Package: python3-requests
Version: 2.0.0-1
Tags: security

If site A redirects to site B, and the user had a password for site A in their ~/.netrc, then requests would send authorization information both to site A and to site B.

I've attached a netrc file and a pair of test scripts that should help reproducing the bug.

--
Jakub Wilk
#!/usr/bin/python3

import http.server
import io

class RequestHandler(http.server.BaseHTTPRequestHandler):

    def do_GET(self):
        if self.path.startswith('/redirect/'):
            self.send_response(303)
            self.send_header('Location', self.path[10:])
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            s = 'host: {}\n'.format(self.headers.get('Host'))
            self.wfile.write(s.encode())
            s = 'auth: {}\n'.format(self.headers.get('Authorization'))
            self.wfile.write(s.encode())

if __name__ == '__main__':
    http.server.test(RequestHandler)

# vim:ts=4 sw=4 et

#!/usr/bin/python3

import requests

response = requests.get("http://localhost:8000/redirect/http://127.0.0.42:8000/")
print(response.text)

machine localhost
login eggs password ham
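The behaviour a client should have instead, as an added stand-alone model (not part of the report or of requests): credentials that netrc supplied for the original host are dropped when a redirect changes the host, and only looked up again for the new host. The in-memory NETRC table and the redirect table are constructed stand-ins for the attached netrc file and the two test servers.

```python
#!/usr/bin/python3
# Added example, not part of the original report: a stand-alone model of
# how a client should treat netrc credentials across a redirect.  Only the
# standard library is used, so the two servers are replaced by a
# constructed table of redirects (URL -> Location).
from base64 import b64encode
from urllib.parse import urlsplit

# Constructed stand-in for ~/.netrc, with the same entry as the attached file.
NETRC = {"localhost": ("eggs", "ham")}


def netrc_auth(url, netrc):
    """Authorization value netrc provides for url's host, or None."""
    entry = netrc.get(urlsplit(url).hostname)
    if entry is None:
        return None
    login, password = entry
    return "Basic " + b64encode(f"{login}:{password}".encode()).decode()


def redirect_headers(original_url, headers, location, netrc):
    """Headers for the request that follows a redirect to `location`.
    Credentials chosen for the original host are dropped when the host
    changes and looked up afresh for the new host, so site A's password
    never reaches site B."""
    new_headers = dict(headers)
    if urlsplit(original_url).hostname != urlsplit(location).hostname:
        new_headers.pop("Authorization", None)
        fresh = netrc_auth(location, netrc)
        if fresh is not None:
            new_headers["Authorization"] = fresh
    return new_headers


def fetch(url, netrc, redirects, max_hops=5):
    """Follow redirects from the constructed table; return (final_url,
    headers that would be sent to the final server)."""
    headers = {}
    auth = netrc_auth(url, netrc)
    if auth is not None:
        headers["Authorization"] = auth
    for _ in range(max_hops):
        location = redirects.get(url)
        if location is None:
            return url, headers
        headers = redirect_headers(url, headers, location, netrc)
        url = location
    raise RuntimeError("too many redirects")
```

With the report's redirect (localhost to 127.0.0.42) `fetch` returns no Authorization header for the second server, while a redirect that stays on localhost keeps it.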