Описание
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows:
However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects:
However, the retries parameter is currently ignored, which means all the above examples don't disable redirects.
Affected usages
Passing retries on PoolManager instantiation to disable redirects or restrict their number.
By default, requests and botocore users are not affected.
Impact
Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.
Remediation
You can remediate this vulnerability with the following steps:
- Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact sethmichaellarson@gmail.com to discuss sponsorship or contribution opportunities.
- Disable redirects at the
request()level instead of thePoolManager()level.
Пакеты
urllib3
< 2.5.0
2.5.0
Связанные уязвимости
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
urllib3 is a user-friendly HTTP client library for Python. Prior to 2. ...