[Python-modules-team] Bug#733108: python3-requests: redirect can expose netrc password
Jakub Wilk
jwilk at debian.org
Wed Dec 25 16:40:43 UTC 2013
Package: python3-requests
Version: 2.0.0-1
Tags: security
If site A redirects to site B, and the user had a password for site A in
their ~/.netrc, then requests would send authorization information both
to site A and to site B.
I've attached a netrc file and a pair of test scripts that should help
reproduce the bug.
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testhttpserver.py
Type: text/x-python
Size: 683 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20131225/e15a37f1/attachment.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testhttpclient.py
Type: text/x-python
Size: 140 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20131225/e15a37f1/attachment-0001.py>
-------------- next part --------------
machine localhost
login eggs password ham
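
Added example, not part of the original report and not code from requests: a stdlib-only sketch of the per-hop rule that avoids the leak described above, where credentials taken from netrc are dropped when a redirect changes the host and are looked up again for the new host only. The helper names and the URLs are hypothetical; the netrc content is the entry attached to the report, written to a temporary file.

```python
import base64
import netrc
import os
import tempfile
from urllib.parse import urlsplit

# netrc entry from the report, used here as constructed sample input.
SAMPLE_NETRC = "machine localhost\nlogin eggs password ham\n"


def netrc_header(url, netrc_path):
    """Return a Basic Authorization value for url's host, or None."""
    host = urlsplit(url).hostname
    entry = netrc.netrc(netrc_path).authenticators(host) if host else None
    if entry is None:
        return None
    login, _account, password = entry
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return "Basic " + token


def headers_for_redirect(headers, old_url, new_url, netrc_path):
    """Rebuild headers for a redirect hop (hypothetical helper).

    Assumed policy: if the host changes, the old Authorization header is
    removed and netrc is consulted again for the new host only.
    """
    rebuilt = dict(headers)
    if urlsplit(old_url).hostname != urlsplit(new_url).hostname:
        rebuilt.pop("Authorization", None)
        fresh = netrc_header(new_url, netrc_path)
        if fresh is not None:
            rebuilt["Authorization"] = fresh
    return rebuilt


def demo():
    """Return headers for the first request, a same-host hop, a cross-host hop."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SAMPLE_NETRC)
    try:
        site_a = "http://localhost:8000/"    # constructed URL, has a netrc entry
        site_b = "http://127.0.0.1:8001/"    # constructed URL, no netrc entry
        first = {"Authorization": netrc_header(site_a, f.name)}
        same = headers_for_redirect(first, site_a, site_a + "next", f.name)
        other = headers_for_redirect(first, site_a, site_b, f.name)
        return first, same, other
    finally:
        os.unlink(f.name)
```

Here `demo()` shows the header surviving a redirect within site A and being absent on the hop to site B.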