Fix credential leak on same-host redirects with different ports (aio-libs#12275)

rodrigobnogueira · web-flow · commit 8b10afd473a6 · 2026-03-27T02:58:34.000Z
diff --git a/CHANGES/5783.feature b/CHANGES/5783.feature
diff --git a/aiohttp/client.py b/aiohttp/client.py
@@ -869,12 +869,6 @@ async def _connect_and_send_request(
                         elif not scheme:
                             parsed_redirect_url = url.join(parsed_redirect_url)
 
-                        is_same_host_https_redirect = (
-                            url.host == parsed_redirect_url.host
-                            and parsed_redirect_url.scheme == "https"
-                            and url.scheme == "http"
-                        )
-
                         try:
                             redirect_origin = parsed_redirect_url.origin()
                         except ValueError as origin_val_err:
@@ -886,10 +880,7 @@ async def _connect_and_send_request(
                                 "Invalid redirect URL origin",
                             ) from origin_val_err
 
-                        if (
-                            not is_same_host_https_redirect
-                            and url.origin() != redirect_origin
-                        ):
+                        if url.origin() != redirect_origin:
                             auth = None
                             headers.pop(hdrs.AUTHORIZATION, None)
                             headers.pop(hdrs.COOKIE, None)
diff --git a/docs/client_advanced.rst b/docs/client_advanced.rst
@@ -114,17 +114,6 @@ In cases where the authentication header value expires periodically, an
 :mod:`asyncio` task may be used to update the session's default headers in the
 background.
 
-.. note::
-
-   The ``Authorization`` header will be removed if you get redirected
-   to a different host or protocol, except the case when  HTTP → HTTPS
-   redirect is performed on the same host.
-
-.. versionchanged:: 4.0
-
-   Started keeping the ``Authorization`` header during HTTP → HTTPS
-   redirects when the host remains the same.
-
 .. _aiohttp-client-middleware:
 
 Client Middleware
diff --git a/tests/test_client_functional.py b/tests/test_client_functional.py
@@ -3390,61 +3390,51 @@ def create(url: URL, srv: Handler) -> Awaitable[TestServer]:
 
 
 @pytest.mark.parametrize(
-    ["url_from_s", "url_to_s", "is_drop_header_expected"],
-    [
-        [
-            "http://host1.com/path1",
-            "http://host2.com/path2",
-            True,
-        ],
-        ["http://host1.com/path1", "https://host1.com/path1", False],
-        ["https://host1.com/path1", "http://host1.com/path2", True],
-    ],
+    ("url_from_s", "url_to_s"),
+    (
+        ("http://host1.com/path1", "http://host2.com/path2"),
+        ("http://host1.com/path1", "https://host1.com/path1"),
+        ("https://host1.com/path1", "http://host1.com/path2"),
+        ("http://host1.com/path1", "https://host1.com:9443/path1"),
+    ),
     ids=(
         "entirely different hosts",
         "http -> https",
         "https -> http",
+        "http -> https different port",
     ),
 )
 async def test_drop_auth_on_redirect_to_other_host(
     create_server_for_url_and_handler: Callable[[URL, Handler], Awaitable[TestServer]],
     url_from_s: str,
     url_to_s: str,
-    is_drop_header_expected: bool,
 ) -> None:
     url_from, url_to = URL(url_from_s), URL(url_to_s)
 
     async def srv_from(request: web.Request) -> NoReturn:
-        assert request.host == url_from.host
+        assert request.host.split(":")[0] == url_from.host
         assert request.headers["Authorization"] == "Basic dXNlcjpwYXNz"
         raise web.HTTPFound(url_to)
 
     async def srv_to(request: web.Request) -> web.Response:
-        assert request.host == url_to.host
-        if is_drop_header_expected:
-            assert "Authorization" not in request.headers, "Header wasn't dropped"
-            assert "Proxy-Authorization" not in request.headers
-            assert "Cookie" not in request.headers
-        else:
-            assert "Authorization" in request.headers, "Header was dropped"
-            assert "Proxy-Authorization" in request.headers
-            assert "Cookie" in request.headers
+        assert request.host.split(":")[0] == url_to.host
+        assert "Authorization" not in request.headers, "Header wasn't dropped"
+        assert "Proxy-Authorization" not in request.headers
+        assert "Cookie" not in request.headers
         return web.Response()
 
     server_from = await create_server_for_url_and_handler(url_from, srv_from)
     server_to = await create_server_for_url_and_handler(url_to, srv_to)
 
     assert (
-        url_from.host != url_to.host or server_from.scheme != server_to.scheme
-    ), "Invalid test case, host or scheme must differ"
+        url_from.host != url_to.host
+        or server_from.scheme != server_to.scheme
+        or url_from.port != url_to.port
+    ), "Invalid test case, host, scheme, or port must differ"
 
-    protocol_port_map = {
-        "http": 80,
-        "https": 443,
-    }
     etc_hosts = {
-        (url_from.host, protocol_port_map[server_from.scheme]): server_from,
-        (url_to.host, protocol_port_map[server_to.scheme]): server_to,
+        (url_from.host, url_from.port): server_from,
+        (url_to.host, url_to.port): server_to,
     }
 
     class FakeResolver(AbstractResolver):
