Index: urllib3-1.22/urllib3/poolmanager.py
===================================================================
--- urllib3-1.22.orig/urllib3/poolmanager.py
+++ urllib3-1.22/urllib3/poolmanager.py
@@ -7,6 +7,7 @@ from ._collections import RecentlyUsedCo
 from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool
 from .connectionpool import port_by_scheme
 from .exceptions import LocationValueError, MaxRetryError, ProxySchemeUnknown
+from .packages import six
 from .packages.six.moves.urllib.parse import urljoin
 from .request import RequestMethods
 from .util.url import parse_url
@@ -341,8 +342,10 @@ class PoolManager(RequestMethods):
         # conn.is_same_host() which may use socket.gethostbyname() in the future.
         if (retries.remove_headers_on_redirect
                 and not conn.is_same_host(redirect_location)):
-            for header in retries.remove_headers_on_redirect:
-                kw['headers'].pop(header, None)
+            headers = list(six.iterkeys(kw['headers']))
+            for header in headers:
+                if header.lower() in retries.remove_headers_on_redirect:
+                    kw['headers'].pop(header, None)
 
         try:
             retries = retries.increment(method, url, response=response, _pool=conn)
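Review bot: The stripping loop pops entries from `kw['headers']` in place, so if that mapping is the dict the caller passed in or the manager's shared default headers (where it comes from is outside this hunk), a single cross-host redirect also removes the credentials from every later request that reuses it. Taking a copy first keeps the removal local to the redirected request: `kw['headers'] = kw['headers'].copy()` before `headers = list(six.iterkeys(kw['headers']))`. The match is only case-insensitive because `Retry.__init__` lowercases the set, so a comment here such as `# remove_headers_on_redirect holds lowercased names; compare lowercased keys` would stop a later edit from reintroducing the mismatch. The enclosing method starts and ends outside the hunk.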
Index: urllib3-1.22/urllib3/util/retry.py
===================================================================
--- urllib3-1.22.orig/urllib3/util/retry.py
+++ urllib3-1.22/urllib3/util/retry.py
@@ -179,7 +179,8 @@ class Retry(object):
         self.raise_on_status = raise_on_status
         self.history = history or tuple()
         self.respect_retry_after_header = respect_retry_after_header
-        self.remove_headers_on_redirect = remove_headers_on_redirect
+        self.remove_headers_on_redirect = frozenset([
+            h.lower() for h in remove_headers_on_redirect])
 
     def new(self, **kw):
         params = dict(
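Review bot: The new comprehension iterates whatever is passed as `remove_headers_on_redirect`, so a bare string such as `'Authorization'` becomes a frozenset of single characters and no header is stripped on redirect, with no error raised. Because this option decides whether credentials are forwarded to another host, a wrong argument type should fail loudly, for example `if isinstance(remove_headers_on_redirect, six.string_types): raise TypeError('remove_headers_on_redirect must be an iterable of header names')`, assuming `six` is importable in this module as it is in poolmanager.py. The attribute also changes from the caller's original container to a lowercased frozenset, which deserves a line in the class docstring since the tests in this patch show callers can observe it. `__init__` begins outside the hunk.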
Index: urllib3-1.22/test/test_retry.py
===================================================================
--- urllib3-1.22.orig/test/test_retry.py
+++ urllib3-1.22/test/test_retry.py
@@ -253,9 +253,9 @@ class TestRetry(object):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert sorted(list(retry.remove_headers_on_redirect)) == sorted(["Authorization", "Cookie"])
+        assert sorted(list(retry.remove_headers_on_redirect)) == sorted(["authorization", "cookie"])
 
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=['X-API-Secret'])
 
-        assert list(retry.remove_headers_on_redirect) == ['X-API-Secret']
+        assert list(retry.remove_headers_on_redirect) == ['x-api-secret']
Index: urllib3-1.22/test/with_dummyserver/test_poolmanager.py
===================================================================
--- urllib3-1.22.orig/test/with_dummyserver/test_poolmanager.py
+++ urllib3-1.22/test/with_dummyserver/test_poolmanager.py
@@ -122,6 +122,17 @@ class TestPoolManager(HTTPDummyServerTes
 
         self.assertNotIn('Authorization', data)
 
+        r = http.request('GET', '%s/redirect' % self.base_url,
+                         fields={'target': '%s/headers' % self.base_url_alt},
+                         headers={'authorization': 'foo'})
+
+        self.assertEqual(r.status, 200)
+
+        data = json.loads(r.data.decode('utf-8'))
+
+        self.assertNotIn('authorization', data)
+        self.assertNotIn('Authorization', data)
+
     def test_redirect_cross_host_no_remove_headers(self):
         http = PoolManager()
         self.addCleanup(http.clear)
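Review bot: The added assertions check only two fixed spellings of each header name, so they can pass even when the header is forwarded under a third spelling. The second hunk suggests this is a real gap: it sends `'authorization': 'bar'` and then reads `data['Authorization']`, so the echo endpoint appears to normalise name casing, and a leaked `x-api-secret` could come back under a key that neither `assertNotIn('x-api-secret', data)` nor `assertNotIn('X-API-Secret', data)` matches. Comparing case-insensitively closes that, e.g. `self.assertNotIn('x-api-secret', [k.lower() for k in data])`, and the same form applies to the `authorization` checks in this hunk. Neither hunk covers an upper- or mixed-case request header, or a `Retry` configured with a lowercase name against a title-case request header.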
@@ -154,6 +165,20 @@ class TestPoolManager(HTTPDummyServerTes
         self.assertNotIn('X-API-Secret', data)
         self.assertEqual(data['Authorization'], 'bar')
 
+        r = http.request('GET', '%s/redirect' % self.base_url,
+                         fields={'target': '%s/headers' % self.base_url_alt},
+                         headers={'x-api-secret': 'foo',
+                                  'authorization': 'bar'},
+                         retries=Retry(remove_headers_on_redirect=['X-API-Secret']))
+
+        self.assertEqual(r.status, 200)
+
+        data = json.loads(r.data.decode('utf-8'))
+
+        self.assertNotIn('x-api-secret', data)
+        self.assertNotIn('X-API-Secret', data)
+        self.assertEqual(data['Authorization'], 'bar')
+
     def test_raise_on_redirect(self):
         http = PoolManager()
         self.addCleanup(http.clear)
