
Commit644124e

authored
Merge pull request fromGHSA-v845-jxx5-vc9f
1 parent740380c commit644124e


5 files changed

+35
-9
lines changed


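--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,3 +1,8 @@
+2.0.6 (2023-10-02)
+==================
+
+* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
+
 2.0.5 (2023-09-20)
 ==================
 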

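--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -238,6 +238,9 @@ the ``;`` delimited key-value pairs:
 print(resp.json())
 # {"cookies": {"id": "30", "session": "f3efe9db"}}
 
+Note that the ``Cookie`` header will be stripped if the server redirects to a
+different host.
+
 Cookies provided by the server are stored in the ``Set-Cookie`` header:
 
 ..code-block::python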

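--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
 RETRY_AFTER_STATUS_CODES=frozenset([413,429,503])
 
 #: Default headers to be used for ``remove_headers_on_redirect``
-DEFAULT_REMOVE_HEADERS_ON_REDIRECT=frozenset(["Authorization"])
+DEFAULT_REMOVE_HEADERS_ON_REDIRECT=frozenset(["Cookie","Authorization"])
 
 #: Default maximum backoff time.
 DEFAULT_BACKOFF_MAX=120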
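Review bot: The comment above `DEFAULT_REMOVE_HEADERS_ON_REDIRECT` does not say that this set is only a default, which a caller-supplied `remove_headers_on_redirect` replaces rather than extends. The tests in test/with_dummyserver/test_poolmanager.py in this commit pin that behaviour: with `Retry(remove_headers_on_redirect=["X-API-Secret"])` both `Authorization` and `Cookie` still reach the other host. I would extend the comment to something like `#: Default headers stripped on cross-host redirects; passing ``remove_headers_on_redirect`` replaces this set, so custom lists must name ``Cookie`` and ``Authorization`` again if they should still be stripped.` `Proxy-Authorization` is another credential-bearing header absent from the default set; whether it can reach a redirect target is not visible from this hunk. The `Retry` class body starts and ends outside the hunk.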

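--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -334,12 +334,12 @@ def test_retry_method_not_allowed(self) -> None:
 deftest_retry_default_remove_headers_on_redirect(self)->None:
 retry=Retry()
 
-assertlist(retry.remove_headers_on_redirect)==["authorization"]
+assertretry.remove_headers_on_redirect=={"authorization","cookie"}
 
 deftest_retry_set_remove_headers_on_redirect(self)->None:
 retry=Retry(remove_headers_on_redirect=["X-API-Secret"])
 
-assertlist(retry.remove_headers_on_redirect)==["x-api-secret"]
+assertretry.remove_headers_on_redirect=={"x-api-secret"}
 
 @pytest.mark.parametrize("value", ["-1","+1","1.0","\xb2"])# \xb2 = ^2
 deftest_parse_retry_after_invalid(self,value:str)->None: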

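--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
@@ -141,20 +141,21 @@ def test_redirect_cross_host_remove_headers(self) -> None:
 "GET",
 f"{self.base_url}/redirect",
 fields={"target":f"{self.base_url_alt}/headers"},
-headers={"Authorization":"foo"},
+headers={"Authorization":"foo","Cookie":"foo=bar"},
 )
 
 assertr.status==200
 
 data=r.json()
 
 assert"Authorization"notindata
+assert"Cookie"notindata
 
 r=http.request(
 "GET",
 f"{self.base_url}/redirect",
 fields={"target":f"{self.base_url_alt}/headers"},
-headers={"authorization":"foo"},
+headers={"authorization":"foo","cookie":"foo=bar"},
 )
 
 assertr.status==200
@@ -163,14 +164,16 @@ def test_redirect_cross_host_remove_headers(self) -> None:
 
 assert"authorization"notindata
 assert"Authorization"notindata
+assert"cookie"notindata
+assert"Cookie"notindata
 
 deftest_redirect_cross_host_no_remove_headers(self)->None:
 withPoolManager()ashttp:
 r=http.request(
 "GET",
 f"{self.base_url}/redirect",
 fields={"target":f"{self.base_url_alt}/headers"},
-headers={"Authorization":"foo"},
+headers={"Authorization":"foo","Cookie":"foo=bar"},
 retries=Retry(remove_headers_on_redirect=[]),
 )
 
@@ -179,14 +182,19 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
 data=r.json()
 
 assertdata["Authorization"]=="foo"
+assertdata["Cookie"]=="foo=bar"
 
 deftest_redirect_cross_host_set_removed_headers(self)->None:
 withPoolManager()ashttp:
 r=http.request(
 "GET",
 f"{self.base_url}/redirect",
 fields={"target":f"{self.base_url_alt}/headers"},
-headers={"X-API-Secret":"foo","Authorization":"bar"},
+headers={
+"X-API-Secret":"foo",
+"Authorization":"bar",
+"Cookie":"foo=bar",
+},
 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
 )
 
@@ -196,8 +204,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
 
 assert"X-API-Secret"notindata
 assertdata["Authorization"]=="bar"
+assertdata["Cookie"]=="foo=bar"
 
-headers= {"x-api-secret":"foo","authorization":"bar"}
+headers= {
+"x-api-secret":"foo",
+"authorization":"bar",
+"cookie":"foo=bar",
+}
 r=http.request(
 "GET",
 f"{self.base_url}/redirect",
@@ -213,9 +226,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
 assert"x-api-secret"notindata
 assert"X-API-Secret"notindata
 assertdata["Authorization"]=="bar"
+assertdata["Cookie"]=="foo=bar"
 
 # Ensure the header argument itself is not modified in-place.
-assertheaders== {"x-api-secret":"foo","authorization":"bar"}
+assertheaders== {
+"x-api-secret":"foo",
+"authorization":"bar",
+"cookie":"foo=bar",
+}
 
 deftest_redirect_without_preload_releases_connection(self)->None:
 withPoolManager(block=True,maxsize=2)ashttp: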
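Review bot: Every request in these hunks redirects to `self.base_url_alt`, so nothing visible here checks that `Cookie` is still sent when the redirect stays on the same host. A regression that stripped the header on every redirect would pass all of the added assertions. Unless such a case already exists outside the hunks, a sibling test that targets `f"{self.base_url}/headers"` with `headers={"Cookie": "foo=bar"}` and ends with `assert data["Cookie"] == "foo=bar"` would pin the boundary. The test methods shown start or end outside the hunks.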
