Authorization Header Leakage in scrapy/scrapy on Scheme Change Redirects

In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.

N/A

信息暴露

scrapy 信息泄露漏洞

Scrapy是一个用Python编写的自由且开源的网络爬虫框架。 scrapy存在信息泄露漏洞，该漏洞源于授权标头可能会无意中以明文形式暴露，从而导致潜在的敏感信息泄露。

N/A

N/A