Merge pull request #779 from AnswerDotAI/erikgaas/safe_redirect

jph00 · web-flow · commit 7dbe2db56661 · 2026-02-27T16:04:01.000+10:00
Strip Authorization header on cross-origin redirects
diff --git a/fastcore/_modidx.py b/fastcore/_modidx.py
@@ -487,6 +487,9 @@
             'fastcore.net': { 'fastcore.net.HTTP4xxClientError': ('net.html#http4xxclienterror', 'fastcore/net.py'),
                               'fastcore.net.HTTP5xxServerError': ('net.html#http5xxservererror', 'fastcore/net.py'),
                               'fastcore.net.Request.summary': ('net.html#request.summary', 'fastcore/net.py'),
+                              'fastcore.net._SafeRedirectHandler': ('net.html#_saferedirecthandler', 'fastcore/net.py'),
+                              'fastcore.net._SafeRedirectHandler.redirect_request': ( 'net.html#_saferedirecthandler.redirect_request',
+                                                                                      'fastcore/net.py'),
                               'fastcore.net._socket_det': ('net.html#_socket_det', 'fastcore/net.py'),
                               'fastcore.net.do_request': ('net.html#do_request', 'fastcore/net.py'),
                               'fastcore.net.http_response': ('net.html#http_response', 'fastcore/net.py'),
diff --git a/fastcore/net.py b/fastcore/net.py
@@ -74,8 +74,15 @@ class HTTP5xxServerError(HTTPError):
     pass
 
 # %% ../nbs/03b_net.ipynb #128b5f4a
+class _SafeRedirectHandler(urllib.request.HTTPRedirectHandler):
+    def redirect_request(self, req, fp, code, msg, headers, newurl):
+        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
+        if new_req and urlparse(newurl).netloc != urlparse(req.full_url).netloc:
+            new_req.remove_header('Authorization')
+        return new_req
+
 def urlopener():
-    _opener = urllib.request.build_opener()
+    _opener = urllib.request.build_opener(_SafeRedirectHandler)
     _opener.addheaders = list(url_default_headers.items())
     return _opener
 
diff --git a/nbs/03b_net.ipynb b/nbs/03b_net.ipynb
@@ -270,8 +270,15 @@
    "outputs": [],
    "source": [
     "#| export\n",
+    "class _SafeRedirectHandler(urllib.request.HTTPRedirectHandler):\n",
+    "    def redirect_request(self, req, fp, code, msg, headers, newurl):\n",
+    "        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)\n",
+    "        if new_req and urlparse(newurl).netloc != urlparse(req.full_url).netloc:\n",
+    "            new_req.remove_header('Authorization')\n",
+    "        return new_req\n",
+    "\n",
     "def urlopener():\n",
-    "    _opener = urllib.request.build_opener()\n",
+    "    _opener = urllib.request.build_opener(_SafeRedirectHandler)\n",
     "    _opener.addheaders = list(url_default_headers.items())\n",
     "    return _opener"
    ]
