From 5fe72b64a10e9cb5c5e2b9de46401b6c7bb226e9 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Thu, 12 Oct 2023 14:27:36 +0200 Subject: [PATCH] CVE-2023-43804 --- src/urllib3/util/retry.py | 2 +- test/test_retry.py | 2 +- test/test_retry_deprecated.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py index 180e82b..63c02ee 100644 --- a/src/urllib3/util/retry.py +++ b/src/urllib3/util/retry.py @@ -217,7 +217,7 @@ class Retry(object): RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) #: Default headers to be used for ``remove_headers_on_redirect`` - DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) + DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) #: Maximum backoff time. BACKOFF_MAX = 120 diff --git a/test/test_retry.py b/test/test_retry.py index 3e71efe..e9270bb 100644 --- a/test/test_retry.py +++ b/test/test_retry.py @@ -293,7 +293,7 @@ class TestRetry(object): def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ["authorization"] + assert retry.remove_headers_on_redirect == {"authorization", "cookie"} def test_retry_set_remove_headers_on_redirect(self): retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py index eafecc4..d18f94c 100644 --- a/test/test_retry_deprecated.py +++ b/test/test_retry_deprecated.py @@ -295,7 +295,7 @@ class TestRetry(object): def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ["authorization"] + assert retry.remove_headers_on_redirect == {"authorization", "cookie"} def test_retry_set_remove_headers_on_redirect(self): retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) -- 2.41.0