PYSEC-2021-364

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/scrapy-splash/PYSEC-2021-364.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2021-364
Aliases
Published
2021-10-05T21:15:00Z
Modified
2023-11-01T04:56:24.630340Z
Summary
[none]
Details

Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions, users who use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for Splash authentication will have any non-Splash request expose their credentials to the request target. This includes robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True. Upgrade to scrapy-splash 0.8.0 and use the new SPLASH_USER and SPLASH_PASS settings instead to set your Splash authentication credentials safely. If you cannot upgrade, set your Splash request credentials on a per-request basis, using the splash_headers request parameter, instead of defining them globally using HttpAuthMiddleware. Alternatively, make sure all your requests go through Splash; that includes disabling the robots.txt middleware.
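The credential-scoping problem described above, as an added stand-alone illustration (not code from scrapy-splash, Scrapy or the advisory): it models, in pure standard-library Python, why the global HttpAuthMiddleware pattern leaks the Splash credentials to every host a spider contacts, and what the per-request splash_headers mitigation changes. The Splash URL, credentials and the list of outgoing request URLs are constructed example values; the helper names are this example's own.

```python
import base64
from urllib.parse import urlsplit

# Constructed example values; a real deployment has its own Splash endpoint and secrets.
SPLASH_URL = "http://splash.internal:8050"
SPLASH_USER = "splash-user"
SPLASH_PASS = "splash-secret"

# Constructed sample of what a spider emits: one Splash render call plus two plain
# requests that bypass Splash (the robots.txt fetch made when ROBOTSTXT_OBEY is True,
# and an ordinary scrapy.Request to the target site).
OUTGOING_REQUESTS = [
    "http://splash.internal:8050/render.html",
    "https://example.com/robots.txt",
    "https://example.com/",
]


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def splash_auth_headers(user: str, password: str) -> dict:
    """Headers to hand to SplashRequest(..., splash_headers=...).

    scrapy-splash sends splash_headers only to the Splash endpoint, which is why the
    advisory recommends this over the spider-wide http_user / http_pass attributes.
    """
    return {"Authorization": basic_auth_header(user, password)}


def same_host(url_a: str, url_b: str) -> bool:
    """True when two URLs point at the same scheme, host and port."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def headers_sent_by_global_auth(request_url: str, user: str, password: str) -> dict:
    """Model of the vulnerable pattern: HttpAuthMiddleware driven by the http_user /
    http_pass spider attributes attaches the header to every request, whatever its host."""
    return {"Authorization": basic_auth_header(user, password)}


def headers_sent_by_scoped_auth(request_url: str, splash_url: str,
                                user: str, password: str) -> dict:
    """Model of the mitigated pattern: credentials travel only with requests that
    actually go to the Splash host; everything else is sent without them."""
    if same_host(request_url, splash_url):
        return splash_auth_headers(user, password)
    return {}


def leaked_targets(outgoing, header_fn, splash_url: str) -> list:
    """Return the non-Splash URLs that would receive the Authorization header."""
    return [url for url in outgoing
            if "Authorization" in header_fn(url) and not same_host(url, splash_url)]


def run_audit() -> tuple:
    """Compare both patterns over the constructed request list.

    Returns (leaks_with_global_auth, leaks_with_scoped_auth)."""
    vulnerable = leaked_targets(
        OUTGOING_REQUESTS,
        lambda u: headers_sent_by_global_auth(u, SPLASH_USER, SPLASH_PASS),
        SPLASH_URL,
    )
    fixed = leaked_targets(
        OUTGOING_REQUESTS,
        lambda u: headers_sent_by_scoped_auth(u, SPLASH_URL, SPLASH_USER, SPLASH_PASS),
        SPLASH_URL,
    )
    return vulnerable, fixed


if __name__ == "__main__":
    leaked_before, leaked_after = run_audit()
    print("global http_user/http_pass leaks credentials to:", leaked_before)
    print("per-request splash_headers leaks credentials to:", leaked_after)
```

Running the audit shows the two plain requests to example.com (robots.txt included) carrying the Splash credentials under the global pattern and nothing leaking under the scoped one. The same scoping is what the SPLASH_USER / SPLASH_PASS settings in 0.8.0 give you without per-request plumbing.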

References

Affected packages

PyPI / scrapy-splash

Package

Affected ranges

Type
GIT
Repo
https://github.com/scrapy-plugins/scrapy-splash
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
0.8.0

Affected versions

0.*
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.7.1
0.7.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/scrapy-splash/PYSEC-2021-364.yaml"