Skip to content

bpo-33661: Clear Authorization header when redirect to cross-site #11292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

bpo-33661: Clear Authorization header when redirect to cross-site #11292

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a4875a2
bpo-33661: Clear Authorization header when redirect to cross-site
kyoshidajp Dec 22, 2018
9068ef0
bpo-33661: Clear Cookie header when redirect to cross-site
kyoshidajp Dec 29, 2018
93ca55e
Merge branch 'main' into bpo-33661
kyoshidajp Jun 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions Lib/test/test_urllib2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1326,6 +1326,36 @@ def request(conn, method, url, *pos, **kw):
fp = urllib.request.urlopen("http://python.org/path")
self.assertEqual(fp.geturl(), "http://python.org/path?query")

def test_redirect_to_cross_domain_with_sensitive_header(self):
from_url = "http://example.com/index.html"
to_url = "http://cracker.com/index.html"
h = urllib.request.HTTPRedirectHandler()
o = h.parent = MockOpener()
req = Request(from_url)
req.add_header("Authorization", "Basic foo")
req.add_header("Cookie", "bar")
req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
h.http_error_302(req, MockFile(), 302, "",
MockHeaders({"location": to_url}))

self.assertNotIn("Authorization", o.req.headers)
self.assertNotIn("Cookie", o.req.headers)

def test_redirect_to_same_domain_with_sensitive_header(self):
from_url = "http://example.com/index.html"
to_url = "http://example.com/index.html"
h = urllib.request.HTTPRedirectHandler()
o = h.parent = MockOpener()
req = Request(from_url)
req.add_header("Authorization", "Basic foo")
req.add_header("Cookie", "bar")
req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
h.http_error_302(req, MockFile(), 302, "",
MockHeaders({"location": to_url}))

self.assertIn("Authorization", o.req.headers)
self.assertIn("Cookie", o.req.headers)

def test_redirect_encoding(self):
# Some characters in the redirect target may need special handling,
# but most ASCII characters should be treated as already encoded
Expand Down
9 changes: 8 additions & 1 deletion Lib/urllib/request.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -678,11 +678,18 @@ def redirect_request(self, req, fp, code, msg, headers, newurl):
CONTENT_HEADERS = ("content-length", "content-type")
newheaders = {k: v for k, v in req.headers.items()
if k.lower() not in CONTENT_HEADERS}
return Request(newurl,
newrequest = Request(newurl,
headers=newheaders,
origin_req_host=req.origin_req_host,
unverifiable=True)

SENSITIVE_HEADERS = ("authorization", "cookie")
if newrequest.host != req.host:
newrequest.headers = {k: v for k, v in newrequest.headers.items()
if k.lower() not in SENSITIVE_HEADERS}

return newrequest

# Implementation note: To avoid the server sending us into an
# infinite loop, the request object needs to track what URLs we
# have already seen. Do this by adding a handler-specific
Expand Down