When :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware
processes a request with :reqmeta:proxy metadata, and that
:reqmeta:proxy metadata includes proxy credentials,
:class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware sets
the Proxy-Authentication header, but only if that header is not already
set.
There are third-party proxy-rotation downloader middlewares that set
different :reqmeta:proxy metadata every time they process a request.
Because of request retries and redirects, the same request can be processed
by downloader middlewares more than once, including both
:class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware and
any third-party proxy-rotation downloader middleware.
These third-party proxy-rotation downloader middlewares could change the
:reqmeta:proxy metadata of a request to a new value, but fail to remove
the Proxy-Authentication header from the previous value of the
:reqmeta:proxy metadata, causing the credentials of one proxy to be sent
to a different proxy.
To prevent the unintended leaking of proxy credentials, the behavior of
:class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware is now
as follows when processing a request:
If the request being processed defines :reqmeta:proxy metadata that
includes credentials, the Proxy-Authorization header is always
updated to feature those credentials.
If the request being processed defines :reqmeta:proxy metadata
without credentials, the Proxy-Authorization header is removed
unless it was originally defined for the same proxy URL.
To remove proxy credentials while keeping the same proxy URL, remove
the Proxy-Authorization header.
If the request has no :reqmeta:proxy metadata, or that metadata is a
falsy value (e.g. None), the Proxy-Authorization header is
removed.
It is no longer possible to set a proxy URL through the
:reqmeta:proxy metadata but set the credentials through the
Proxy-Authorization header. Set proxy credentials through the
:reqmeta:proxy metadata instead.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/TurboWay/spiderman/network/alerts).
Bumps scrapy from 2.6.0 to 2.6.2.
Release notes
Sourced from scrapy's releases.
Changelog
Sourced from scrapy's changelog.
... (truncated)
Commits
aecbccbBump version: 2.6.1 → 2.6.2af7dd16Merge pull request from GHSA-9x8m-2xpf-crp34205609Fixed intersphinx referencese3e69d1Pin documentation requirements (#5536)54bfb96Cover #5525 in the 2.6.2 release notes (#5535)4ef7182If TWISTED_REACTOR is None, reuse any pre-installed reactor (#5528)1c1cd5dUpdate the 2.6.2 release notes84c29a2Unset the release date of still-unreleased 2.6.2 (#5503)b9b9422Merge pull request #5482 from alexpdev/parse_help_msg915c288editDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/TurboWay/spiderman/network/alerts).