Credentials can leak in HTTP redirects
Closed this issue · 1 comments
GoogleCodeExporter commented
Credentials that are set with the add_credentials() method are not restricted
to one domain. Once authentication has been required, the "authorization" header
will keep being sent on future requests.
This means that whenever the client goes off domain, the credentials will leak
(even when a domain is set for the credentials).
::: To reproduce
Run the script below and sniff the traffic (see below for a dump)
#!/usr/bin/python2.6
import httplib2

h = httplib2.Http()
# Credentials are registered with a domain, yet end up on every request
h.add_credentials('name', 'password', 'uth.heinen.ws')
# The server answers 401, then redirects off-domain (see the traffic dump)
resp, content = h.request("http://uth.heinen.ws?test=5&aa", "GET")
print content
::: Possible fix
In case of a redirect, but perhaps for every request, you can iterate over the
authentication classes and force them to either add or to strip credentials
from the request (e.g. 'authorization' header).
::: Traffic dump
GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
accept-encoding: gzip, deflate
user-agent: Python-httplib2/0.7.2 (gzip)
HTTP/1.0 401 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://uth.heinen.ws/?test=5&step=2
WWW-Authenticate: Basic realm="TEST"
::: Request/response 2
GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
accept-encoding: gzip, deflate
authorization: Basic bmFtZTpwYXNzd29yZA==
user-agent: Python-httplib2/0.7.2 (gzip)
HTTP/1.0 301 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://69.60.119.186/?test=5&step=3
::: Request/response 3
GET /?test=5&step=3 HTTP/1.1
Host: 69.60.119.186
accept-encoding: gzip, deflate
authorization: Basic bmFtZTpwYXNzd29yZA== <--- should not be here
user-agent: Python-httplib2/0.7.2 (gzip)
HTTP/1.0 303 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://uth.heinen.ws/?test=5&step=4
Hope this clarifies the issue. Feel free to ping me for more information or
additional testing.
Niels
Original issue reported on code.google.com by niels.he...@gmail.com
on 15 Mar 2012 at 1:50
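The "possible fix" above, worked through as an added example (not httplib2's code and not the reporter's script): credentials are stored per host, and on every redirect the inherited Authorization header is dropped and re-added only if the target host has credentials of its own. The redirect chain is constructed offline from the dump (after the 401 round-trip, so the first hop already carries credentials); `walk_redirects` and the helper names are hypothetical, and the hostnames and the name/password pair are the ones in the report.

```python
import base64
from urllib.parse import urljoin, urlparse


def authorization_for(url, creds):
    """Basic Authorization value for url's host, or None when no credentials
    are registered for that host (creds: {host: (name, password)})."""
    entry = creds.get((urlparse(url).hostname or "").lower())
    if entry is None:
        return None
    token = base64.b64encode(f"{entry[0]}:{entry[1]}".encode()).decode()
    return f"Basic {token}"


def headers_for_redirect(current_url, location, headers, creds):
    """Headers for the next hop: drop any Authorization header inherited from
    the previous request, then add one only if the target host has credentials."""
    target = urljoin(current_url, location)
    nxt = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    auth = authorization_for(target, creds)
    if auth is not None:
        nxt["authorization"] = auth
    return target, nxt


def walk_redirects(start_url, chain, creds):
    """Follow a redirect chain offline. `chain` maps a request URL to the
    Location header of its (constructed) response. Returns, per hop, the URL
    requested and whether an Authorization header would have gone with it."""
    headers = {"user-agent": "example/0.1"}
    auth = authorization_for(start_url, creds)
    if auth is not None:
        headers["authorization"] = auth
    url, trace = start_url, [(start_url, "authorization" in headers)]
    while url in chain:
        url, headers = headers_for_redirect(url, chain[url], headers, creds)
        trace.append((url, "authorization" in headers))
    return trace


# Constructed chain mirroring the dump: on-domain -> off-domain IP -> back.
CHAIN = {
    "http://uth.heinen.ws/?test=5&aa": "http://69.60.119.186/?test=5&step=3",
    "http://69.60.119.186/?test=5&step=3": "http://uth.heinen.ws/?test=5&step=4",
}
CREDS = {"uth.heinen.ws": ("name", "password")}  # same values as the report

if __name__ == "__main__":
    for url, sent in walk_redirects("http://uth.heinen.ws/?test=5&aa", CHAIN, CREDS):
        print(f"{'auth' if sent else 'no auth':8} {url}")
```

Run against the constructed chain, the middle hop to 69.60.119.186 goes out without an Authorization header, which is exactly the request marked "should not be here" in the dump.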
GoogleCodeExporter commented
Fixed in
http://code.google.com/p/httplib2/source/detail?r=f1e76fdb38ed4b9702b8b3ffadd3f4e2fb371b9d
Original comment by joe.gregorio@gmail.com
on 28 Aug 2012 at 4:22
- Changed state: Fixed