Safety vulnerability ID: 39575
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. Version 2.3.0 fixes this issue, CVE-2014-1830.
Latest version: 2.32.3
Python HTTP for Humans.
**API Changes**

- New ``Response`` property ``is_redirect``, which is true when the library could have processed this response as a redirection (whether or not it actually did).
- The ``timeout`` parameter now affects requests with both ``stream=True`` and ``stream=False`` equally.
- The change in v2.0.0 to mandate explicit proxy schemes has been reverted. Proxy schemes now default to ``http://``.
- The ``CaseInsensitiveDict`` used for HTTP headers now behaves like a normal dictionary when referenced as string or viewed in the interpreter.

**Bugfixes**

- No longer expose Authorization or Proxy-Authorization headers on redirect. Fix CVE-2014-1829 and CVE-2014-1830 respectively.
- Authorization is re-evaluated each redirect.
- On redirect, pass url as native strings.
- Fall-back to autodetected encoding for JSON when Unicode detection fails.
- Headers set to ``None`` on the ``Session`` are now correctly not sent.
- Correctly honor ``decode_unicode`` even if it wasn't used earlier in the same response.
- Stop advertising ``compress`` as a supported Content-Encoding.
- The ``Response.history`` parameter is now always a list.
- Many, many ``urllib3`` bugfixes.
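The header handling described in the first two bugfix entries, as an added example that is not code from Requests or from this advisory: a filter that decides which credential headers may follow a redirect, and an audit over a recorded redirect chain. The function names, the ``proxy_auth`` parameter, the hostname-only comparison and the sample URLs and token are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def origin_host(url):
    """Hostname of a URL (urlsplit lower-cases it), or None if absent."""
    return urlsplit(url).hostname


def headers_for_redirect(original_url, redirect_url, headers, proxy_auth=None):
    """Return a copy of `headers` that is safe to send to `redirect_url`.

    Authorization is kept only when the redirect stays on the same host.
    Proxy-Authorization is never carried over; it is attached again only
    when the caller passes `proxy_auth`, i.e. the value for the proxy that
    will actually handle the next hop (hypothetical parameter).
    """
    same_host = origin_host(original_url) == origin_host(redirect_url)
    safe = {}
    for name, value in headers.items():
        lname = name.lower()  # header names are case-insensitive
        if lname == "proxy-authorization":
            continue
        if lname == "authorization" and not same_host:
            continue
        safe[name] = value
    if proxy_auth is not None:
        safe["Proxy-Authorization"] = proxy_auth
    return safe


def audit_hops(hops):
    """Find credentials that reached the wrong party in a redirect chain.

    `hops` is [(url, headers as received by that origin server), ...] in
    redirect order. Returns (url, header_name) findings: any
    Proxy-Authorization seen by an origin server, and the first hop's
    Authorization value replayed to a different host.
    """
    first_url, first_headers = hops[0]
    first_auth = {v for k, v in first_headers.items() if k.lower() == "authorization"}
    findings = []
    for url, headers in hops:
        for name, value in headers.items():
            lname = name.lower()
            if lname == "proxy-authorization":
                findings.append((url, name))
            elif (lname == "authorization" and value in first_auth
                  and origin_host(url) != origin_host(first_url)):
                findings.append((url, name))
    return findings
```

``audit_hops`` can be run over headers captured at test servers to confirm that an upgraded client no longer forwards credentials across hosts.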