pwsm / httplib2

Automatically exported from code.google.com/p/httplib2

Credentials can leak in HTTP redirects #204

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

Credentials that are set with the add_credentials() method are not restricted
to one domain. After authentication was required, the "authorization" header
will keep being used in future requests.

This means that whenever the client goes off domain, the credentials will leak
(even when a domain is set for the credentials).

::: To reproduce
Run the script below and sniff the traffic (see below for a dump)

#!/usr/bin/python2.6

import httplib2
h = httplib2.Http()
h.add_credentials('name', 'password', 'uth.heinen.ws')
resp, content = h.request("http://uth.heinen.ws?test=5&aa", "GET")
print content

::: Possible fix
In case of a redirect, but perhaps for every request, you can iterate over the
authentication classes and force them to either add or to strip credentials
from the request (e.g. 'authorization' header).

::: Traffic dump

GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
accept-encoding: gzip, deflate
user-agent: Python-httplib2/0.7.2 (gzip)

HTTP/1.0 401 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://uth.heinen.ws/?test=5&step=2
WWW-Authenticate: Basic realm="TEST"

::: Request/response 2

GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
accept-encoding: gzip, deflate
authorization: Basic bmFtZTpwYXNzd29yZA==
user-agent: Python-httplib2/0.7.2 (gzip)

HTTP/1.0 301 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://69.60.119.186/?test=5&step=3

::: Request/response 3

GET /?test=5&step=3 HTTP/1.1
Host: 69.60.119.186
accept-encoding: gzip, deflate
authorization: Basic bmFtZTpwYXNzd29yZA==   <--- should not be here
user-agent: Python-httplib2/0.7.2 (gzip)

HTTP/1.0 303 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://uth.heinen.ws/?test=5&step=4

Hope this clarifies the issue. Feel free to ping me for more information or
additional testing.
Niels

Original issue reported on code.google.com by niels.he...@gmail.com on 15 Mar 2012 at 1:50
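The possible fix sketched in the report, recomputing the authorization header for every hop from the credential store instead of inheriting it, as an added example that is not httplib2's own code or its eventual fix. It assumes a credential store in the shape of add_credentials(name, password, domain), sends Basic credentials preemptively to matching hosts rather than waiting for a 401, and replays the redirect chain constructed from the traffic dump above.

```python
import base64
from urllib.parse import urlsplit

# Constructed credential store, shaped like add_credentials(name, password, domain).
CREDENTIALS = [("name", "password", "uth.heinen.ws")]


def host_matches(url, domain):
    """True if the URL's host is the credential domain or a subdomain of it."""
    host = urlsplit(url).hostname or ""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def apply_credentials(headers, url, credentials):
    """Return the headers for one hop.

    Any inherited 'authorization' header is dropped first; a Basic header is then
    added only if a registered credential's domain matches the host about to be
    contacted. Nothing carried over from a previous hop can reach another host.
    """
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    for name, password, domain in credentials:
        if domain and host_matches(url, domain):
            token = base64.b64encode(f"{name}:{password}".encode()).decode()
            out["authorization"] = "Basic " + token
            break
    return out


# Redirect chain constructed from the traffic dump: each URL is the one the
# client requests next, following the server's Location headers.
CHAIN = [
    "http://uth.heinen.ws/?test=5&aa",
    "http://uth.heinen.ws/?test=5&step=2",
    "http://69.60.119.186/?test=5&step=3",
    "http://uth.heinen.ws/?test=5&step=4",
]


def simulate(chain, credentials):
    """Walk the chain, reusing the header dict across hops like a client would,
    and record (host, whether an authorization header was sent) for each hop."""
    headers = {"user-agent": "Python-httplib2/0.7.2 (gzip)"}
    trail = []
    for url in chain:
        headers = apply_credentials(headers, url, credentials)
        trail.append((urlsplit(url).hostname, "authorization" in headers))
    return trail
```

Hop 3 (the off-domain IP address) ends up with no authorization header, while hop 4, back on the registered domain, gets it again.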

GoogleCodeExporter commented 8 years ago
Fixed in
http://code.google.com/p/httplib2/source/detail?r=f1e76fdb38ed4b9702b8b3ffadd3f4e2fb371b9d

Original comment by joe.gregorio@gmail.com on 28 Aug 2012 at 4:22