
Author: kyoshidajp
Recipients: Ivan.Pozdeev, alex, artem.smotrakov, jwilk, kyoshidajp, orsenthil
Date: 2018-12-23 02:03:56
Message-id: <1545530637.0.0.0770528567349.issue33661@roundup.psfhosted.org>
Content
Hi,

I agree with this suggestion.

First, section 6.4, "Redirection 3xx", of RFC 7231 doesn't explicitly explain whether to send all headers (including Authorization).

I have confirmed that some third-party libraries, tools, programming languages and web browsers did NOT forward the Authorization header on redirect.

- urllib3 (after 1.23, PR: https://github.com/urllib3/urllib3/pull/1346)
- curl (after 7.58.0, ref: https://curl.haxx.se/docs/CVE-2018-1000007.html)
- net/http package of Golang (ref: https://github.com/golang/go/blob/release-branch.go1.11/src/net/http/client.go#L41-L46)
- Safari Version 12.0.2 (13606.3.4.1.4)
- Google Chrome Version 71.0.3578.98 (Official Build) (64-bit)

In other words, these are on the safe side.

Actually, the HTTPBasicAuthHandler of urllib2 doesn't forward the Authorization header on redirect. If this suggestion is rejected, I think that it should be changed.
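The "safe side" behaviour the post compares against, as an added example that is not part of this issue thread or of CPython: a `urllib.request` redirect handler (assumed name `StripAuthOnCrossHostRedirect`) that keeps the stock redirect logic but drops credential-bearing headers when the redirect target is on a different host, plus a helper that feeds a request through it offline so the difference from the stock handler can be observed without a network.

```python
import urllib.request
from urllib.parse import urlsplit

# Headers that must not leak to a third-party host on redirect.
SENSITIVE_HEADERS = ("Authorization", "Proxy-Authorization", "Cookie")


class StripAuthOnCrossHostRedirect(urllib.request.HTTPRedirectHandler):
    """Assumed handler (not CPython's): reuse the stock redirect_request,
    then strip credentials if the redirect leaves the original host."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is None:
            return None
        old_host = urlsplit(req.full_url).hostname
        new_host = urlsplit(new_req.full_url).hostname
        if old_host != new_host:
            for name in SENSITIVE_HEADERS:
                new_req.remove_header(name)  # no-op when the header is absent
        return new_req


def headers_after_redirect(original_url, redirect_url, strict=True, code=302):
    """Build a GET carrying a constructed Authorization header, run it through
    redirect_request exactly as the opener would on a 3xx, and return the
    header dict of the follow-up request that would be sent."""
    handler = (StripAuthOnCrossHostRedirect() if strict
               else urllib.request.HTTPRedirectHandler())
    req = urllib.request.Request(original_url)
    req.add_header("Authorization", "Basic dXNlcjpwYXNz")  # constructed dummy credential
    new_req = handler.redirect_request(req, None, code, "Found", {}, redirect_url)
    return dict(new_req.headers)


if __name__ == "__main__":
    origin = "https://api.example.com/v1/"
    cross = "https://cdn.example.org/file"    # different host: must not receive the header
    same = "https://api.example.com/v2/"      # same host: header may be kept
    print("stock handler, cross-host :", "Authorization" in headers_after_redirect(origin, cross, strict=False))
    print("strict handler, cross-host:", "Authorization" in headers_after_redirect(origin, cross))
    print("strict handler, same-host :", "Authorization" in headers_after_redirect(origin, same))
    # For real requests, install the handler in an opener:
    opener = urllib.request.build_opener(StripAuthOnCrossHostRedirect())
```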
History
Date                 User        Action  Args
2018-12-23 02:03:58  kyoshidajp  set     recipients: + kyoshidajp, orsenthil, jwilk, alex, Ivan.Pozdeev, artem.smotrakov
2018-12-23 02:03:56  kyoshidajp  set     messageid: <1545530637.0.0.0770528567349.issue33661@roundup.psfhosted.org>
2018-12-23 02:03:56  kyoshidajp  link    issue33661 messages
2018-12-23 02:03:56  kyoshidajp  create