From cd0128c0becd8729d0f8733bf42fbd333d51f833 Mon Sep 17 00:00:00 2001
From: Nate Prewitt
Date: Mon, 5 Jun 2023 09:31:36 +0000
Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q

CVE: CVE-2023-32681
Upstream-Status: Backport [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5]
Signed-off-by: Narpat Mali
---
 requests/sessions.py   |  4 +++-
 tests/test_requests.py | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/requests/sessions.py b/requests/sessions.py
index 3f59cab..648cffa 100644
--- a/requests/sessions.py
+++ b/requests/sessions.py
@@ -293,7 +293,9 @@ class SessionRedirectMixin(object):
         except KeyError:
             username, password = None, None
 
-        if username and password:
+        # urllib3 handles proxy authorization for us in the standard adapter.
+        # Avoid appending this to TLS tunneled requests where it may be leaked.
+        if not scheme.startswith('https') and username and password:
             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
 
         return new_proxies
diff --git a/tests/test_requests.py b/tests/test_requests.py
index 29b3aca..6a37777 100644
--- a/tests/test_requests.py
+++ b/tests/test_requests.py
@@ -601,6 +601,26 @@ class TestRequests:
 
         assert sent_headers.get("Proxy-Authorization") == proxy_auth_value
 
+
+    @pytest.mark.parametrize(
+        "url,has_proxy_auth",
+        (
+            ('http://example.com', True),
+            ('https://example.com', False),
+        ),
+    )
+    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
+        session = requests.Session()
+        proxies = {
+            'http': 'http://test:pass@localhost:8080',
+            'https': 'http://test:pass@localhost:8090',
+        }
+        req = requests.Request('GET', url)
+        prep = req.prepare()
+        session.rebuild_proxies(prep, proxies)
+
+        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
+
     def test_basicauth_with_netrc(self, httpbin):
         auth = ('user', 'pass')
         wrong_auth = ('wronguser', 'wrongpass')
-- 
2.40.0
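Review bot: The new guard `if not scheme.startswith('https') and username and password:` depends on `scheme`, which is bound earlier in rebuild_proxies outside this hunk (presumably the parsed scheme of the request URL, not of the proxy URL), and the two-line comment does not say why dropping the header for https is not a functional regression, so a reader may be tempted to "restore" it. I would extend the comment to something like `# For https targets the proxy credentials are sent to the proxy by the adapter (HTTPAdapter.proxy_headers) on the CONNECT request; a Proxy-Authorization header left on the request itself would travel inside the TLS tunnel to the origin server, which is the leak fixed here (CVE-2023-32681).` As a point of style, the condition is a prefix test on the scheme; if only the exact `https` scheme is meant, `scheme != 'https'` states that more directly, but that is a wording choice rather than a defect.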
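Review bot: The final assertion `assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth` only checks presence, so the http case would still pass if the header carried something other than the proxy credentials from the fixture, and the https case cannot distinguish "never added" from "added and later removed" (rebuild_proxies appears to clear any existing Proxy-Authorization before this code runs, but that is outside the hunk). Pinning the value makes the regression test tighter: `expected = 'Basic dGVzdDpwYXNz' if has_proxy_auth else None` followed by `assert prep.headers.get('Proxy-Authorization') == expected`, where the literal is the base64 of the fixture's `test:pass`. The enclosing class TestRequests starts outside the hunk; the new method itself is complete within it.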