Merge pull request from GHSA-34jh-p97f-mpxf

* [1.26] Strip Proxy-Authorization header on redirects

* Set release date

CHANGES.rst

@@ -1,6 +1,11 @@
 Changes
 =======
 
+1.26.19 (2024-06-17)
+==================
+
+- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
+
 1.26.18 (2023-10-17)
 --------------------
 

src/urllib3/util/retry.py

@@ -235,7 +235,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
     #: Default headers to be used for ``remove_headers_on_redirect``
-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
 
     #: Maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120

test/test_retry.py

@@ -293,7 +293,11 @@ def test_retry_method_not_in_whitelist(self):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+        assert retry.remove_headers_on_redirect == {
+            "authorization",
+            "proxy-authorization",
+            "cookie",
+        }
 
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])

test/test_retry_deprecated.py

@@ -295,7 +295,11 @@ def test_retry_method_not_in_whitelist(self):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+        assert retry.remove_headers_on_redirect == {
+            "authorization",
+            "proxy-authorization",
+            "cookie",
+        }
 
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])

test/with_dummyserver/test_poolmanager.py

@@ -142,21 +142,30 @@ def test_redirect_cross_host_remove_headers(self):
                 "GET",
                 "%s/redirect" % self.base_url,
                 fields={"target": "%s/headers" % self.base_url_alt},
-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
+                headers={
+                    "Authorization": "foo",
+                    "Proxy-Authorization": "bar",
+                    "Cookie": "foo=bar",
+                },
             )
 
             assert r.status == 200
 
             data = json.loads(r.data.decode("utf-8"))
 
             assert "Authorization" not in data
+            assert "Proxy-Authorization" not in data
             assert "Cookie" not in data
 
             r = http.request(
                 "GET",
                 "%s/redirect" % self.base_url,
                 fields={"target": "%s/headers" % self.base_url_alt},
-                headers={"authorization": "foo", "cookie": "foo=bar"},
+                headers={
+                    "authorization": "foo",
+                    "proxy-authorization": "baz",
+                    "cookie": "foo=bar",
+                },
             )
 
             assert r.status == 200
@@ -165,6 +174,8 @@ def test_redirect_cross_host_remove_headers(self):
 
             assert "authorization" not in data
             assert "Authorization" not in data
+            assert "proxy-authorization" not in data
+            assert "Proxy-Authorization" not in data
             assert "cookie" not in data
             assert "Cookie" not in data
 
@@ -174,7 +185,11 @@ def test_redirect_cross_host_no_remove_headers(self):
                 "GET",
                 "%s/redirect" % self.base_url,
                 fields={"target": "%s/headers" % self.base_url_alt},
-                headers={"Authorization": "foo", "Cookie": "foo=bar"},
+                headers={
+                    "Authorization": "foo",
+                    "Proxy-Authorization": "bar",
+                    "Cookie": "foo=bar",
+                },
                 retries=Retry(remove_headers_on_redirect=[]),
             )
 
@@ -183,6 +198,7 @@ def test_redirect_cross_host_no_remove_headers(self):
             data = json.loads(r.data.decode("utf-8"))
 
             assert data["Authorization"] == "foo"
+            assert data["Proxy-Authorization"] == "bar"
             assert data["Cookie"] == "foo=bar"
 
     def test_redirect_cross_host_set_removed_headers(self):
@@ -194,6 +210,7 @@ def test_redirect_cross_host_set_removed_headers(self):
                 headers={
                     "X-API-Secret": "foo",
                     "Authorization": "bar",
+                    "Proxy-Authorization": "baz",
                     "Cookie": "foo=bar",
                 },
                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
@@ -205,6 +222,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 
             assert "X-API-Secret" not in data
             assert data["Authorization"] == "bar"
+            assert data["Proxy-Authorization"] == "baz"
             assert data["Cookie"] == "foo=bar"
 
             r = http.request(
@@ -213,6 +231,7 @@ def test_redirect_cross_host_set_removed_headers(self):
                 fields={"target": "%s/headers" % self.base_url_alt},
                 headers={
                     "x-api-secret": "foo",
+                    "proxy-authorization": "baz",
                     "authorization": "bar",
                     "cookie": "foo=bar",
                 },
@@ -226,6 +245,7 @@ def test_redirect_cross_host_set_removed_headers(self):
             assert "x-api-secret" not in data
             assert "X-API-Secret" not in data
             assert data["Authorization"] == "bar"
+            assert data["Proxy-Authorization"] == "baz"
             assert data["Cookie"] == "foo=bar"
 
     def test_redirect_without_preload_releases_connection(self):