Remove Authorization header regardless of case when redirecting to cross-site #1511

Merged

kyoshidajp
Contributor

Fixes #1510.

kyoshidajp changed the title from "Remove Authentication header regardless of case when redirecting to cross-site" to "Remove Authorization header regardless of case when redirecting to cross-site" on Dec 29, 2018
kyoshidajp force-pushed the support_case_insensitive_auth_header branch from 2354489 to 933d6b3 on December 29, 2018 01:46
codecov-io commented Dec 29, 2018

Codecov Report

Merging #1511 into master will decrease coverage by 2.35%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master    #1511      +/-   ##
==========================================
- Coverage   67.04%   64.68%   -2.36%     
==========================================
  Files          22       22              
  Lines        2761     2897     +136     
==========================================
+ Hits         1851     1874      +23     
- Misses        910     1023     +113
Impacted Files Coverage Δ
src/urllib3/poolmanager.py 61.11% <100%> (-16.21%) ⬇️
src/urllib3/util/retry.py 56.96% <100%> (-14.23%) ⬇️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update a252e25...8815a93.

Member

sethmlarson left a comment

Thanks for opening this, I have a few comments before merging this.

@@ -179,7 +179,7 @@ def __init__(self, total=10, connect=None, read=None, redirect=None, status=None
self.raise_on_status = raise_on_status
self.history = history or tuple()
self.respect_retry_after_header = respect_retry_after_header
self.remove_headers_on_redirect = remove_headers_on_redirect
self.remove_headers_on_redirect = [h.lower() for h in remove_headers_on_redirect]
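Review bot: the comprehension on the last line of this hunk iterates remove_headers_on_redirect directly, so a caller who passes a single string such as 'Authorization' ends up with a list of one-character names that matches no header, and nothing is removed on redirect. Reject or wrap a bare str before lowercasing, and say in the parameter's docstring that the names are stored lowercased, since the attribute no longer holds what the caller passed in.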
Member

I think we should change this structure into a frozenset to protect users from adding headers not through the constructor if we're going to enforce lowercase-only.

Contributor Author

You mean we should remove the remove_headers_on_redirect parameter from the constructor?

Member

No, I mean converting the iterable we receive from remove_headers_on_redirect into a frozenset. Something like self.remove_headers_on_redirect = frozenset([h.lower() for h in remove_headers_on_redirect])

@@ -342,8 +342,12 @@ def urlopen(self, method, url, redirect=True, **kw):
# conn.is_same_host() which may use socket.gethostbyname() in the future.
if (retries.remove_headers_on_redirect
and not conn.is_same_host(redirect_location)):
for header in retries.remove_headers_on_redirect:
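Review bot: the loop on the last line of this hunk iterates the configured names, which __init__ now stores in lowercase, so removal only works if the request's header names are lowercased before they are compared. Iterating over the request's header names and testing name.lower() against retries.remove_headers_on_redirect would cover mixed-case headers; take a snapshot of the names first if entries are deleted inside the loop.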
Member

Let's keep some of the original structure of this logic by instead looping through all the header names with six.viewkeys() (so we don't have to make a copy) and then seeing if that header name is within the remove_headers_on_redirect frozenset.

Contributor Author

I changed this in 4357014, but I made a copy with .copy() because I got RuntimeError: dictionary changed size during iteration without .copy().

test/with_dummyserver/test_poolmanager.py (conversation resolved)
@sethmlarson
Member

Also don't worry about force-pushing, we squash all commits. :)

@sethmlarson
Member

sethmlarson commented Dec 29, 2018

I pushed some changes to your branch so we don't have to copy the entire set of headers, instead just the names. You might have to merge your changes if you also make changes to the same file without syncing your branch locally first.
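The approach discussed in this thread, as an added example that is not urllib3's code: header names are lowercased into a frozenset once, and on a cross-host redirect each request header name is compared in lowercase while iterating over a snapshot of the names only. The function names, the simplified same_host() check and the sample request are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Normalized once and frozen, as suggested in the review above.
REMOVE_ON_REDIRECT = frozenset(h.lower() for h in ["Authorization"])
DEFAULT_PORTS = {"http": 80, "https": 443}

def same_host(url_a, url_b):
    """Simplified stand-in for conn.is_same_host(): scheme, host, port."""
    def key(url):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port or DEFAULT_PORTS.get(scheme)
        return scheme, (parts.hostname or "").lower(), port
    return key(url_a) == key(url_b)

def strip_case_sensitive(headers, remove_names):
    """Assumed pre-fix behaviour: exact-case lookup of each configured name."""
    headers = dict(headers)
    for name in remove_names:
        headers.pop(name, None)
    return headers

def strip_case_insensitive(headers, remove_names=REMOVE_ON_REDIRECT):
    """Compare every request header name in lowercase against the frozenset."""
    headers = dict(headers)
    # list(headers) snapshots only the names; deleting while iterating the
    # dict itself raises "RuntimeError: dictionary changed size during iteration".
    for name in list(headers):
        if name.lower() in remove_names:
            del headers[name]
    return headers

def headers_for_redirect(headers, current_url, redirect_location):
    """Drop the configured headers only when the redirect leaves the host."""
    target = urljoin(current_url, redirect_location)  # resolves relative locations
    if same_host(current_url, target):
        return dict(headers)
    return strip_case_insensitive(headers)

# Constructed sample request: the caller spelled the header name in lowercase.
SAMPLE = {"authorization": "Bearer constructed-token", "Accept": "*/*"}
```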

@kyoshidajp
Contributor Author

Thanks a lot!

@kyoshidajp
Contributor Author

@sethmlarson Could you review again?

sethmlarson merged commit adb358f into urllib3:master on Dec 29, 2018
@sethmlarson
Member

Thanks for this!

kyoshidajp deleted the support_case_insensitive_auth_header branch on December 30, 2018 01:00
Dobatymo pushed a commit to Dobatymo/urllib3 that referenced this pull request Mar 16, 2022