Fixes a bug introduced in 2.20.0 with unintended Authorization header
stripping for redirects using default ports (http/80, https/443).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 745132abc0)
[Peter: mention fix from 2.20.0]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-18074: The Requests package before 2.20.0 for Python sends an
HTTP Authorization header to an http URI upon receiving a same-hostname
https-to-http redirect, which makes it easier for remote attackers to
discover credentials by sniffing the network.
LICENSE update: replaced http address with https.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 42bebd1e7c)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Requests need hashlib to run with Python 2. Otherwise it is not possible to
import, due to missing e.g. md5.
[Peter: tweak commit message]
Signed-off-by: Sven Haardiek <sven.haardiek@iotec-gmbh.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
