Comment 4 for bug 1904551

Aarni Koskela (akx) wrote:

+1 from me.

I actually bumped into this since I have a project with a fairly stringent warning filter, and using `distutils.version.StrictVersion` raises a warning with new versions of `setuptools`: https://github.com/pypa/setuptools/commit/1701579e0827317d8888c2254a17b5786b6b5246

That warning turned into an exception, and here we are...

I think it's somewhat irresponsible of `swiftclient` to quietly patch the requests package on import, especially since the patched version doesn't have the header injection mitigations that have been in requests proper since 2016 (https://github.com/psf/requests/commit/2669ab797ce769ecedf5493b04cb976f33e37210).

Maybe swiftclient shouldn't use requests if it needs to speak non-standard HTTP...

EDIT: I submitted a patch for this: https://review.opendev.org/c/openstack/python-swiftclient/+/828821