From 5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc Mon Sep 17 00:00:00 2001
From: illia-v <illia-v@users.noreply.github.com>
Subject: [PATCH] CVE-2026-44431: Remove sensitive headers in proxy pools too
Sensitive headers (Authorization, Cookie, Proxy-Authorization) were
already stripped when PoolManager handled cross-host redirects, but not
when a pool obtained via ProxyManager.connection_from_url() handled
redirects directly through connectionpool.urlopen(). This adds the same
header-stripping logic to connectionpool.py.
Upstream fix: https://github.com/urllib3/urllib3/commit/5ec0de49
---
src/urllib3/connectionpool.py | 11 +++++++++++
1 file changed, 11 insertions(+)
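diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
index 5f66cd25..2b3a7f1c 100644
--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
@@ -690,6 +690,17 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
 body = None
 headers = HTTPHeaderDict(headers)._prepare_for_method_change()
 
+ # Strip headers marked as unsafe to forward to the redirected location.
+ # Check remove_headers_on_redirect to avoid a potential network call within
+ # self.is_same_host() which may use socket.gethostbyname() in the future.
+ if (retries.remove_headers_on_redirect
+ and not self.is_same_host(redirect_location)):
+ if not isinstance(headers, HTTPHeaderDict):
+ headers = HTTPHeaderDict(headers or {})
+ for header in list(six.iterkeys(headers)):
+ if header.lower() in retries.remove_headers_on_redirect:
+ headers.pop(header, None)
+
 try:
 retries = retries.increment(method, url, response=response, _pool=self)
 except MaxRetryError: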
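Review bot: The stripping loop pops from `headers` in place whenever it is already an HTTPHeaderDict (the copy on the `isinstance` branch is skipped), so a caller-supplied HTTPHeaderDict — or the pool's default headers, if urlopen fell back to them earlier; that assignment is outside the hunk — loses its Authorization/Cookie/Proxy-Authorization entries for every later request made with the same object, not only for the redirected one. Copying unconditionally, `headers = HTTPHeaderDict(headers or {})`, keeps the strip local to the redirect at negligible cost. The same in-place pop is described as already present in the PoolManager path; a small shared helper called from both places would keep the two implementations from drifting the next time the header list or the same-host test changes. urlopen begins and ends outside the hunk, and the rendered page has collapsed leading whitespace, so the nesting of the new block relative to the 303-only lines above it (`body = None`, `_prepare_for_method_change()`) cannot be verified from here.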
--
2.52.0