On 6/3/25 13:09, Alan Coopersmith wrote:
> [I'm not sure how the attacker is supposed to get the victim to make a
> requests call using a URL the attacker controls, but that didn't stop
> them from getting a CVE issued for this. -alan- ]
Suppose that a server (like a web scraper) receives URLs that are attacker-controlled, validates that they point to the expected domain name, and then fetches them. In this case, Requests will send credentials for a domain name that is *not* the one that it is supposed to send them for, which is clearly a vulnerability. It's definitely better to reconstruct the URL from scheme, authority, path, and query before sending the request, but I am almost certain there are servers in the wild that do not do this.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
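The defensive approach the reply recommends, rebuilding the URL from its validated scheme, authority, path and query before the HTTP client ever sees it, as an added Python example. This is not code from either participant and says nothing about Requests' own URL handling; the allowlist, the `canonical_url` and `allowed_target` names and the sample URLs are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example; a real scraper would load its own.
ALLOWED_HOSTS = frozenset({"scraper-target.example"})


class RejectedURL(ValueError):
    """Raised when an attacker-supplied URL fails validation."""


def canonical_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Validate `url` and rebuild it from scheme, authority, path and query.

    The rebuilt string contains exactly the host that was checked against the
    allowlist, so the HTTP client cannot end up talking to (or sending
    credentials for) a host the validation step never saw. Userinfo
    (`user:pass@`) and the fragment are dropped on purpose.
    """
    parts = urlsplit(url)

    if parts.scheme not in ("http", "https"):
        raise RejectedURL(f"unsupported scheme: {parts.scheme!r}")

    host = parts.hostname  # lowercased by urlsplit; IPv6 brackets stripped
    if not host:
        raise RejectedURL("URL has no host")
    if host not in allowed_hosts:
        raise RejectedURL(f"host not on allowlist: {host!r}")

    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise RejectedURL(f"bad port in {parts.netloc!r}") from exc

    # Re-bracket IPv6 literals, which urlsplit().hostname returns bare.
    authority = f"[{host}]" if ":" in host else host
    if port is not None:
        authority = f"{authority}:{port}"

    path = parts.path or "/"
    return urlunsplit((parts.scheme, authority, path, parts.query, ""))


def allowed_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Convenience wrapper: the canonical URL, or None if it was rejected."""
    try:
        return canonical_url(url, allowed_hosts)
    except RejectedURL:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: the first two are accepted, the rest rejected.
    for candidate in (
        "https://scraper-target.example/page?q=1#section",
        "HTTPS://user:secret@Scraper-Target.example:8443/p",
        "https://evil.example/",
        "file:///etc/passwd",
        "https://scraper-target.example:notaport/",
    ):
        print(f"{candidate!r} -> {allowed_target(candidate)!r}")
```

The reason to rebuild rather than pass the original string through is that the string handed to the HTTP client then contains only the host the allowlist check actually saw; whatever the client's own parser would have made of odd input, it has nothing else to work with.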