python · aiohttp
Heads-up
aiohttp DigestAuthMiddleware leaks credentials on cross-origin redirect
What changed
DigestAuthMiddleware can send an authentication response after following a cross-origin redirect: the digest Authorization header computed for the original host is re-sent to the redirect target even when that target is a different origin, potentially leaking the authentication digest to an attacker-controlled domain.
Who it affects
Users of aiohttp who use DigestAuthMiddleware with the default follow_redirects=True.
What to do today
Disable follow_redirects in DigestAuthMiddleware, or apply the patch from commit 38d16060037e1bfcd6d677abababa3c2a4bb58fa.