
SECURITY: Requests module leaks passwords & usernames for HTTP Basic Auth #839

Open
jonfoster opened this issue Apr 1, 2024 · 1 comment

Comments

@jonfoster
Contributor

jonfoster commented Apr 1, 2024

While looking at the MicroPython requests module (on the git HEAD), I noticed this:

If you make a request with HTTP basic auth (a username/password) and do not specify a headers dict, then I believe the username and password would be added to the default headers to be used for every subsequent HTTP request, even if that request is to a completely different server, which you don't trust with your username and password. That's probably not a good idea.

I haven't verified this, it's just from reading the code, but someone should probably look into it.

This is because there is headers={} in the function prototype, specifying a default for the headers parameter. But (at least in cPython) that same dictionary will get reused for every call that doesn't explicitly specify a headers parameter. So if the function changes the headers dictionary - such as by adding an Authorization header - that change will be there for every future call of the function. This is a known dangerous part of the Python language; you're not the first to write this kind of bug.

To fix this, you could keep the auth headers separate from the headers variable. Something like this (totally untested!) commit: jonfoster@92e9b22 - feel free to use that as a starting point.

@jonfoster jonfoster changed the title SECURITY: Requests module HTTPS - leaks HTTP Basic Auth passwords & usernames SECURITY: Requests module leaks HTTP Basic Auth passwords & usernames Apr 1, 2024
@jonfoster jonfoster changed the title SECURITY: Requests module leaks HTTP Basic Auth passwords & usernames SECURITY: Requests module leaks passwords & usernames for HTTP Basic Auth Apr 1, 2024
@Gadgetoid

Gadgetoid commented Jun 10, 2024

The MicroPython way aiui would be to mirror CPython's solution to this problem, which uses a None default value and then sets it to an empty dict at runtime:

https://github.com/psf/requests/blob/0e322af87745eff34caffe4df68456ebc20d9068/src/requests/models.py#L258-L276

And I see this is exactly what #823 does. That'll teach me not to look at PRs first 😆
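The shared-default bug described in this thread and the `None`-default fix Gadgetoid points to, side by side as an added example (not code from the MicroPython requests module or from either commenter; the function names, URLs and credentials below are constructed for illustration):

```python
import base64


def basic_auth_value(username, password):
    """Build the value of an HTTP Basic Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def leaky_request(url, auth=None, headers={}):
    """Models the reported bug: the default {} is created once at function
    definition time and shared by every call that omits `headers`, so any
    mutation (such as adding Authorization) survives into later calls."""
    if auth is not None:
        headers["Authorization"] = basic_auth_value(*auth)
    # The real module would serialise these onto the wire; here we return
    # a copy of what would have been sent to `url`.
    return dict(headers)


def safe_request(url, auth=None, headers=None):
    """The CPython-requests style fix: default to None, build a fresh dict
    per call, and leave the caller's dict untouched."""
    headers = dict(headers) if headers is not None else {}
    if auth is not None:
        headers["Authorization"] = basic_auth_value(*auth)
    return headers


def demonstrate():
    """Return (leaked, fixed): whether credentials sent to host A reappear
    on a later, auth-less request to an unrelated host B."""
    leaky_request("https://a.example/login", auth=("alice", "s3cret"))
    leaked = "Authorization" in leaky_request("https://b.example/")
    safe_request("https://a.example/login", auth=("alice", "s3cret"))
    fixed = "Authorization" in safe_request("https://b.example/")
    return leaked, fixed


if __name__ == "__main__":
    leaked, fixed = demonstrate()
    print("headers={}   leaks credentials to the next call:", leaked)
    print("headers=None leaks credentials to the next call:", fixed)
```

A static checker such as pylint (`dangerous-default-value`) or ruff (rule B006) flags the `headers={}` signature, which is the cheapest way to keep this class of bug out of a code base.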
