From 90da7b0eeef49a141ea91360dd919c3739e96445 Mon Sep 17 00:00:00 2001
From: Illia Volochii
Date: Wed, 3 Jun 2026 15:55:18 +0200
Subject: [PATCH] CVE-2026-44431

* Remove sensitive headers in proxy pools too
* Add a changelog entry
* Check retries history in tests

Co-authored-by: Copilot
---------
Co-authored-by: Copilot
---
 changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst | 3 +++
 src/urllib3/connectionpool.py | 12 ++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst

diff --git a/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
new file mode 100644
index 0000000..bac765e
--- /dev/null
+++ b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
@@ -0,0 +1,3 @@
+Fixed HTTP pools created using ``ProxyManager.connection_from_url`` to strip
+sensitive headers specified in ``Retry.remove_headers_on_redirect`` when
+redirecting to a different host.
diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
index 8f9ebb5..923a5d9 100644
--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
@@ -807,6 +807,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
 body = None
 headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ # Strip headers marked as unsafe to forward to the redirected location.
+ # Check remove_headers_on_redirect to avoid a potential network call within
+ # self.is_same_host() which may use socket.gethostbyname() in the future.
+ if retries.remove_headers_on_redirect and not self.is_same_host(
+ redirect_location
+ ):
+ new_headers = headers.copy() # type: ignore[union-attr]
+ for header in headers:
+ if header.lower() in retries.remove_headers_on_redirect:
+ new_headers.pop(header, None)
+ headers = new_headers
+
 try:
 retries = retries.increment(method, url, response=response, _pool=self)
 except MaxRetryError:
-- 
2.54.0
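Review bot: The cross-host test on the new `if` is `self.is_same_host(redirect_location)`, which compares the redirect target with the pool's own scheme/host/port, while the changelog says the pools this fixes are the ones `ProxyManager.connection_from_url` hands out; if those pools are keyed to the proxy endpoint rather than the origin server, every absolute-URL redirect, including one that stays on the original request's origin, counts as "different host" and loses the `remove_headers_on_redirect` headers. That fails closed (credentials are dropped rather than leaked), so it is acceptable as a security fix, but it silently breaks same-origin redirect flows that carried `Authorization` through a proxy; deriving the comparison from the origin of `url` (the request being redirected, e.g. via `parse_url(url)` with the same port normalization `is_same_host` applies) instead of the pool would keep the semantics the PoolManager path gives. Either way the intent deserves a line such as `# NOTE: in proxy pools self.host is the proxy, so any absolute redirect is treated as cross-host` so the next reader does not "fix" it into a leak. The membership test `header.lower() in retries.remove_headers_on_redirect` presumes that set was lower-cased when the `Retry` was built; if `Retry.__init__` does not enforce that invariant, lower-case the set here too. The enclosing `urlopen` starts and ends outside the hunk.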