
Use hostname for netrc instead of splitting netloc

Open danigm opened this issue 7 months ago • 2 comments

This patch uses the "hostname" attribute from the parsed URL to get the host, instead of trying to calculate the host from netloc, which can produce errors when the "http://username:[email protected]" format is used.

This should fix the security issue reported here: CVE-2024-47081: Netrc credential leak in PSF requests library

danigm avatar Jun 04 '25 10:06 danigm
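The host-extraction difference the PR description is about, as an added example that is not code from the requests project or from this PR: a hand-rolled split of `netloc` on `:` returns the userinfo part when the URL carries `user:pass@`, so a netrc lookup keyed on that value matches the wrong machine entry (or none), whereas `urlparse(...).hostname` already strips userinfo, the port and IPv6 brackets. The `NETRC` dictionary, the function names and the URLs are constructed for this illustration.

```python
"""Added example (not requests' own code): why a netrc lookup should key on
urlparse(url).hostname rather than on a hand-split netloc.
NETRC, the URLs and the function names below are constructed for illustration."""
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for a ~/.netrc file: machine name -> (login, password).
NETRC = {
    "example.com": ("alice", "s3cret"),
}


def host_from_netloc_split(url: str) -> str:
    """Fragile approach: take netloc and cut at the first ':' to drop the port.
    When userinfo is present ("user:pass@host"), the first element is the
    username, not the host, so the netrc machine lookup is keyed wrongly."""
    netloc = urlparse(url).netloc
    return netloc.split(":")[0]


def host_from_hostname(url: str) -> Optional[str]:
    """Robust approach (what the PR switches to): urlparse().hostname strips
    userinfo, port and IPv6 brackets and lowercases the result."""
    return urlparse(url).hostname


def netrc_lookup(url: str, host_fn: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Return the (login, password) pair for the host that host_fn reports,
    or None when that host has no netrc entry."""
    host = host_fn(url)
    if not host:
        return None
    return NETRC.get(host)


if __name__ == "__main__":
    url = "http://alice:pw@example.com/api"
    print("split netloc ->", host_from_netloc_split(url))   # 'alice'
    print("hostname     ->", host_from_hostname(url))       # 'example.com'
    print("lookup via hostname:", netrc_lookup(url, host_from_hostname))
```

Note that `hostname` also normalises case and IPv6 literals, which matters because netrc `machine` names are compared as plain strings; the naive split returns `EXAMPLE.com` or `[::1]` unchanged and would miss a matching entry.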

@danigm Thanks! The new test is failing on Windows, can you take a peek?

sethmlarson avatar Jun 04 '25 13:06 sethmlarson

Can you please rebase as well?

sigmavirus24 avatar Jun 04 '25 15:06 sigmavirus24

I've fixed the Windows failure and rebased, so now this patch just adds a new test for netrc, because the code fix was added in a different PR: https://github.com/psf/requests/pull/6965

danigm avatar Jun 05 '25 06:06 danigm

An example of this vulnerability is available with this intentionally exploitable site, as documented here: https://www.openwall.com/lists/oss-security/2025/06/03/11

Daviey avatar Jun 05 '25 11:06 Daviey