[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2019-08-13 Thread Ashwin Ramaswami
Ashwin Ramaswami added the comment: Martin, are you okay with doing this? It seems like this issue has been the topic of a few CVEs (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074, https://curl.haxx.se/docs/CVE-2018-1

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-12-29 Thread Katsuhiko YOSHIDA
Katsuhiko YOSHIDA added the comment: According to RFC7235 (https://tools.ietf.org/html/rfc7235#section-4.1), the WWW-Authenticate header is sent from server to client, and it carries no credential data. Also, the Cookie2 header is already obsoleted by RFC6265 (https://tools.ietf.org/html/rfc6265). S

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-12-26 Thread Katsuhiko YOSHIDA
Katsuhiko YOSHIDA added the comment: Thanks. But I think “add_unredirected_header” is not enough. These sensitive headers should be removed only when automatically redirecting cross-site, for security, like urllib2's HTTPBasicAuthHandler does. In order to fulfill this requirement, I think th
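A redirect handler along the lines of the comment above, written here as an added example (it is not code from CPython or from the pull request): credential headers follow a redirect only while the origin stays the same. The header set, the origin comparison and the helper names are my assumptions.

```python
import urllib.request
from urllib.parse import urlsplit

# Credential-bearing request headers; this set is my assumption, not from the issue.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

def origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)

def headers_for_redirect(headers, old_url, new_url):
    """Headers allowed to follow a redirect from old_url to new_url.
    Credentials survive only for the same origin; a new host, a scheme
    change (https -> http) or a different port drops them."""
    if origin(old_url) == origin(new_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}

class CrossOriginCredentialStripper(urllib.request.HTTPRedirectHandler):
    """Redirect handler that lets credentials follow same-origin redirects only."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is None:
            return None
        # The stock handler copied req.headers onto new_req; remove what must not cross origins.
        kept = headers_for_redirect(new_req.headers, req.full_url, new_req.full_url)
        for name in list(new_req.headers):
            if name not in kept:
                new_req.remove_header(name)
        return new_req

def simulate_redirect(url, headers, newurl, code=302):
    """Run the handler on a constructed Request and return the surviving headers (no I/O)."""
    req = urllib.request.Request(url, headers=headers)
    new_req = CrossOriginCredentialStripper().redirect_request(req, None, code, "Found", {}, newurl)
    return dict(new_req.headers)

if __name__ == "__main__":
    # Constructed sample: the Basic credential must not reach cdn.example.net.
    opener = urllib.request.build_opener(CrossOriginCredentialStripper)  # use opener.open(url) for real requests
    creds = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "application/json"}
    print(simulate_redirect("https://api.example.com/v1", creds, "https://api.example.com/v2"))
    print(simulate_redirect("https://api.example.com/v1", creds, "https://cdn.example.net/file"))
```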

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-12-26 Thread Martin Panter
Martin Panter added the comment: Are you aware of the “add_unredirected_header” method? Maybe that is enough to avoid your problem. https://docs.python.org/dev/library/urllib.request.html#urllib.request.Request.add_unredirected_header -- nosy: +martin.panter title: urllib may leak sens

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-12-23 Thread Emmanuel Arias
Emmanuel Arias added the comment: Hi! As Katsuhiko YOSHIDA says (https://github.com/python/cpython/pull/11292#issuecomment-449667371), this should also filter other sensitive headers. I think that is reasonable if we think of a complete solution to this issue. Maybe this issue could be app

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-12-22 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- nosy: +xtreak

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-12-22 Thread Katsuhiko YOSHIDA
Katsuhiko YOSHIDA added the comment: Hi, I agree with this suggestion. First, section 6.4 "Redirection 3xx" of RFC 7231 doesn't explicitly explain whether to send all headers (including Authorization). I have confirmed that some third-party libraries, tools, programming languages and web brows

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-06-18 Thread Artem Smotrakov
Artem Smotrakov added the comment: If I am not missing something, section 6.4 of RFC 7231 doesn't explicitly discuss that all headers should be sent. I wish it did :) I think that an Authorization header for host A may make sense for host B if both A and B use the same database with user cre

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-06-01 Thread Ivan Pozdeev
Ivan Pozdeev added the comment: It's not about "convincing" me or anyone else. It's about showing how this will be a strict improvement. I showed that the HTTP RFC allows apps to rely on the fact that they are receiving all the headers. So filtering them arbitrarily violates the HTTP standa

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-06-01 Thread Jakub Wilk
Change by Jakub Wilk: -- nosy: +jwilk

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-05-27 Thread Artem Smotrakov
Artem Smotrakov added the comment: Hi Ivan, Yes, unfortunately specs don't say anything about this scenario.
> once you have given your credentials to a server, it is free to do whatever it wants with them.
I hope servers don't share this opinion :)
> So, your proposed filtering does not

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-05-27 Thread Ivan Pozdeev
Ivan Pozdeev added the comment: According to https://stackoverflow.com/questions/1969709/how-to-forward-headers-on-http-redirect , there's nothing in the specs that mentions (even the possibility of) any special request header processing. According to https://tools.ietf.org/html/rfc7231#secti

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-05-27 Thread Alex Gaynor
Change by Alex Gaynor: -- nosy: +orsenthil

[issue33661] urllib may leak sensitive HTTP headers to a third-party web site

2018-05-27 Thread Artem Smotrakov
New submission from Artem Smotrakov: After discussing it on secur...@python.org, it was decided to disclose it. Here is the original report: Hello Python Security Team, Looks like urllib may leak sensitive HTTP headers to third parties when handling redirects. Let's consider the followin