
Commit 195d071

docs(#10): add docs for pull #10
1 parent 2300818 commit 195d071

2 files changed: +26 -1 lines changed


Diff for: CHANGELOG.md

+4-1
@@ -15,13 +15,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1515
- `Removed` for now removed features.
1616
- `Fixed` for any bug fixes.
1717
- `Security` in case of vulnerabilities.
18+
- `[YANKED]` for deprecated releases.
1819

1920
<!-- Refer to: https://github.com/olivierlacan/keep-a-changelog/blob/main/CHANGELOG.md -->
2021
<!-- Refer to: https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md -->
2122

2223
## [Unreleased]
2324

24-
None.
25+
### Security
26+
27+
- [#10](https://github.com/WSH032/fastapi-proxy-lib/pull/10) - fix security vulnerabilities of cookies leakage between different users. Thanks [@WSH032](https://github.com/WSH032)!
2528

2629
## [0.0.1b0] - 2023-11-27 [YANKED]
2730

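Review bot: the new `### Security` entry links only the pull request; since the fix has a published advisory (`GHSA-7vwr-g6pm-9hc8`, linked from the new Security.md section in this same commit), the changelog entry should link it as well so anyone triaging the release can reach the advisory directly, e.g. `- [#10](https://github.com/WSH032/fastapi-proxy-lib/pull/10) / [GHSA-7vwr-g6pm-9hc8](https://github.com/WSH032/fastapi-proxy-lib/security/advisories/GHSA-7vwr-g6pm-9hc8) - fix cookie leakage between different users.` (the current wording "fix security vulnerabilities of cookies leakage" also needs that grammar fix). Separately, the added `[YANKED]` bullet describes yanked releases as "deprecated"; in the Keep a Changelog convention this file cites, a yanked release is one that had to be pulled because of a serious bug or security issue, which is exactly how `[YANKED]` is used on the `0.0.1b0` line further down, so the description should say that rather than "deprecated".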
Diff for: docs/Usage/Security.md

+22
@@ -51,3 +51,25 @@ For this situation, the browser's same-origin protection policy will fail,
5151
and cookies from `http://www.example.com/` will be sent to` http://www.google.com/`.
5252

5353
You should inform the user of this situation and let them decide whether to continue.
54+
55+
---
56+
57+
## What did `fastapi-proxy-lib` do to protect your Security? 🔐
58+
59+
!!! info
60+
The following content is the security measures taken by `fastapi-proxy-lib` behind the scenes.
61+
You may not need to read these for using this library.
62+
63+
### Forbid the merging of cookies at the AsyncClient level
64+
65+
For fix security vulnerabilities of cookies leakage between different users:
66+
67+
- Before sending each proxy request, `fastapi-proxy-lib` will clear `AsyncClient.cookies` to avoid recording cookies from different users.
68+
- To prevent `AsyncClient` merge cookie, `fastapi-proxy-lib` will forcibly add an empty cookie string `""` to each proxy request that does not contain a cookie field header.
69+
70+
Through these, `fastapi-proxy-lib` hopes to prevent the mergence and sharing of cookies from different users.
71+
72+
More info, please visit [Security Advisories `GHSA-7vwr-g6pm-9hc8`](https://github.com/WSH032/fastapi-proxy-lib/security/advisories/GHSA-7vwr-g6pm-9hc8) and [#10](https://github.com/WSH032/fastapi-proxy-lib/pull/10).
73+
74+
!!! note
75+
It will **not affect** the normal sending and receiving of cookies.
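Review bot: the second bullet under "Forbid the merging of cookies" states the workaround but not the mechanism it depends on; spell out that `AsyncClient` only injects cookies from its own jar into a request that has no `Cookie` header, so the forced empty `""` value is what suppresses that injection, and document the visible side effect that upstream servers now receive an empty `Cookie` header on every cookie-less proxied request. The intro line `For fix security vulnerabilities of cookies leakage between different users:` should read `To fix the cookie leakage vulnerability between different users:`, and `hopes to prevent the mergence and sharing of cookies` should be replaced with a definite statement of what the two measures guarantee (no cookie from one user's request is ever stored in the shared client or attached to another user's request), since this section is the library's security documentation and readers will rely on it. The closing `!!! note` would also be stronger if it said which path is unaffected: cookies carried in the incoming request headers and `Set-Cookie` in the upstream response are still forwarded, only the client-level jar is bypassed.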
