GHSA-4qqq-9vqf-3h3f: Scrapy leaks the authorization header on same-domain but cross-origin redirects
Since version 2.11.1, Scrapy drops the Authorization
header when a request is redirected to a different domain. However, it keeps the header if the domain remains the same but the scheme (http/https) or the port change, all scenarios where the header should also be dropped.
In the context of a man-in-the-middle attack, this could be used to get access to the value of that Authorization
header
References
Detect and mitigate GHSA-4qqq-9vqf-3h3f with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →