Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

requests: Do not leak header modifications when calling request. #947

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

rweickelt
Copy link

The requests() function takes a headers dict argument (call-by-reference). This object is then modified in the function. For instance the host is added and authentication information. Such behavior is not expected. It is also problematic:

  • Modifications of the header dictionary will be visible on the caller site.
  • When reusing the same (supposedly read-only) headers object for differenct calls, the second call will apparently re-use wrong headers from the previous call and may fail.

This patch should also fix #839. Unfortunately the copy operation does not preserve the key order and we have to touch the existing test cases.

The requests() function takes a headers dict argument
(call-by-reference). This object is then modified in the function. For
instance the host is added and authentication information. Such behavior
is not expected. It is also problematic:

- Modifications of the header dictionary will be visible on the caller
  site.
- When reusing the same (supposedly read-only) headers object for
  differenct calls, the second call will apparently re-use wrong headers
  from the previous call and may fail.

This patch should also fix micropython#839. Unfortunately the copy operation does
not preserve the key order and we have to touch the existing test cases.

Signed-off-by: Richard Weickelt <[email protected]>
@rweickelt rweickelt marked this pull request as ready for review December 11, 2024 23:33
@projectgus projectgus self-requested a review January 7, 2025 00:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

SECURITY: Requests module leaks passwords & usernames for HTTP Basic Auth
1 participant