Skip to content

v2.31.0
Compare
Choose a tag to compare
@nateprewitt nateprewitt released this 22 May 15:26
· 165 commits to main since this release
v2.31.0
This tag was signed with the committer’s verified signature.
nateprewitt Nate Prewitt
GPG key ID: 44D3FF97B80DC864
Learn about vigilant mode.
147c851
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
    forwarding of Proxy-Authorization headers to destination servers when
    following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests
    will construct a Proxy-Authorization header that is attached to the request to
    authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached
    the Proxy-Authorization header incorrectly, resulting in the value being
    sent through the tunneled connection to the destination server. Users who rely on
    defining their proxy credentials in the URL are strongly encouraged to upgrade
    to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
    credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through
    the user information portion of their proxy URL are not subject to this
    vulnerability.

    Full details can be read in our Github Security Advisory
    and CVE-2023-32681.

Assets 4
Loading