python-urllib3/CVE-2026-44431.patch
Tomáš Hrnčiar 81bb5e162b Security fix for CVE-2026-44431 and CVE-2026-44432
- Resolves: RHEL-184816
- Resolves: RHEL-185123
2026-06-16 15:15:44 +02:00


From 90da7b0eeef49a141ea91360dd919c3739e96445 Mon Sep 17 00:00:00 2001
From: Illia Volochii <illia.volochii@gmail.com>
Date: Wed, 3 Jun 2026 15:55:18 +0200
Subject: [PATCH] CVE-2026-44431
* Remove sensitive headers in proxy pools too
* Add a changelog entry
* Check retries history in tests
Co-authored-by: Copilot <copilot@github.com>
---------
Co-authored-by: Copilot <copilot@github.com>
---
changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst | 3 +++
src/urllib3/connectionpool.py | 12 ++++++++++++
2 files changed, 15 insertions(+)
create mode 100644 changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
diff --git a/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
new file mode 100644
index 0000000..bac765e
--- /dev/null
+++ b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
@@ -0,0 +1,3 @@
+Fixed HTTP pools created using ``ProxyManager.connection_from_url`` to strip
+sensitive headers specified in ``Retry.remove_headers_on_redirect`` when
+redirecting to a different host.
diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
index 8f9ebb5..923a5d9 100644
--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
@@ -807,6 +807,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
body = None
headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ # Strip headers marked as unsafe to forward to the redirected location.
+ # Check remove_headers_on_redirect to avoid a potential network call within
+ # self.is_same_host() which may use socket.gethostbyname() in the future.
+ if retries.remove_headers_on_redirect and not self.is_same_host(
+ redirect_location
+ ):
+ new_headers = headers.copy() # type: ignore[union-attr]
+ for header in headers:
+ if header.lower() in retries.remove_headers_on_redirect:
+ new_headers.pop(header, None)
+ headers = new_headers
+
try:
retries = retries.increment(method, url, response=response, _pool=self)
except MaxRetryError:
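Review bot: The same-host decision in `if retries.remove_headers_on_redirect and not self.is_same_host(redirect_location)` is made against this pool's own scheme/host/port, and for a plain-HTTP pool handed out by `ProxyManager.connection_from_url` that endpoint is, as far as I can tell from upstream urllib3 (not visible here), the proxy rather than the origin of `url`; the check then strips `Authorization`/`Cookie` on every redirect, same-origin ones included (safe but surprising), and would keep them on a redirect that happens to target the proxy endpoint itself. Consider comparing the redirect target against the origin of the request `url` when `self.proxy` is set, and pinning both cases in the tests the commit adds. Separately, `new_headers = headers.copy()  # type: ignore[union-attr]` hides a real case, since the annotated `Mapping` need not provide `.copy()`; `new_headers = HTTPHeaderDict(headers)` copies any mapping without the ignore and matches what the 303 branch already does. The membership test also relies on `Retry` having lower-cased `remove_headers_on_redirect` at construction, which deserves a line such as `# Retry lower-cases remove_headers_on_redirect, so compare the lower-cased name`. `urlopen` starts before this hunk, and the recursive redirect call that has to receive the stripped `headers` lies after it.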
--
2.54.0