From 5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc Mon Sep 17 00:00:00 2001
From: illia-v
Subject: [PATCH] CVE-2026-44431: Remove sensitive headers in proxy pools too

Sensitive headers (Authorization, Cookie, Proxy-Authorization) were already stripped when PoolManager handled cross-host redirects, but not when a pool obtained via ProxyManager.connection_from_url() handled redirects directly through connectionpool.urlopen(). This adds the same header-stripping logic to connectionpool.py.

Upstream fix: https://github.com/urllib3/urllib3/commit/5ec0de49
---
 src/urllib3/connectionpool.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
index 5f66cd25..2b3a7f1c 100644
--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
@@ -690,6 +690,17 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
                 body = None
                 headers = HTTPHeaderDict(headers)._prepare_for_method_change()
 
+            # Strip headers marked as unsafe to forward to the redirected location.
+            # Check remove_headers_on_redirect to avoid a potential network call within
+            # self.is_same_host() which may use socket.gethostbyname() in the future.
+            if (retries.remove_headers_on_redirect
+                and not self.is_same_host(redirect_location)):
+                if not isinstance(headers, HTTPHeaderDict):
+                    headers = HTTPHeaderDict(headers or {})
+                for header in list(six.iterkeys(headers)):
+                    if header.lower() in retries.remove_headers_on_redirect:
+                        headers.pop(header, None)
+
             try:
                 retries = retries.increment(method, url, response=response, _pool=self)
             except MaxRetryError:
-- 
2.52.0
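Review bot: The in-place `headers.pop(header, None)` mutates the caller's object whenever `headers` is already an HTTPHeaderDict, because the new `isinstance` guard only copies plain mappings; on a cross-host redirect that strips Authorization/Cookie from a header object the caller (or, if urlopen fell back to the pool's own default headers outside this hunk, the pool itself) reuses for later same-host requests. The 303 branch just above avoids this by building a fresh HTTPHeaderDict, so the non-303 path should as well — replace the two-line guard with an unconditional copy, `headers = HTTPHeaderDict(headers or {})`, since the HTTPHeaderDict constructor copies an existing HTTPHeaderDict as well as a plain mapping. Separately, for a pool that ProxyManager created for a plain-HTTP origin the pool's host may be the proxy rather than the origin, in which case `self.is_same_host(redirect_location)` compares the redirect target against the proxy and strips on every absolute redirect; that is the fail-safe direction, but it deserves a comment and a test so the behaviour is intentional rather than incidental. The enclosing urlopen() starts and ends outside the hunk.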