From 2e6a170805a8c2ea675a2a586828d7f5b53e856f Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Fri, 13 Oct 2023 09:29:29 +0200 Subject: [PATCH] CVE-2023-43804 --- src/urllib3/util/retry.py | 2 +- test/test_retry.py | 2 +- test/test_retry_deprecated.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py index 3398323..f727602 100644 --- a/src/urllib3/util/retry.py +++ b/src/urllib3/util/retry.py @@ -235,7 +235,7 @@ class Retry(object): RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) #: Default headers to be used for ``remove_headers_on_redirect`` - DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) + DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) #: Maximum backoff time. DEFAULT_BACKOFF_MAX = 120 diff --git a/test/test_retry.py b/test/test_retry.py index f170e57..d7c216b 100644 --- a/test/test_retry.py +++ b/test/test_retry.py @@ -293,7 +293,7 @@ class TestRetry(object): def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ["authorization"] + assert retry.remove_headers_on_redirect == {"authorization", "cookie"} def test_retry_set_remove_headers_on_redirect(self): retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py index 20e9810..d7905cd 100644 --- a/test/test_retry_deprecated.py +++ b/test/test_retry_deprecated.py @@ -295,7 +295,7 @@ class TestRetry(object): def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ["authorization"] + assert retry.remove_headers_on_redirect == {"authorization", "cookie"} def test_retry_set_remove_headers_on_redirect(self): retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) -- 2.41.0