From 510c11af20bf3a651b2dd88ce1e80c6514100983 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Thu, 21 Jan 2016 15:36:48 +0100
Subject: [PATCH] backport PR#1892 for bnc#897658 CVE-2014-1830
https://github.com/kennethreitz/requests/pull/1892
If site A redirects to site B, and user had a password for site A in
their ~/.netrc, then requests would send authorization information both
to site A and to site B.
---
requests/sessions.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/requests/sessions.py b/requests/sessions.py
index f4aeeee..3f95080 100644
--- a/requests/sessions.py
+++ b/requests/sessions.py
@@ -134,6 +134,21 @@ class SessionRedirectMixin(object):
prepared_request.prepare_cookies(self.cookies)
+ # If we get redirected to a new host, we should strip out any
+ # authentication headers.
+ original_parsed = urlparse(resp.request.url)
+ redirect_parsed = urlparse(url)
+
+ if (original_parsed.hostname != redirect_parsed.hostname and
+ 'Authorization' in headers):
+ del headers['Authorization']
+
+ # However, .netrc might have more auth for us. Let's get it if it
+ # does.
+ new_auth = get_netrc_auth(url) if self.trust_env else None
+ if new_auth is not None:
+ prepared_request.prepare_auth(new_auth)
+
resp = self.send(
prepared_request,
stream=stream,
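Review bot: The guard at the `if (original_parsed.hostname != redirect_parsed.hostname and` line strips `Authorization` only when the host changes, so a redirect from `https://` to `http://` on the same host still forwards the credential over plaintext, which is the same class of leak the commit is closing. I would extend the condition to also cover a scheme downgrade: `changed_host = original_parsed.hostname != redirect_parsed.hostname` / `downgraded = original_parsed.scheme == 'https' and redirect_parsed.scheme != 'https'` / `if (changed_host or downgraded) and 'Authorization' in headers:`. A comment on the netrc block such as `# Re-resolve netrc credentials for the redirect target so a stripped header is replaced only by auth meant for that host` would make the intent of the unconditional lookup clearer. The enclosing method (presumably the redirect resolver of `SessionRedirectMixin`) starts and ends outside the hunk, so the binding of `headers` and whether `urlparse` and `get_netrc_auth` are already imported in this version of `sessions.py` should be confirmed before merging the backport.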
--
2.6.2