Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

requests: Do not leak header modifications when calling request. #947

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

requests: Do not leak header modifications when calling request. #947

wants to merge 1 commit into from

Conversation

rweickelt
Copy link

The requests() function takes a headers dict argument (call-by-reference). This object is then modified in the function. For instance the host is added and authentication information. Such behavior is not expected. It is also problematic:

  • Modifications of the header dictionary will be visible on the caller site.
  • When reusing the same (supposedly read-only) headers object for differenct calls, the second call will apparently re-use wrong headers from the previous call and may fail.

This patch should also fix #839. Unfortunately the copy operation does not preserve the key order and we have to touch the existing test cases.

@rweickelt
requests: Do not leak header modifications when calling request.
65a1411 
The requests() function takes a headers dict argument
(call-by-reference). This object is then modified in the function. For
instance the host is added and authentication information. Such behavior
is not expected. It is also problematic:

- Modifications of the header dictionary will be visible on the caller
  site.
- When reusing the same (supposedly read-only) headers object for
  differenct calls, the second call will apparently re-use wrong headers
  from the previous call and may fail.

This patch should also fix micropython#839. Unfortunately the copy operation does
not preserve the key order and we have to touch the existing test cases.

Signed-off-by: Richard Weickelt <[email protected]>
@rweickelt rweickelt marked this pull request as ready for review December 11, 2024 23:33
@projectgus projectgus self-requested a review January 7, 2025 00:23
projectgus
projectgus approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@projectgus projectgus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, thanks @rweickelt!

It looks like there's a slightly lower-resource-usage alternative where we don't add new entries to headers at all, but move all of those checks to when we're writing the response and write them all directly into the stream if they're not provided by the caller. But that approach would break up the flow of the function, and the improvement in memory usage would be very marginal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@projectgus projectgus projectgus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SECURITY: Requests module leaks passwords & usernames for HTTP Basic Auth
2 participants
@rweickelt @projectgus