You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While looking at the MicroPython requests module (on the git HEAD), I noticed this:
If you make a request with HTTP basic auth (a username/password) and did not specify a headers dict, then I believe the username and password would be added to the default headers to be used for every subsequent HTTP request. Even if that request is to a completely different server, which you don't trust with your username and password. That's probably not a good idea.
I haven't verified this, it's just from reading the code, but someone should probably look into it.
This is because there is headers={} in the function prototype, specifying a default for the headers parameter. But (at least in cPython) that same dictionary will get reused for every call that doesn't explicitly specify a headers parameter. So if the function changes the headers dictionary - such as by adding an Authorization header - that change will be there for every future call of the function. This is a known dangerous part of the Python language, you're not the first people to write this kind of bug.
To fix this, you could keep the auth headers separate from the headers variable. Something like this (totally untested!) commit: jonfoster@92e9b22 - feel free to use that as a starting point.
The text was updated successfully, but these errors were encountered:
The MicroPython way aiui would be to mirror CPython's solution to this problem, which uses a None default value and then sets it to an empty dict at runtime:
While looking at the MicroPython
requests
module (on the git HEAD), I noticed this:If you make a request with HTTP basic auth (a username/password) and did not specify a headers dict, then I believe the username and password would be added to the default headers to be used for every subsequent HTTP request. Even if that request is to a completely different server, which you don't trust with your username and password. That's probably not a good idea.
I haven't verified this, it's just from reading the code, but someone should probably look into it.
This is because there is
headers={}
in the function prototype, specifying a default for theheaders
parameter. But (at least in cPython) that same dictionary will get reused for every call that doesn't explicitly specify aheaders
parameter. So if the function changes theheaders
dictionary - such as by adding anAuthorization
header - that change will be there for every future call of the function. This is a known dangerous part of the Python language, you're not the first people to write this kind of bug.To fix this, you could keep the auth headers separate from the
headers
variable. Something like this (totally untested!) commit: jonfoster@92e9b22 - feel free to use that as a starting point.The text was updated successfully, but these errors were encountered: