[issue33661] urllib may leak sensitive HTTP headers to a third-party web site
Katsuhiko YOSHIDA added the comment:

Hi, I agree with this suggestion.

First, section 6.4 "Redirection 3xx" of RFC 7231 doesn't explicitly explain whether to send all headers (including Authorization). I have confirmed that some third-party libraries, tools, programming languages and web browsers do NOT forward the Authorization header on redirect.

- urllib3 (after 1.23, PR: https://github.com/urllib3/urllib3/pull/1346)
- curl (after 7.58.0, ref: https://curl.haxx.se/docs/CVE-2018-107.html)
- net/http package of Golang (ref: https://github.com/golang/go/blob/release-branch.go1.11/src/net/http/client.go#L41-L46)
- Safari Version 12.0.2 (13606.3.4.1.4)
- Google Chrome Version 71.0.3578.98 (Official Build) (64-bit)

In other words, these are on the safe side.

Actually, HTTPBasicAuthHandler of urllib2 doesn't forward the Authorization header on redirect. If this suggestion is rejected, I think that it should be changed.

--
keywords: +patch
nosy: +kyoshidajp
pull_requests: +10522
stage: -> patch review

___
Python tracker <https://bugs.python.org/issue33661>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue33661] urllib may leak sensitive HTTP headers to a third-party web site
Katsuhiko YOSHIDA added the comment:

Thanks. But I think "add_unredirected_header" is not enough. These sensitive headers should be removed only when automatically redirecting cross-site, for security, like HTTPBasicAuthHandler of urllib2 does. In order to fulfill this requirement, I think the operation should be in HTTPRedirectHandler.redirect_request.

--
[issue33661] urllib may leak sensitive HTTP headers to a third-party web site
Katsuhiko YOSHIDA added the comment:

According to RFC 7235 (https://tools.ietf.org/html/rfc7235#section-4.1), the WWW-Authenticate header is sent from server to client, and it does not carry credential data. Also, the Cookie2 header is already obsoleted by RFC 6265 (https://tools.ietf.org/html/rfc6265). So, I think that both "Authorization" and "Cookie" are enough.

--
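The behaviour the three comments above propose (drop Authorization and Cookie inside HTTPRedirectHandler.redirect_request, but only when the redirect leaves the original site), written out as an added example in Python 3's urllib. This is not CPython's patch; the class and function names, the constant, and the definition of "cross-site" as a change of scheme, host or port are assumptions of this example.

```python
# Added example (not CPython's own patch): a urllib redirect handler that
# strips credential-bearing headers when an automatic redirect leaves the
# origin of the original request, as proposed in the comments above.
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# The two headers the discussion settles on; the constant name is ours.
SENSITIVE_HEADERS = ("Authorization", "Cookie")


def origin(url):
    """(scheme, host, port) of a URL; port is None when not given explicitly."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def is_cross_site(old_url, new_url):
    """Assumption: 'cross-site' means the (scheme, host, port) origin changes."""
    return origin(old_url) != origin(new_url)


class StrippingRedirectHandler(HTTPRedirectHandler):
    """HTTPRedirectHandler whose redirect_request drops the sensitive headers
    whenever the Location target is on a different origin; same-origin
    redirects keep them, so Basic auth against one host keeps working."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Let the stock implementation decide whether the redirect is allowed
        # and build the follow-up Request (it copies req.headers over).
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is not None and is_cross_site(req.full_url, newurl):
            for name in SENSITIVE_HEADERS:
                # Request.remove_header is a no-op when the header is absent.
                new_req.remove_header(name)
        return new_req


def make_opener():
    """Opener wired with the stripping handler; build_opener swaps out the
    default HTTPRedirectHandler because a subclass of it is supplied."""
    return build_opener(StrippingRedirectHandler)
```

Calling `redirect_request` directly with a constructed Request and a Location of your choosing shows the stripping without any network access.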
[issue32083] sqlite3 Cursor.description can't return column types
New submission from Katsuhiko YOSHIDA:

My schema of the sqlite3 table is the following.

--- schema check start ---
% sqlite3 sample.db
SQLite version 3.16.0 2016-11-04 19:09:39
Enter ".help" for usage hints.
sqlite> PRAGMA table_info(Employees);
0|EmployeeID|int|1||1
1|LastName|varchar(20)|1||0
2|FirstName|varchar(10)|1||0
(omitting)
sqlite>
--- schema check end ---

Then, I tried to output column types by calling Cursor.description, like this.

--- sample code start ---
import sqlite3

con = sqlite3.connect("sample.db", detect_types=sqlite3.PARSE_DECLTYPES)
cursor = con.cursor()
cursor.execute("select LastName, FirstName from Employees limit 1;")
# one 7-tuple per column; only the first element (the name) is filled in
print(cursor.description)
cursor.close()
con.close()
--- sample code end ---

The output is the following.

(('LastName', None, None, None, None, None, None), ('FirstName', None, None, None, None, None, None))

When changing the detect_types parameter to detect_types=sqlite3.PARSE_DECLTYPES|sqlite3.PARSE_COLNAMES the result is the same. I expect a column type to be output in the second element. Could you tell me why?

--
components: Library (Lib)
messages: 306539
nosy: kyoshidajp
priority: normal
severity: normal
status: open
title: sqlite3 Cursor.description can't return column types
type: behavior
versions: Python 2.7, Python 3.6

___
Python tracker <https://bugs.python.org/issue32083>
___