Authorization header dropped accidentally because wrong port change detection logic #4850

Closed
quickwind opened this issue Oct 29, 2018 · 3 comments


quickwind commented Oct 29, 2018

Summary.

Expected Result

We have library code using requests. When we get a URL with auth, it is redirected to a CAS authentication URL that has exactly the same schema and the same hostname. As for the port, our original request explicitly gave 443, but the location returned in the 302 response is without ":443" (meaning the default 443 for https). In such a case we expect that the redirected request should not strip the authorization header.

Actual Result

The authorization header is stripped, eventually causing a 401 error.

Reproduction Steps

import requests
session = requests.Session()
session.auth = ('admin', 'password1')
response = session.get('https://example.com:443/foo')

System Information

$ python -m requests.help
{
  "chardet": {
    "version": "3.0.4"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "2.7"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.6.5"
  },
  "platform": {
    "release": "4.15.0-36-generic",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.20.0"
  },
  "system_ssl": {
    "version": "1010008f"
  },
  "urllib3": {
    "version": "1.24"
  },
  "using_pyopenssl": false
}

This command is only available on Requests v2.16.4 and greater. Otherwise,
please provide some basic information about your system (Python version,
operating system, &c).

quickwind referenced this issue Oct 29, 2018
The exception for http->https upgrade now requires the standard HTTP(S)
ports to be used, either implicitly (no port specified) or explicitly.
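
Added example, not part of the thread and not the requests code: a sketch of the comparison the issue asks for, in which an explicit `:443` and an omitted port on `https` count as the same port, next to a raw port comparison that treats them as different. The function names and the redirect pairs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # scheme defaults used for normalization


def effective_port(parts):
    """Return the explicit port, or the scheme's default when none is given."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def raw_port_changed(old_url, new_url):
    """Raw comparison (hypothetical helper): implicit None != explicit 443."""
    return urlsplit(old_url).port != urlsplit(new_url).port


def should_strip(old_url, new_url):
    """Hypothetical check: strip credentials unless the redirect keeps the origin."""
    old, new = urlsplit(old_url), urlsplit(new_url)
    if old.hostname != new.hostname:
        return True  # different host: never forward credentials
    old_port, new_port = effective_port(old), effective_port(new)
    # http -> https upgrade on the standard ports keeps the header,
    # whether the ports were written out or left implicit
    if (old.scheme, old_port, new.scheme, new_port) == ("http", 80, "https", 443):
        return False
    return old.scheme != new.scheme or old_port != new_port


# Constructed redirect pairs: (original URL, Location target)
CASES = [
    ("https://example.com:443/foo", "https://example.com/cas/login"),
    ("https://example.com/foo", "https://example.com:8443/cas/login"),
    ("http://example.com/foo", "https://example.com/foo"),
    ("https://example.com/foo", "http://example.com/foo"),
    ("https://example.com:443/foo", "https://other.example/foo"),
]

if __name__ == "__main__":
    for old_url, new_url in CASES:
        print(f"{old_url} -> {new_url}: "
              f"raw port changed={raw_port_changed(old_url, new_url)}, "
              f"strip={should_strip(old_url, new_url)}")
```

The first pair is the case from the report: the raw comparison sees a port change, while the normalized check keeps the header because the origin is unchanged.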
@nateprewitt
Member

Hi @quickwind, thanks for bringing this to our attention. I've quickly tossed together #4851 to address the problem. I'm not ecstatic about the solution, but it should resolve the issues. I'll try to give the issue some more thought in the morning and we'll work towards getting this resolved in the next bugfix release.

@quickwind
Author

@nateprewitt Thanks for your quick response, looking forward to the next patch version...

@nateprewitt
Member

No problem @quickwind, we'll likely wait another week to see if anything else crops up and then I'll look at getting a hotfix release out. Going to close now that #4851 is merged.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 6, 2021