/tests/test_requests.py |
| @@ -601,6 +601,26 @@ class TestRequests: |
| |
| assert sent_headers.get("Proxy-Authorization") == proxy_auth_value |
| |
| + |
| + @pytest.mark.parametrize( |
| + "url,has_proxy_auth", |
| + ( |
| + ('http://example.com', True), |
| + ('https://example.com', False), |
| + ), |
| + ) |
| + def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): |
| + session = requests.Session() |
| + proxies = { |
| + 'http': 'http://test:pass@localhost:8080', |
| + 'https': 'http://test:pass@localhost:8090', |
| + } |
| + req = requests.Request('GET', url) |
| + prep = req.prepare() |
| + session.rebuild_proxies(prep, proxies) |
| + |
| + assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth |
| + |
| def test_basicauth_with_netrc(self, httpbin): |
| auth = ('user', 'pass') |
| wrong_auth = ('wronguser', 'wrongpass') |
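Review bot: The new test on L55 discards the return value of `rebuild_proxies`, so it checks that the header is withheld for https but not that the proxy credentials are still available for the tunnel, which is the other half of the fix; a later change that dropped credentials from the proxy map entirely would still pass this test. I would change L55 to `new_proxies = session.rebuild_proxies(prep, proxies)` and add `assert new_proxies['https'] == proxies['https']` next to the existing assertion, on the assumption (the function body is outside the hunk) that explicit proxies are only supplemented, not replaced, from the environment. As a point of style, the session on L48 is never closed; `with requests.Session() as session:` would match the context-manager form the library offers. The enclosing `TestRequests` class continues outside the hunk.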
| -- |
| 2.40.0 |