requests: Do not leak header modifications when calling request() #946

Closed

rweickelt

The requests() function takes a headers dict argument (call-by-reference). This object is then modified in the function. For instance the host is added and authentication information. Such behavior is not expected. It is also problematic:

  • Modifications of the header dictionary will be visible on the caller site.
  • When reusing the same (supposedly read-only) headers object for different calls, the second call will apparently re-use wrong headers from the previous call and may fail.

This patch should also fix #839.

@rweickelt rweickelt force-pushed the fix/requests-reuses-headers branch 2 times, most recently from 64ca392 to 5221e20 Compare December 11, 2024 21:29
The requests() function takes a headers dict argument
(call-by-reference). This object is then modified in the function. For
instance the host is added and authentication information. Such behavior
is not expected. It is also problematic:

- Modifications of the header dictionary will be visible on the caller
  site.
- When reusing the same (supposedly read-only) headers object for
  different calls, the second call will apparently re-use wrong headers
  from the previous call and may fail.

This patch should also fix micropython#839.

Signed-off-by: Richard Weickelt <richard@weickelt.de>
@rweickelt rweickelt force-pushed the fix/requests-reuses-headers branch from 5221e20 to 44b0968 Compare December 11, 2024 21:45
@rweickelt rweickelt closed this Dec 11, 2024
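
The aliasing problem described in this pull request, shown as an added example that is not code from the pull request or from the project: a simplified model of a request helper that writes `Host` and `Authorization` into the caller's dict, next to a variant that works on a private copy. The function names, host names and credentials are constructed for illustration.

```python
import base64


def _basic(auth):
    # Build an HTTP Basic Authorization value from a (user, password) tuple.
    user, password = auth
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def prepare_mutating(host, headers, auth=None):
    """'Before' behaviour: writes into the dict object the caller passed in."""
    if "Host" not in headers:
        headers["Host"] = host
    if auth is not None:
        headers["Authorization"] = _basic(auth)
    return headers  # stands in for what would be sent on the wire


def prepare_copying(host, headers=None, auth=None):
    """Hardened: all additions go into a private copy of the headers."""
    headers = dict(headers) if headers else {}
    if "Host" not in headers:
        headers["Host"] = host
    if auth is not None:
        headers["Authorization"] = _basic(auth)
    return headers


def demo(prepare):
    # Caller reuses one dict it considers read-only (constructed sample values).
    shared = {"Accept": "application/json"}
    prepare("internal.example", shared, auth=("alice", "s3cret"))
    second = prepare("other.example", shared)  # no auth requested for this call
    return shared, second


if __name__ == "__main__":
    for fn in (prepare_mutating, prepare_copying):
        shared, second = demo(fn)
        print(fn.__name__, "caller dict:", shared, "second request:", second)
```

With the mutating variant the second request goes out with the first call's `Host` and `Authorization` values; with the copying variant the caller's dict is unchanged and the second request carries only its own `Host`.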
Successfully merging this pull request may close these issues.

SECURITY: Requests module leaks passwords & usernames for HTTP Basic Auth