From 5221e209a3c46036b6453fb8b315bf48fe340d8c Mon Sep 17 00:00:00 2001 From: Richard Weickelt Date: Wed, 11 Dec 2024 22:04:43 +0100 Subject: [PATCH] requests: Do not leak header modifications when calling request. The requests() function takes a headers dict argument (call-by-reference). This object is then modified in the function. For instance the host is added and authentication information. Such behavior is not expected. It is also problematic: - Modifications of the header dictionary will be visible on the caller site. - When reusing the same (supposedly read-only) headers object for differenct calls, the second call will apparently re-use wrong headers from the previous call and may fail. This patch should also fix #839. Signed-off-by: Richard Weickelt --- python-ecosys/requests/requests/__init__.py | 2 ++ python-ecosys/requests/test_requests.py | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/python-ecosys/requests/requests/__init__.py b/python-ecosys/requests/requests/__init__.py index a9a183619..ac39efaad 100644 --- a/python-ecosys/requests/requests/__init__.py +++ b/python-ecosys/requests/requests/__init__.py @@ -46,6 +46,8 @@ def request( ): if headers is None: headers = {} + else: + headers = dict(headers) redirect = None # redirection url, None means no redirection chunked_data = data and getattr(data, "__next__", None) and not getattr(data, "__len__", None) diff --git a/python-ecosys/requests/test_requests.py b/python-ecosys/requests/test_requests.py index 513e533a3..56a5387e6 100644 --- a/python-ecosys/requests/test_requests.py +++ b/python-ecosys/requests/test_requests.py 
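Review bot: In requests/__init__.py the new `headers = dict(headers)` carries no comment explaining why the copy is made, and the reason is security-relevant. Per the commit message the function writes the host and authentication information into this dict, so without the copy a credential header added for one call could be resent when the caller reuses the same dict for a different host. I would add `# Copy: Host/auth headers are added below and must not leak into the caller's dict.` next to the copy, or fold the branch into `headers = {} if headers is None else dict(headers)`. The body of request() continues outside the hunk; because a `redirect` URL is tracked there, it is worth confirming separately whether the redirect path hands this local copy, with any auth header already added, on to the next host.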
@@ -70,6 +70,12 @@ def test_get_custom_header(): + b"Connection: close\r\n\r\n" ), format_message(response) +def test_do_not_modify_headers_argument(): + original_headers = {} + headers = dict(original_headers) + requests.request("GET", "http://example.com", headers=original_headers) + + assert headers == original_headers def test_post_json(): response = requests.request("GET", "http://example.com", json="test") @@ -148,6 +154,7 @@ def chunks(): test_simple_get() test_get_auth() test_get_custom_header() +test_do_not_modify_headers_argument() test_post_json() test_post_chunked_data() test_overwrite_get_headers()
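Review bot: test_do_not_modify_headers_argument passes an empty dict and no credentials, so it does not exercise the authentication case the commit message names. The two names are also swapped relative to what they hold: `headers` is the snapshot and `original_headers` is the object handed to request(). A stronger regression test would start from a non-empty dict such as `original_headers = {"Test-Header": "value"}`, supply credentials the way test_get_auth presumably does, and compare against a snapshot taken before the call, `assert original_headers == snapshot`. Reusing the same dict for a second call to another host and checking the formatted request, as the neighbouring tests do, would also pin the second problem the description lists.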