From 88313c734876b90c266d183d07d26338a14bc54c Mon Sep 17 00:00:00 2001
From: Nate Prewitt
Date: Mon, 22 May 2023 08:08:57 -0700
Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
---
 requests/sessions.py | 4 +++-
 tests/test_requests.py | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/requests/sessions.py b/requests/sessions.py
index 45ab8a5..db9c594 100644
--- a/requests/sessions.py
+++ b/requests/sessions.py
@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
 except KeyError:
 username, password = None, None
- if username and password:
+ # urllib3 handles proxy authorization for us in the standard adapter.
+ # Avoid appending this to TLS tunneled requests where it may be leaked.
+ if not scheme.startswith('https') and username and password:
 headers['Proxy-Authorization'] = _basic_auth_str(username, password)
 return new_proxies
diff --git a/tests/test_requests.py b/tests/test_requests.py
index 5e721cb..c70706f 100644
--- a/tests/test_requests.py
+++ b/tests/test_requests.py
@@ -551,6 +551,26 @@ class TestRequests:
 with pytest.raises(InvalidProxyURL):
 requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})
+
+ @pytest.mark.parametrize(
+ "url,has_proxy_auth",
+ (
+ ('http://example.com', True),
+ ('https://example.com', False),
+ ),
+ )
+ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
+ session = requests.Session()
+ proxies = {
+ 'http': 'http://test:pass@localhost:8080',
+ 'https': 'http://test:pass@localhost:8090',
+ }
+ req = requests.Request('GET', url)
+ prep = req.prepare()
+ session.rebuild_proxies(prep, proxies)
+
+ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
+
 def test_basicauth_with_netrc(self, httpbin):
 auth = ('user', 'pass')
 wrong_auth = ('wronguser', 'wrongpass')
-- 
2.40.1
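Review bot: The new guard tests `scheme`, a name bound earlier in the enclosing function outside this hunk, so the hunk alone does not show whether it is the request URL's scheme or the proxy URL's, and the comment leaves the reader to work out how the header "may be leaked". I would state the why in the comment rather than the symptom, along the lines of `# For https targets urllib3 authenticates the CONNECT tunnel itself; a Proxy-Authorization header set here would travel inside the tunnel to the origin server.` — assuming that is the mechanism the author has in mind. `scheme.startswith('https')` is a prefix match, so it also accepts any scheme that merely begins with those letters; if only the exact scheme is intended, `scheme == 'https'` says so more precisely — worth confirming which is meant. The enclosing function starts and ends outside the hunk, so whether a stale Proxy-Authorization header carried over from a previous request is dropped before this point cannot be checked from here.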
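Review bot: The http case only asserts that the header key exists, not that it carries the credentials from the proxy URL, so a regression that sets an empty or malformed value would still pass; after the membership assert I would add `if has_proxy_auth:` followed by `assert prep.headers['Proxy-Authorization'].startswith('Basic ')`. The test has no docstring; a one-liner such as `"""Proxy credentials go on plain-http requests only, never on https requests urllib3 tunnels."""` would record the intent next to the assertion. Both proxy entries use a plain-http proxy URL, so the test does not show whether the expected outcome should also depend on the proxy's own scheme; a parametrized case with an https proxy URL would pin that down if it matters.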