| Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From fb0d391138df48e93c44a2087ea796cca5e229c0 Mon Sep 17 00:00:00 2001 |
| 2 | From: Bruce Merry <bmerry@ska.ac.za> |
| 3 | Date: Thu, 28 Jun 2018 16:38:42 +0200 |
| 4 | Subject: [PATCH 1/2] Strip Authorization header whenever root URL changes |
| 5 | |
| 6 | Previously the header was stripped only if the hostname changed, but in |
| 7 | an https -> http redirect that can leak the credentials on the wire |
| 8 | (#4716). Based on with RFC 7235 section 2.2, the header is now stripped |
| 9 | if the "canonical root URL" (scheme+authority) has changed, by checking |
| 10 | scheme, hostname and port. |
| 11 | |
| 12 | Upstream-Status: Backport |
| 13 | |
| 14 | Fix CVE-2018-18074 |
| 15 | |
| 16 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
| 17 | --- |
| 18 | requests/sessions.py | 4 +++- |
| 19 | tests/test_requests.py | 12 +++++++++++- |
| 20 | 2 files changed, 14 insertions(+), 2 deletions(-) |
| 21 | |
| 22 | diff --git a/requests/sessions.py b/requests/sessions.py |
| 23 | index ba13526..2969d83 100644 |
| 24 | --- a/requests/sessions.py |
| 25 | +++ b/requests/sessions.py |
| 26 | @@ -242,7 +242,9 @@ class SessionRedirectMixin(object): |
| 27 | original_parsed = urlparse(response.request.url) |
| 28 | redirect_parsed = urlparse(url) |
| 29 | |
| 30 | - if (original_parsed.hostname != redirect_parsed.hostname): |
| 31 | + if (original_parsed.hostname != redirect_parsed.hostname |
| 32 | + or original_parsed.port != redirect_parsed.port |
| 33 | + or original_parsed.scheme != redirect_parsed.scheme): |
| 34 | del headers['Authorization'] |
| 35 | |
| 36 | # .netrc might have more auth for us on our new host. |
| 37 | diff --git a/tests/test_requests.py b/tests/test_requests.py |
| 38 | index fcddb1d..e0e801a 100644 |
| 39 | --- a/tests/test_requests.py |
| 40 | +++ b/tests/test_requests.py |
| 41 | @@ -1575,7 +1575,17 @@ class TestRequests: |
| 42 | auth=('user', 'pass'), |
| 43 | ) |
| 44 | assert r.history[0].request.headers['Authorization'] |
| 45 | - assert not r.request.headers.get('Authorization', '') |
| 46 | + assert 'Authorization' not in r.request.headers |
| 47 | + |
| 48 | + def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle): |
| 49 | + r = requests.get( |
| 50 | + httpbin_secure('redirect-to'), |
| 51 | + params={'url': httpbin('get')}, |
| 52 | + auth=('user', 'pass'), |
| 53 | + verify=httpbin_ca_bundle |
| 54 | + ) |
| 55 | + assert r.history[0].request.headers['Authorization'] |
| 56 | + assert 'Authorization' not in r.request.headers |
| 57 | |
| 58 | def test_auth_is_retained_for_redirect_on_host(self, httpbin): |
| 59 | r = requests.get(httpbin('redirect/1'), auth=('user', 'pass')) |
| 60 | -- |
| 61 | 2.7.4 |
| 62 | |