File urllib3-remove-authorization-header-when-redirecting-cross-host.patch of Package python-urllib3

diff --git a/test/test_retry.py b/test/test_retry.py
index 1e87585..bc2393b 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -211,3 +211,13 @@ class RetryTest(unittest.TestCase):
         except MaxRetryError as e:
             assert 'Caused by redirect' not in str(e)
             self.assertEqual(str(e.reason), 'conntimeout')
+
+    def test_retry_default_remove_headers_on_redirect(self):
+        retry = Retry()
+
+        assert list(retry.remove_headers_on_redirect) == ['Authorization']
+
+    def test_retry_set_remove_headers_on_redirect(self):
+        retry = Retry(remove_headers_on_redirect=['X-API-Secret'])
+
+        assert list(retry.remove_headers_on_redirect) == ['X-API-Secret']
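Review bot: Neither added test exercises the behaviour the patch introduces — that a redirect to a different host drops the Authorization header while a same-host redirect keeps it; both tests only inspect the attribute on a fresh Retry, so the poolmanager logic is untested here. The `list(...)` comparisons also depend on the container holding exactly one element, because a frozenset has no defined order; `assert set(retry.remove_headers_on_redirect) == {'Authorization'}` keeps working if the default list grows. RetryTest continues outside the hunk.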
diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py
index 0f31fa0..05a5f64 100644
--- a/test/with_dummyserver/test_connectionpool.py
+++ b/test/with_dummyserver/test_connectionpool.py
@@ -14,7 +14,6 @@ except:
     from urllib import urlencode
 
 from .. import (
-    requires_network, onlyPy3, onlyPy26OrOlder,
     TARPIT_HOST, VALID_SOURCE_ADDRESSES, INVALID_SOURCE_ADDRESSES,
 )
 from ..port_helpers import find_unused_port
diff --git a/urllib3/connectionpool.py b/urllib3/connectionpool.py
index ab634cb..3c3c4af 100644
--- a/urllib3/connectionpool.py
+++ b/urllib3/connectionpool.py
@@ -683,7 +683,7 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
                     raise
                 return response
 
-            log.info("Redirecting %s -> %s", url, redirect_location)
+            log.debug("Redirecting %s -> %s", url, redirect_location)
             return self.urlopen(
                 method, redirect_location, body, headers,
                 retries=retries, redirect=redirect,
diff --git a/urllib3/poolmanager.py b/urllib3/poolmanager.py
index 7ed00b1..48ca1dd 100644
--- a/urllib3/poolmanager.py
+++ b/urllib3/poolmanager.py
@@ -239,8 +239,9 @@ class PoolManager(RequestMethods):
 
         kw['assert_same_host'] = False
         kw['redirect'] = False
+
         if 'headers' not in kw:
-            kw['headers'] = self.headers
+            kw['headers'] = self.headers.copy()
 
         if self.proxy is not None and u.scheme == "http":
             response = conn.urlopen(method, url, **kw)
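Review bot: The `.copy()` only protects `self.headers`; when the caller supplied its own headers mapping, `kw['headers']` is still that object, and the `pop` added in the next hunk (the remove_headers_on_redirect block before `retries.increment`) mutates it, so a caller reusing one headers dict across requests silently loses its Authorization header after the first cross-host redirect. Copying at the point of removal instead of here covers both sources: `kw['headers'] = kw['headers'].copy()` immediately before the pop loop, assuming the container supports copy() as this hunk already relies on for self.headers. urlopen begins before this hunk.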
@@ -262,6 +263,14 @@ class PoolManager(RequestMethods):
         if not isinstance(retries, Retry):
             retries = Retry.from_int(retries, redirect=redirect)
 
+        # Strip headers marked as unsafe to forward to the redirected location.
+        # Check remove_headers_on_redirect to avoid a potential network call within
+        # conn.is_same_host() which may use socket.gethostbyname() in the future.
+        if (retries.remove_headers_on_redirect
+                and not conn.is_same_host(redirect_location)):
+            for header in retries.remove_headers_on_redirect:
+                kw['headers'].pop(header, None)
+
         try:
             retries = retries.increment(method, url, response=response, _pool=conn)
         except MaxRetryError:
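Review bot: `kw['headers'].pop(header, None)` matches header names exactly, so a request sent with `authorization: ...` (or any other casing) keeps its credentials across the cross-host redirect even though HTTP header names are case-insensitive; a plain dict from the caller does no case folding, and nothing on the page shows the headers container being case-insensitive. Folding both sides before comparing closes the gap while leaving `remove_headers_on_redirect` and the default frozenset as they are. urlopen starts and ends outside this hunk.
```python
        if (retries.remove_headers_on_redirect
                and not conn.is_same_host(redirect_location)):
            # HTTP header names are case-insensitive: fold both sides before
            # comparing so 'authorization' is dropped as well as 'Authorization'.
            to_remove = set(h.lower() for h in retries.remove_headers_on_redirect)
            for name in list(kw['headers']):
                if name.lower() in to_remove:
                    del kw['headers'][name]
        # … unchanged: retries.increment / MaxRetryError handling …
```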
diff --git a/urllib3/util/retry.py b/urllib3/util/retry.py
index d379833..46e6949 100644
--- a/urllib3/util/retry.py
+++ b/urllib3/util/retry.py
@@ -113,18 +113,26 @@ class Retry(object):
         whether we should raise an exception, or return a response,
         if status falls in ``status_forcelist`` range and retries have
         been exhausted.
+
+    :param iterable remove_headers_on_redirect:
+        Sequence of headers to remove from the request when a response
+        indicating a redirect is returned before firing off the redirected
+        request.
     """
 
     DEFAULT_METHOD_WHITELIST = frozenset([
         'HEAD', 'GET', 'PUT', 'DELETE', 'OPTIONS', 'TRACE'])
 
+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
+
     #: Maximum backoff time.
     BACKOFF_MAX = 120
 
     def __init__(self, total=10, connect=None, read=None, redirect=None,
                  method_whitelist=DEFAULT_METHOD_WHITELIST, status_forcelist=None,
                  backoff_factor=0, raise_on_redirect=True, raise_on_status=True,
-                 _observed_errors=0):
+                 _observed_errors=0,
+                 remove_headers_on_redirect=DEFAULT_REDIRECT_HEADERS_BLACKLIST):
 
         self.total = total
         self.connect = connect
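Review bot: The new `:param iterable remove_headers_on_redirect:` entry does not say when the removal happens; the poolmanager change applies it only when the redirect target is a different host, which is the whole point of the patch and what a user deciding whether to rely on the default needs to know. Suggested wording: `Sequence of header names to remove from the request before following a redirect to a different host.` The new class attribute also lacks the `#:` comment the neighbouring `BACKOFF_MAX` carries, e.g. `#: Headers dropped by default before following a cross-host redirect.` above `DEFAULT_REDIRECT_HEADERS_BLACKLIST`. __init__ continues in the next hunk.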
@@ -141,6 +149,7 @@ class Retry(object):
         self.raise_on_redirect = raise_on_redirect
         self.raise_on_status = raise_on_status
         self._observed_errors = _observed_errors  # TODO: use .history instead?
+        self.remove_headers_on_redirect = remove_headers_on_redirect
 
     def new(self, **kw):
         params = dict(
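Review bot: `self.remove_headers_on_redirect` stores whatever iterable the caller passed, so a list stays mutable and shared with the caller, and a one-shot iterator would be exhausted by the first redirect that consults it in poolmanager, while the default is already a frozenset. Normalising on assignment keeps the attribute's type stable: `self.remove_headers_on_redirect = frozenset(remove_headers_on_redirect)`. Both new tests still pass, since they compare single-element containers, and `new()` in the following hunk forwards the frozenset unchanged. __init__ starts in the previous hunk.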
@@ -152,6 +161,7 @@ class Retry(object):
             raise_on_redirect=self.raise_on_redirect,
             raise_on_status=self.raise_on_status,
             _observed_errors=self._observed_errors,
+            remove_headers_on_redirect=self.remove_headers_on_redirect
         )
         params.update(kw)
         return type(self)(**params)