diff --git a/CHANGES.rst b/CHANGES.rst
index 3a0a4f0a2d..22af7e3d33 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changes
 =======
+1.26.19 (2024-06-17)
+==================
+
+- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
+
 1.26.18 (2023-10-17)
 --------------------
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 60ef6c4f3f..9a1e90d0b2 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -235,7 +235,9 @@ class Retry(object):
 RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 #: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
 #: Maximum backoff time.
 DEFAULT_BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index 95a33e7461..36477145f5 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -293,7 +293,11 @@ def test_retry_method_not_in_whitelist(self):
 def test_retry_default_remove_headers_on_redirect(self):
 retry = Retry()
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ assert retry.remove_headers_on_redirect == {
+ "authorization",
+ "proxy-authorization",
+ "cookie",
+ }
 def test_retry_set_remove_headers_on_redirect(self):
 retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
index 5133a51afa..e3b69e778f 100644
--- a/test/test_retry_deprecated.py
+++ b/test/test_retry_deprecated.py
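Review bot: The `#:` comment on `DEFAULT_REMOVE_HEADERS_ON_REDIRECT` in the src/urllib3/util/retry.py hunk still only says these are the defaults for `remove_headers_on_redirect`; now that a third credential-carrying header joins the set, the comment should state the reason so the next addition is judged on the same basis, e.g. `#: Default headers to be used for ``remove_headers_on_redirect``. These carry credentials and are dropped when a redirect leaves the original host so they are not forwarded to a different origin.` The constant lists mixed-case names while the test in test/test_retry.py expects lowercase ones, so the normalisation presumably happens in `Retry.__init__`, outside this hunk; a short remark on the constant that matching is case-insensitive would save the reader that lookup. The `Retry` class body begins and ends outside the hunk.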
@@ -295,7 +295,11 @@ def test_retry_method_not_in_whitelist(self):
 def test_retry_default_remove_headers_on_redirect(self):
 retry = Retry()
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ assert retry.remove_headers_on_redirect == {
+ "authorization",
+ "proxy-authorization",
+ "cookie",
+ }
 def test_retry_set_remove_headers_on_redirect(self):
 retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
index 509daf2932..02e3de5ec6 100644
--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
@@ -142,7 +142,11 @@ def test_redirect_cross_host_remove_headers(self):
 "GET",
 "%s/redirect" % self.base_url,
 fields={"target": "%s/headers" % self.base_url_alt},
- headers={"Authorization": "foo", "Cookie": "foo=bar"},
+ headers={
+ "Authorization": "foo",
+ "Proxy-Authorization": "bar",
+ "Cookie": "foo=bar",
+ },
 )
 assert r.status == 200
@@ -150,13 +154,18 @@ def test_redirect_cross_host_remove_headers(self):
 data = json.loads(r.data.decode("utf-8"))
 assert "Authorization" not in data
+ assert "Proxy-Authorization" not in data
 assert "Cookie" not in data
 r = http.request(
 "GET",
 "%s/redirect" % self.base_url,
 fields={"target": "%s/headers" % self.base_url_alt},
- headers={"authorization": "foo", "cookie": "foo=bar"},
+ headers={
+ "authorization": "foo",
+ "proxy-authorization": "baz",
+ "cookie": "foo=bar",
+ },
 )
 assert r.status == 200
@@ -165,6 +174,8 @@ def test_redirect_cross_host_remove_headers(self):
 assert "authorization" not in data
 assert "Authorization" not in data
+ assert "proxy-authorization" not in data
+ assert "Proxy-Authorization" not in data
 assert "cookie" not in data
 assert "Cookie" not in data
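Review bot: The new assertions in `test_redirect_cross_host_remove_headers` (the `@@ -150` hunk and the `@@ -165` hunk of test/with_dummyserver/test_poolmanager.py) only establish that `Proxy-Authorization` is absent after the cross-host hop; nothing in the diff checks the complementary case that a redirect staying on the same host still forwards it, which the changelog's wording ("when redirecting to a different host") implies and which a caller relying on proxy credentials across a redirect depends on. If that case is not already covered elsewhere in this file, add a same-host variant of this request (target under `self.base_url` rather than `self.base_url_alt`) that asserts `data["Proxy-Authorization"] == "bar"`. The enclosing test method begins before the first hunk of this file.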
@@ -174,7 +185,11 @@ def test_redirect_cross_host_no_remove_headers(self):
 "GET",
 "%s/redirect" % self.base_url,
 fields={"target": "%s/headers" % self.base_url_alt},
- headers={"Authorization": "foo", "Cookie": "foo=bar"},
+ headers={
+ "Authorization": "foo",
+ "Proxy-Authorization": "bar",
+ "Cookie": "foo=bar",
+ },
 retries=Retry(remove_headers_on_redirect=[]),
 )
@@ -183,6 +198,7 @@ def test_redirect_cross_host_no_remove_headers(self):
 data = json.loads(r.data.decode("utf-8"))
 assert data["Authorization"] == "foo"
+ assert data["Proxy-Authorization"] == "bar"
 assert data["Cookie"] == "foo=bar"
 def test_redirect_cross_host_set_removed_headers(self):
@@ -194,6 +210,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 headers={
 "X-API-Secret": "foo",
 "Authorization": "bar",
+ "Proxy-Authorization": "baz",
 "Cookie": "foo=bar",
 },
 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
@@ -205,6 +222,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 assert "X-API-Secret" not in data
 assert data["Authorization"] == "bar"
+ assert data["Proxy-Authorization"] == "baz"
 assert data["Cookie"] == "foo=bar"
 r = http.request(
@@ -213,6 +231,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 fields={"target": "%s/headers" % self.base_url_alt},
 headers={
 "x-api-secret": "foo",
+ "proxy-authorization": "baz",
 "authorization": "bar",
 "cookie": "foo=bar",
 },
@@ -226,6 +245,7 @@ def test_redirect_cross_host_set_removed_headers(self):
 assert "x-api-secret" not in data
 assert "X-API-Secret" not in data
 assert data["Authorization"] == "bar"
+ assert data["Proxy-Authorization"] == "baz"
 assert data["Cookie"] == "foo=bar"
 def test_redirect_without_preload_releases_connection(self):
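Review bot: In `test_redirect_cross_host_set_removed_headers` (the `@@ -205` and `@@ -226` hunks) the added `assert data["Proxy-Authorization"] == "baz"` pins the contract that passing a custom `remove_headers_on_redirect` list replaces the defaults rather than extending them, so `Authorization` and `Proxy-Authorization` are forwarded to the other host in this test by design. That matches the changelog ("different headers can be set via Retry.remove_headers_on_redirect"), but the test does not say so, and a reader could mistake the assertion for a leak being tolerated; a one-line comment above the first of them, such as `# A custom list replaces the defaults: Authorization/Proxy-Authorization are forwarded cross-host on purpose here.`, would make the intent explicit. The method's header lies outside the `@@ -205` hunk.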