psf / requests

A simple, yet elegant, HTTP library.
https://requests.readthedocs.io/en/latest/
Apache License 2.0

auth headers lost when requests process redirected requests #6741

Closed dengshaochun closed 5 months ago

dengshaochun commented 5 months ago

auth headers lost when requests process redirected requests

import requests

def print_request_info(response, *args, **kwargs):
    # Response hook: dumps the request that produced this response and the
    # response itself; on a redirect it runs once for every hop.
    request = response.request
    print(f"Request URL: {request.url}")
    print(f"Request Headers: {request.headers}")
    print(f"Request Data: {request.body}")
    print(f"Response Status Code: {response.status_code}")
    print(f"Response Headers: {response.headers}")
    print(f"Response Text: {response.text}")

# self.url, headers, json_data and self.auth come from the reporter's
# surrounding class and are not shown in the issue.
response = requests.put(
    self.url,
    headers=headers,
    data=json_data,
    auth=self.auth,
    timeout=100,
    hooks={"response": print_request_info},
)

Expected Result

request headers

{'User-Agent': 'python-requests/2.27.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'format': 'json', 'Expect': '100-continue', 'strip_outer_array': 'true', 'Content-Length': '2305', 'Authorization': 'Basic xxxxx'}

Response Status Code: 307

redirected headers

{'User-Agent': 'python-requests/2.27.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'format': 'json', 'Expect': '100-continue', 'strip_outer_array': 'true', 'Content-Length': '2305'}

Actual Result

redirected headers contain Authorization

Reproduction Steps

import requests

System Information

$ python -m requests.help
{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "2.0.12"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "3.3"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.6.8"
  },
  "platform": {
    "release": "5.4.119-1-tlinux4-0010.1",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.27.1"
  },
  "system_ssl": {
    "version": "100020bf"
  },
  "urllib3": {
    "version": "1.26.9"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": false
}
nateprewitt commented 5 months ago

Hi @dengshaochun, this is intended behavior. Requests will not forward potentially sensitive auth tokens to redirected hosts. This is to prevent leaking auth information to unintended endpoints. The best course of action in this case is to fix the URI provided to Requests to prevent redirection.
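The rule the maintainer describes, as an added example that is not part of the thread: a stand-alone reimplementation of the check requests applies before following a redirect (mirroring requests.sessions.SessionRedirectMixin.should_strip_auth as I understand it, not imported from the library), applied to a constructed set of headers and URLs. A redirect to another host, to another port, or from https down to http drops Authorization; an http-to-https upgrade on the same host with default ports keeps it.

```python
from urllib.parse import urlparse

# Default port per scheme, as in requests.utils.DEFAULT_PORTS.
DEFAULT_PORTS = {"http": 80, "https": 443}


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """True if Authorization must be dropped when old_url redirects to new_url.

    Reimplements the rule in requests' SessionRedirectMixin.should_strip_auth
    so this runs without requests installed.
    """
    old, new = urlparse(old_url), urlparse(new_url)

    # Different host: always drop (the case in this issue).
    if old.hostname != new.hostname:
        return True

    # Same host, http -> https on default ports: a pure upgrade, keep auth.
    if (old.scheme == "http" and old.port in (80, None)
            and new.scheme == "https" and new.port in (443, None)):
        return False

    changed_port = old.port != new.port
    changed_scheme = old.scheme != new.scheme

    # Same scheme, explicit vs implicit default port: same origin, keep auth.
    default_port = (DEFAULT_PORTS.get(old.scheme), None)
    if (not changed_scheme and old.port in default_port
            and new.port in default_port):
        return False

    # Otherwise the scheme or port changed: a different origin, drop.
    return changed_port or changed_scheme


def headers_for_redirect(headers: dict, old_url: str, new_url: str) -> dict:
    """Headers the redirected request would carry (returns a copy)."""
    out = dict(headers)
    if "Authorization" in out and should_strip_auth(old_url, new_url):
        del out["Authorization"]
    return out


if __name__ == "__main__":
    # Constructed sample: the original request carried Basic auth.
    hdrs = {"Authorization": "Basic xxxxx", "Accept": "*/*"}
    for dst in ("https://api.example.com/v1", "https://example.com/v1",
                "http://example.com:8443/v1"):
        print(dst, headers_for_redirect(hdrs, "http://example.com/v1", dst))
```

The same check can be run against the URLs printed by the reporter's hook to see which hop dropped the header; the fix the maintainer suggests is to send the request to the final URL so no redirect occurs.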