Release 1.24.2 (#1564)1.24.2release

* Don't load system certificates by default when any other ``ca_certs``, ``ca_certs_dir`` or ``ssl_context`` parameters are specified.
* Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510)
* Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269)

2 files changed, 45 insertions, 1 deletions

diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
index 082ede96..acc149c3 100644
--- a/test/with_dummyserver/test_https.py
+++ b/test/with_dummyserver/test_https.py
@@ -17,7 +17,7 @@ from dummyserver.server import (DEFAULT_CA, DEFAULT_CA_BAD, DEFAULT_CERTS,
                                 DEFAULT_CLIENT_NO_INTERMEDIATE_CERTS,
                                 NO_SAN_CERTS, NO_SAN_CA, DEFAULT_CA_DIR,
                                 IPV6_ADDR_CERTS, IPV6_ADDR_CA, HAS_IPV6,
-                                IP_SAN_CERTS)
+                                IP_SAN_CERTS, IPV6_SAN_CA, IPV6_SAN_CERTS)
 
 from test import (
     onlyPy279OrNewer,
@@ -625,5 +625,23 @@ class TestHTTPS_IPv6Addr(IPV6HTTPSDummyServerTestCase):
         self.assertEqual(r.status, 200)
 
 
+class TestHTTPS_IPV6SAN(IPV6HTTPSDummyServerTestCase):
+    certs = IPV6_SAN_CERTS
+
+    def test_can_validate_ipv6_san(self):
+        """Ensure that urllib3 can validate SANs with IPv6 addresses in them."""
+        try:
+            import ipaddress  # noqa: F401
+        except ImportError:
+            pytest.skip("Only runs on systems with an ipaddress module")
+
+        https_pool = HTTPSConnectionPool('[::1]', self.port,
+                                         cert_reqs='CERT_REQUIRED',
+                                         ca_certs=IPV6_SAN_CA)
+        self.addCleanup(https_pool.close)
+        r = https_pool.request('GET', '/')
+        self.assertEqual(r.status, 200)
+
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
index 2a13722c..3c1eef8d 100644
--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
@@ -123,6 +123,17 @@ class TestPoolManager(HTTPDummyServerTestCase):
 
         self.assertNotIn('Authorization', data)
 
+        r = http.request('GET', '%s/redirect' % self.base_url,
+                         fields={'target': '%s/headers' % self.base_url_alt},
+                         headers={'authorization': 'foo'})
+
+        self.assertEqual(r.status, 200)
+
+        data = json.loads(r.data.decode('utf-8'))
+
+        self.assertNotIn('authorization', data)
+        self.assertNotIn('Authorization', data)
+
     def test_redirect_cross_host_no_remove_headers(self):
         http = PoolManager()
         self.addCleanup(http.clear)
@@ -155,6 +166,21 @@ class TestPoolManager(HTTPDummyServerTestCase):
         self.assertNotIn('X-API-Secret', data)
         self.assertEqual(data['Authorization'], 'bar')
 
+        r = http.request('GET', '%s/redirect' % self.base_url,
+                         fields={'target': '%s/headers' % self.base_url_alt},
+                         headers={'x-api-secret': 'foo',
+                                  'authorization': 'bar'},
+                         retries=Retry(remove_headers_on_redirect=['X-API-Secret']))
+
+        self.assertEqual(r.status, 200)
+
+        data = json.loads(r.data.decode('utf-8'))
+
+        self.assertNotIn('x-api-secret', data)
+        self.assertNotIn('X-API-Secret', data)
+
+        self.assertEqual(data['Authorization'], 'bar')
+
     def test_raise_on_redirect(self):
         http = PoolManager()
         self.addCleanup(http.clear)