From: Can Sarıgöl
Date: Fri, 4 Oct 2019 09:33:18 +0000 (+0300)
Subject: Don't include username/password components in `Host` header (#417)
X-Git-Tag: 0.7.5~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd3fbcc8d744b1eeed8676ce29c31253caa6c4ac;p=thirdparty%2Fhttpx.git

Don't include username/password components in `Host` header (#417)

* removed auth and port from host of header
* used URL attribute rather _uri_reference
* reverted removing port into host
* reverted username and password from header
* applied new copy_with with username and password
---
diff --git a/httpx/models.py b/httpx/models.py
index 97820e0a..f70fdf44 100644
--- a/httpx/models.py
+++ b/httpx/models.py
@@ -136,6 +136,10 @@ class URL:
 def authority(self) -> str:
 return self._uri_reference.authority or ""
+ @property
+ def userinfo(self) -> str:
+ return self._uri_reference.userinfo or ""
+
 @property
 def username(self) -> str:
 userinfo = self._uri_reference.userinfo or ""
@@ -635,7 +639,10 @@ class BaseRequest:
 has_connection = "connection" in self.headers
 if not has_host:
- auto_headers.append((b"host", self.url.authority.encode("ascii")))
+ url = self.url
+ if url.userinfo:
+ url = url.copy_with(username=None, password=None)
+ auto_headers.append((b"host", url.authority.encode("ascii")))
 if not has_user_agent:
 auto_headers.append((b"user-agent", USER_AGENT.encode("ascii")))
 if not has_accept:
diff --git a/tests/client/test_headers.py b/tests/client/test_headers.py
index c5429a87..a8c5445b 100755
--- a/tests/client/test_headers.py
+++ b/tests/client/test_headers.py
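Review bot: The new `userinfo` property in `httpx/models.py` (hunk at `class URL`) has no docstring, although it returns the raw `user:password` component and therefore the credential in clear text. A docstring along the lines of `"""The raw userinfo component (``user:password``) of the URL, or "" if absent. Contains the password; do not log it or copy it into headers."""` would tell callers why it must be handled differently from `authority`-derived values. The `URL` class itself starts and ends outside the hunk.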
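Review bot: In the `BaseRequest` hunk of `httpx/models.py`, the `if url.userinfo:` guard strips credentials only when the parsed userinfo is truthy, while the property that has to hold is that the `Host` value contains no `@`. If the parser accepts an authority with an empty userinfo (for example `http://@example.org/`; whether it does is not visible here), the delimiter would still be sent. Testing the authority itself, `if "@" in url.authority:`, ties the guard to the actual requirement, assuming `copy_with(username=None, password=None)` also drops the delimiter in that case. A short comment such as `# Host must exclude userinfo and its "@" (RFC 7230 section 5.4); credentials travel in Authorization only` would record why the copy is made. The enclosing method begins and ends outside the hunk.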
@@ -131,3 +131,22 @@ def test_header_does_not_exist():
 headers = models.Headers({"foo": "bar"})
 with pytest.raises(KeyError):
 del headers["baz"]
+
+
+def test_host_without_auth_in_header():
+ url = "http://username:password@example.org:80/echo_headers"
+
+ with Client(dispatch=MockDispatch()) as client:
+ response = client.get(url)
+
+ assert response.status_code == 200
+ assert response.json() == {
+ "headers": {
+ "accept": "*/*",
+ "accept-encoding": "gzip, deflate, br",
+ "connection": "keep-alive",
+ "host": "example.org:80",
+ "user-agent": f"python-httpx/{__version__}",
+ "authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ=",
+ }
+ }
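Review bot: `test_host_without_auth_in_header` exercises only a URL with both username and password and an explicit port, so the username-only form (`http://username@example.org/echo_headers`) and the no-port form are not covered. Because the assertion compares the whole header dict, a regression would show up as a generic dict mismatch rather than as a credential leak. A targeted check placed before the dict comparison, `assert "@" not in response.json()["headers"]["host"]`, would state the security property directly. A one-line comment above the expected dict noting that the credentials are still delivered through `authorization` and must not appear in `host` would make the intent clear to later readers.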