treq is an HTTP library inspired by requests but written on top of Twisteds Agents. Treqs request methods (treq.get
, treq.post
, etc.) and treq.client.HTTPClient
constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to every domain (supercookies). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com
redirect to http://cloudstorageprovider.com
the latter will receive the cookie session
. Treq 2021.1.0 and later bind cookies given to request methods (treq.request
, treq.get
, HTTPClient.request
, HTTPClient.get
, etc.) to the origin of the url parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar
instance with properly domain- and scheme-scoped cookies in it.
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Treq | Twistedmatrix | 21.1.0 (including) | 22.1.0 (excluding) |