Safety vulnerability ID: 26101
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. See: CVE-2014-1829.
Latest version: 2.32.3
Python HTTP for Humans.
**API Changes**

- New ``Response`` property ``is_redirect``, which is true when the
  library could have processed this response as a redirection (whether
  or not it actually did).
- The ``timeout`` parameter now affects requests with both ``stream=True`` and
  ``stream=False`` equally.
- The change in v2.0.0 to mandate explicit proxy schemes has been reverted.
  Proxy schemes now default to ``http://``.
- The ``CaseInsensitiveDict`` used for HTTP headers now behaves like a normal
  dictionary when referenced as a string or viewed in the interpreter.

**Bugfixes**

- No longer expose Authorization or Proxy-Authorization headers on redirect.
  Fix CVE-2014-1829 and CVE-2014-1830 respectively.
- Authorization is re-evaluated each redirect.
- On redirect, pass url as native strings.
- Fall-back to autodetected encoding for JSON when Unicode detection fails.
- Headers set to ``None`` on the ``Session`` are now correctly not sent.
- Correctly honor ``decode_unicode`` even if it wasn't used earlier in the same
  response.
- Stop advertising ``compress`` as a supported Content-Encoding.
- The ``Response.history`` parameter is now always a list.
- Many, many ``urllib3`` bugfixes.
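
The first two bugfixes above describe re-evaluating credentials on every redirect hop. The following is an added example, not code from Requests or from this advisory: it shows one way to apply that idea in hand-written redirect handling, assuming a strict same-origin policy (scheme, host and port must all match). The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Header names the advisory lists as exposed on redirect.
CREDENTIAL_HEADERS = ("authorization", "proxy-authorization")
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(old_url, new_url, headers):
    """Copy headers for the redirected request, dropping credentials
    when the redirect target is a different origin (assumed policy)."""
    if origin(old_url) == origin(new_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}


def follow(start_url, headers, redirects, limit=5):
    """Walk a constructed redirect map, re-evaluating headers at every hop.
    Returns the list of (url, headers_sent) pairs."""
    sent, url = [], start_url
    for _ in range(limit):
        sent.append((url, headers))
        nxt = redirects.get(url)
        if nxt is None:
            break
        headers = headers_for_redirect(url, nxt, headers)
        url = nxt
    return sent


if __name__ == "__main__":
    # Constructed sample: same-origin hop, then a hop to another host.
    hops = {
        "https://api.example.test/v1": "https://api.example.test/v2",
        "https://api.example.test/v2": "https://cdn.example.net/v2",
    }
    creds = {"Authorization": "Basic placeholder", "Accept": "*/*"}
    for url, hdrs in follow("https://api.example.test/v1", creds, hops):
        print(url, sorted(hdrs))
```

The same function doubles as a regression check: feed it the redirect chains your client is expected to follow and assert that no credential header survives an origin change.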