| From 7a334cc96ee16186e26943d7777bfbefddecaf08 Mon Sep 17 00:00:00 2001 |
| From: Nate Prewitt <nate.prewitt@gmail.com> |
| Date: Mon, 22 May 2023 08:08:57 -0700 |
| Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q |
| |
| --- |
| requests/sessions.py | 4 +++- |
| tests/test_requests.py | 20 ++++++++++++++++++++ |
| 2 files changed, 23 insertions(+), 1 deletion(-) |
| |
| diff --git a/requests/sessions.py b/requests/sessions.py |
| index e8e2d609a78d..6e73925ae937 100644 |
| --- a/requests/sessions.py |
| +++ b/requests/sessions.py |
| @@ -306,7 +306,9 @@ class SessionRedirectMixin(object): |
| except KeyError: |
| username, password = None, None |
| |
| - if username and password: |
| + # urllib3 handles proxy authorization for us in the standard adapter. |
| + # Avoid appending this to TLS tunneled requests where it may be leaked. |
| + if not scheme.startswith('https') and username and password: |
| headers['Proxy-Authorization'] = _basic_auth_str(username, password) |
| |
| return new_proxies |
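Review bot: The new guard depends on `scheme` being the scheme of the request URL, not of the proxy URL; that name is bound earlier in rebuild_proxies, outside this hunk, so it is worth confirming it is not rebound to the proxy's scheme before this point, otherwise an https request routed through an http:// proxy would still get the header. The guard also only prevents adding the header; a `Proxy-Authorization` already present in `headers` (for example carried over from an earlier http hop on a redirect) is untouched here, so presumably the function strips any prior value before this block — if it does not, that case still leaks. The comment could state the mechanism more concretely, e.g. `# For https URLs the proxy only sees the CONNECT; urllib3 authenticates the tunnel itself, so a Proxy-Authorization set here would travel inside the tunnel to the origin server.` The enclosing rebuild_proxies starts outside the hunk.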
| diff --git a/tests/test_requests.py b/tests/test_requests.py |
| index e730f7648b4d..66ee3f5fdd41 100644 |
| --- a/tests/test_requests.py |
| +++ b/tests/test_requests.py |
| @@ -551,6 +551,26 @@ class TestRequests: |
| with pytest.raises(InvalidProxyURL): |
| requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'}) |
| |
| + |
| + @pytest.mark.parametrize( |
| + "url,has_proxy_auth", |
| + ( |
| + ('http://example.com', True), |
| + ('https://example.com', False), |
| + ), |
| + ) |
| + def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): |
| + session = requests.Session() |
| + proxies = { |
| + 'http': 'http://test:pass@localhost:8080', |
| + 'https': 'http://test:pass@localhost:8090', |
| + } |
| + req = requests.Request('GET', url) |
| + prep = req.prepare() |
| + session.rebuild_proxies(prep, proxies) |
| + |
| + assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth |
| + |
| def test_basicauth_with_netrc(self, httpbin): |
| auth = ('user', 'pass') |
| wrong_auth = ('wronguser', 'wrongpass') |
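Review bot: The new test only exercises a freshly prepared request, whose `prep.headers` has no `Proxy-Authorization` before `rebuild_proxies` runs, so it cannot detect a stale header carried over from a previous hop, which is presumably the redirect scenario this change targets. A second parametrized case that sets `prep.headers['Proxy-Authorization'] = 'stale'` before the call and asserts it is absent for the https URL would cover that path. For the http case, asserting the value, `assert prep.headers['Proxy-Authorization'] == _basic_auth_str('test', 'pass')`, would pin the credential encoding rather than just presence. test_basicauth_with_netrc continues outside the hunk.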
| -- |
| 2.44.0.769.g3c40516874-goog |
| |