CVE-2023-45803

Advisory

Urllib3-future 2.1.902 includes a fix for CVE-2023-45803: Urllib3's request body not stripped after redirect from 303 status changes request method to GET.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

====================

- Fixed an issue where streaming response did not yield data until the stream was closed.
- Unified peercert/issuercert dict output in ConnectionInfo output format when HTTP/3.
- Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
Headers ``content-encoding, content-language, content-location, content-type, content-length, digest, last-modified`` are
also stripped in the said case.
Port of the security fix GHSA-g4mx-q9vg-27p4
- ``_TYPE_BODY`` now accept `Iterable[str]` in addition to `Iterable[bytes]`.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45803
• https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
• https://www.rfc-editor.org/rfc/rfc9110.html#name-get
• https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
• https://lists.fedoraproject.org/archives/list/[email protected]/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/