Unintended leak of Proxy-Authorization header in requests
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Xqt
	Sep 21 2023, 12:03 PM

Description

See https://github.com/wikimedia/pywikibot/security/dependabot/5

"requests >= 2.31.0"
should be required but we have

'requests>=2.21.0, <2.28.0; python_version < "3.7"',
'requests>=2.21.0; python_version>="3.7"',

where 2.21.0 is the version in toolforge

As a workaround redirects must be discarded.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
requirements: require requests >= 2.31.0 due to security issues	pywikibot/core	master	+1 -1
requirements: require requests >= 2.31.0 due to security issues	pywikibot/core	master	+3 -12
[fix] Set 'allow_redirects' keyword argument of requests.Session to False	pywikibot/core	master	+8 -1

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved	Release	Xqt	T378891 Pywikibot 10 release dependencies
		Resolved		Xqt	T347031 Unintended leak of Proxy-Authorization header in requests

Event Timeline

Xqt created this task.Sep 21 2023, 12:03 PM

Restricted Application added subscribers: pywikibot-bugs-list, Aklapper. · View Herald TranscriptSep 21 2023, 12:03 PM

Xqt triaged this task as High priority.Sep 21 2023, 12:03 PM

Xqt changed the task status from Open to In Progress.Sep 21 2023, 12:09 PM

Xqt claimed this task.

Change 959734 had a related patch set uploaded (by Xqt; author: Xqt):

[pywikibot/core@master] [fix] Set 'allow_redirects' keyword argument of requests.Session to False

https://gerrit.wikimedia.org/r/959734

gerritbot added a project: Patch-For-Review.Sep 21 2023, 12:52 PM

Xqt closed this task as Resolved.Sep 21 2023, 1:06 PM

Xqt updated the task description. (Show Details)Sep 21 2023, 1:11 PM

The proposed workaround leads to a lot of problems with site_detect_tests, generate_family_file_tests, site_obsoletesites_tests, http_tests and data_ingestion_tests and in summary it is not appropriate for Pywikibot. In adition the requests response code 3xx must be evaluated and a new request to the redirected destination must be done.

See https://integration.wikimedia.org/ci/job/pywikibot-core-tox-deeptest-py36-docker/2780/consoleFull

Change 959734 abandoned by Xqt:

[pywikibot/core@master] [fix] Set 'allow_redirects' keyword argument of requests.Session to False

Reason:

A lot of tests fails. See task.

https://gerrit.wikimedia.org/r/959734

Xqt mentioned this in T347026: Drop support for Python 3.6.Sep 22 2023, 8:03 AM

Xqt added a subtask: T347026: Drop support for Python 3.6.

Maintenance_bot removed a project: Patch-For-Review.Sep 22 2023, 8:10 AM

Xqt removed Xqt as the assignee of this task.Dec 5 2023, 6:29 AM

Xqt closed subtask T347026: Drop support for Python 3.6 as Resolved.Dec 6 2023, 2:00 AM

Xqt added a parent task: T378891: Pywikibot 10 release dependencies.Nov 4 2024, 3:29 PM

We now have requests 2.31.0 on tools-bastion-13 6.1.0-21-cloud-amd64:

Python 3.11.2 (main, Aug 26 2024, 07:20:54) [GCC 12.2.0] on linux
>>> from importlib.metadata import version
>>> version('requests')
'2.31.0'

Xqt removed a subtask: T347026: Drop support for Python 3.6.Nov 4 2024, 3:37 PM

Change #1101467 had a related patch set uploaded (by Xqt; author: Xqt):

[pywikibot/core@master] requirements: require requests >= 2.31.0 due to security issues

https://gerrit.wikimedia.org/r/1101467

gerritbot added a project: Patch-For-Review.Dec 9 2024, 10:04 AM

Xqt claimed this task.Dec 9 2024, 10:05 AM

Change #1101467 merged by jenkins-bot:

[pywikibot/core@master] requirements: require requests >= 2.31.0 due to security issues

https://gerrit.wikimedia.org/r/1101467

Xqt closed this task as Resolved.Dec 9 2024, 10:21 AM

Maintenance_bot removed a project: Patch-For-Review.Dec 9 2024, 10:30 AM

Change #1101492 had a related patch set uploaded (by Xqt; author: Xqt):

[pywikibot/core@master] requirements: require requests >= 2.31.0 due to security issues

https://gerrit.wikimedia.org/r/1101492

Change #1101492 merged by Xqt:

[pywikibot/core@master] requirements: require requests >= 2.31.0 due to security issues

https://gerrit.wikimedia.org/r/1101492

Maintenance_bot removed a project: Patch-For-Review.Dec 9 2024, 11:31 AM

Unintended leak of Proxy-Authorization header in requestsClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Unintended leak of Proxy-Authorization header in requests
Closed, ResolvedPublic
Actions

Related Objects
Search...