
Unintended leak of Proxy-Authorization header in requests
Open, High, Public

Description

See https://github.com/wikimedia/pywikibot/security/dependabot/5

"requests >= 2.31.0"
should be required but we have

'requests>=2.21.0, <2.28.0; python_version < "3.7"',
'requests>=2.21.0; python_version>="3.7"',

where 2.21.0 is the version in toolforge

As a workaround redirects must be discarded.

Event Timeline

Xqt triaged this task as High priority.Sep 21 2023, 12:03 PM
Xqt changed the task status from Open to In Progress.Sep 21 2023, 12:09 PM
Xqt claimed this task.

Change 959734 had a related patch set uploaded (by Xqt; author: Xqt):

[pywikibot/core@master] [fix] Set 'allow_redirects' keyword argument of requests.Session to False

https://gerrit.wikimedia.org/r/959734

The proposed workaround leads to a lot of problems with site_detect_tests, generate_family_file_tests, site_obsoletesites_tests, http_tests and data_ingestion_tests, and in summary it is not appropriate for Pywikibot. In addition, the requests response code 3xx must be evaluated and a new request to the redirected destination must be done.

See https://integration.wikimedia.org/ci/job/pywikibot-core-tox-deeptest-py36-docker/2780/consoleFull
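The manual redirect handling described above (keep allow_redirects=False, evaluate the 3xx yourself and issue a new request to the Location) as an added example; this is not Pywikibot code and not part of the task or of the abandoned change. It assumes a transport callable with the shape of requests.Session.request(method, url, headers=..., allow_redirects=False) returning an object with .status_code, .headers and .url; FakeTransport, its routes and the header values are constructed so the block runs offline. Before every follow-up hop it drops Proxy-Authorization, the header the advisory for requests < 2.31.0 concerns, and drops Authorization when the host changes.

```python
"""Manual redirect handling on top of allow_redirects=False.

Added example, not Pywikibot code. Assumption: `send` has the shape of
requests.Session.request(method, url, headers=..., allow_redirects=False)
and returns an object with .status_code, .headers (case-insensitive in
requests) and .url. FakeTransport, its routes and the header values below
are constructed so the example runs offline. Request bodies are not handled.
"""
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 30  # same default as requests.Session.max_redirects
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class FakeResponse:
    status_code: int
    headers: dict
    url: str


@dataclass
class FakeTransport:
    """Constructed stand-in for requests.Session.request: url -> (status, Location)."""
    routes: dict
    seen: list = field(default_factory=list)  # (method, url, headers) per hop

    def __call__(self, method, url, headers=None, allow_redirects=False):
        if allow_redirects:
            raise ValueError("the workaround requires allow_redirects=False")
        self.seen.append((method, url, dict(headers or {})))
        status, location = self.routes.get(url, (200, None))
        return FakeResponse(status, {"Location": location} if location else {}, url)


def follow_redirects(send, method, url, headers, max_redirects=MAX_REDIRECTS):
    """Issue `method url`, follow 3xx responses manually, return the final response."""
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        resp = send(method, url, headers=headers, allow_redirects=False)
        if resp.status_code not in REDIRECT_CODES or "Location" not in resp.headers:
            return resp
        next_url = urljoin(url, resp.headers["Location"])
        # Never forward proxy credentials to the redirect target. If a proxy
        # needs them, put them in the proxy URL; the requests adapter adds
        # Proxy-Authorization per hop where the proxy protocol requires it.
        headers.pop("Proxy-Authorization", None)
        # Drop end-server credentials when the host changes, as
        # requests.Session.rebuild_auth does.
        if urlsplit(next_url).hostname != urlsplit(url).hostname:
            headers.pop("Authorization", None)
        # 303, and 301/302 after a POST, are followed with GET.
        if resp.status_code == 303 or (resp.status_code in (301, 302) and method == "POST"):
            method = "GET"
        url = next_url
    raise RuntimeError(f"exceeded {max_redirects} redirects; last hop was {url}")


def demo():
    """Constructed chain: http -> https on the same host -> a different host."""
    transport = FakeTransport({
        "http://wiki.example.org/w/api.php": (301, "https://wiki.example.org/w/api.php"),
        "https://wiki.example.org/w/api.php": (302, "https://cdn.example.net/api"),
    })
    headers = {
        "User-Agent": "redirect-example/0.1",
        "Authorization": "Bearer constructed-token",          # constructed value
        "Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ6Y3JlZHM=",  # constructed value
    }
    resp = follow_redirects(transport, "GET", "http://wiki.example.org/w/api.php", headers)
    return resp, transport.seen


def looping_redirect_is_capped(limit=3):
    """A self-redirect must stop after `limit` redirects instead of spinning forever."""
    transport = FakeTransport({"http://loop.example/": (302, "/")})
    try:
        follow_redirects(transport, "GET", "http://loop.example/", {}, max_redirects=limit)
    except RuntimeError:
        return len(transport.seen) == limit + 1
    return False


if __name__ == "__main__":
    final, hops = demo()
    for method, url, hdrs in hops:
        print(method, url, sorted(hdrs))
    print(final.status_code, final.url)
```

With a real session, pass session.request as send; the loop then also covers the Toolforge case where the installed requests is older than 2.31.0, because the library never sees a redirect it could follow on its own.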

Change 959734 abandoned by Xqt:

[pywikibot/core@master] [fix] Set 'allow_redirects' keyword argument of requests.Session to False

Reason:

A lot of tests fail. See task.

https://gerrit.wikimedia.org/r/959734

Xqt removed Xqt as the assignee of this task.Dec 5 2023, 6:29 AM