Open
Description
Calling `raise_for_status()` outputs (leaks) the HTTP basic auth password when raising an exception.
Expected Result
```
>>> import requests
>>> r = requests.get("http://user:somepassw@httpbin.org/status/401")
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://user:<redacted>@httpbin.org/status/401
```
Actual Result
Here we can see the HTTP password in the resulting exception (`somepassw` in our case)
```
>>> import requests
>>> r = requests.get("http://user:somepassw@httpbin.org/status/401")
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://user:somepassw@httpbin.org/status/401
```
System Information
```
$ python -m requests.help
{
  "chardet": {
    "version": "3.0.4"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "2.8"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.7.2"
  },
  "platform": {
    "release": "4.20.8-arch1-1-ARCH",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.21.0"
  },
  "system_ssl": {
    "version": "1010101f"
  },
  "urllib3": {
    "version": "1.24.1"
  },
  "using_pyopenssl": false
}
```
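A caller-side mitigation for the leak reported above, as an added example that is not part of the original issue and is not code from the requests project: a logging formatter that scrubs URL passwords from the fully rendered record, traceback included. The logger name, `log_failure` helper and the `RuntimeError` standing in for `requests.exceptions.HTTPError` are assumptions made so the block runs offline with the standard library only.

```python
import io
import logging
import re

REDACTED = "<redacted>"

# scheme://user:password@ anywhere in free text. The password part is greedy, so a
# raw "@" inside the password is covered; "/", "?", "#" and whitespace end it.
_USERINFO = re.compile(
    r"(?P<prefix>[A-Za-z][A-Za-z0-9+.-]*://[^\s:/@?#]*:)[^\s/?#]*(?=@)"
)


def redact_credentials(text):
    """Replace the password of every URL userinfo found in text."""
    return _USERINFO.sub(lambda m: m.group("prefix") + REDACTED, text)


class RedactingFormatter(logging.Formatter):
    """Scrub the rendered record so message, args and traceback are all covered."""

    def format(self, record):
        return redact_credentials(super().format(record))


def log_failure(message):
    """Log an exception carrying `message` and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("redaction-demo")  # hypothetical logger name
    logger.addHandler(handler)
    logger.propagate = False
    try:
        try:
            raise RuntimeError(message)  # stands in for requests.exceptions.HTTPError
        except RuntimeError:
            logger.exception("request failed")
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


# Constructed sample: the exception text shown in the report above.
SAMPLE = "401 Client Error: UNAUTHORIZED for url: http://user:somepassw@httpbin.org/status/401"

if __name__ == "__main__":
    print(log_failure(SAMPLE))
```

Passing the credentials as `auth=("user", "somepassw")` instead of embedding them in the URL keeps them out of `response.url`, and therefore out of the `raise_for_status()` message in the first place.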