
Issue with urllib3 using requests 2.31.0 #19

Closed
weslambert opened this issue Jun 1, 2023 · 5 comments

Comments

@weslambert

weslambert commented Jun 1, 2023

Thanks for all of your work on this project!

Since Requests v2.3.0, Requests has been vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. Note this behavior has only been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. https://username:password@proxy:8080).

Version 2.31.0 is now available to patch the issue.

As of requests 2.30.0, it appears that urllib3 2.x is required:

https://requests.readthedocs.io/en/latest/community/updates/

2.30.0 (2023-05-03)
Dependencies - ⚠️ Added support for urllib3 2.0. ⚠️

This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.

Users who wish to stay on urllib3 1.x can pin to urllib3<2.

Using the current version that is specified as a dependency for whoisit causes a conflict.

Would it be possible to update the dependency?

Thanks!
Wes

@meeb meeb closed this as completed in 48da2c6 Jun 1, 2023
@meeb
Owner

meeb commented Jun 1, 2023

Sure, done. Note though that the whoisit PyPI package just has a requirement of requests without a pinned version. Bumping the required version in the Pipfile (to resolve this issue) doesn't change the package in any way and most people who install the package from PyPI are unaffected by this. Thanks for the issue!

@weslambert
Author

Thanks for resolving the issue so quickly!

@weslambert
Author

weslambert commented Jun 1, 2023

As an update, I think there might be another issue with urllib3 2.x with DEFAULT_CIPHERS being removed. Should the ssl module and ssl.create_default_context() be used to set the value?

For example, something like the following in utils.py. I haven't tested it.

import ssl
import requests

ssl_context = ssl.create_default_context()
# Optionally set ciphers
ssl_context.set_ciphers('...')
# ...
# get_ciphers() returns a list of dicts, so join the suite names into the
# colon-separated string that DEFAULT_CIPHERS used to hold
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = ':'.join(
    c['name'] for c in ssl_context.get_ciphers())

Let me know what you think and if I should create a separate issue.

Thanks!
Wes

@meeb
Owner

meeb commented Jun 2, 2023

Ah, yes that will require an additional patch. Looks like it will need to be moved to a requests adapter. Feel free to create a new issue.
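The adapter approach meeb refers to, as an added example that is neither part of this thread nor whoisit's own code: it builds the context with ssl.create_default_context() as Wes suggested and hands it to urllib3 through a requests HTTPAdapter, instead of assigning to the DEFAULT_CIPHERS global that urllib3 2.x no longer reads. It assumes requests with urllib3 2.x installed; the cipher string and the names below are placeholders chosen here.

```python
import ssl

import requests
from requests.adapters import HTTPAdapter


def build_ssl_context(ciphers=None):
    """Verifying SSLContext, optionally restricted to the `ciphers` string.

    create_default_context() turns on certificate and hostname checks.
    set_ciphers() only narrows TLS 1.2 and earlier suites; TLS 1.3 suites
    are configured separately by OpenSSL and stay enabled. An invalid
    string raises ssl.SSLError here, before any request is sent.
    """
    ctx = ssl.create_default_context()
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def context_summary(ctx):
    """Facts worth checking about a context before mounting it."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "tls12_ciphers": [c["name"] for c in ctx.get_ciphers()
                          if c["protocol"] == "TLSv1.2"],
    }


class CipherAdapter(HTTPAdapter):
    """Passes one SSLContext to urllib3 for direct and proxied HTTPS."""

    def __init__(self, ssl_context, **kwargs):
        # HTTPAdapter.__init__ calls init_poolmanager, so set this first.
        self.ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, *args, **kwargs):
        kwargs["ssl_context"] = self.ssl_context
        return super().init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs):
        kwargs["ssl_context"] = self.ssl_context
        return super().proxy_manager_for(*args, **kwargs)


def make_session(ciphers=None):
    """requests.Session whose HTTPS traffic uses the restricted context."""
    session = requests.Session()
    session.mount("https://", CipherAdapter(build_ssl_context(ciphers)))
    return session
```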

@weslambert
Author

Will do. Thanks!
