Scrapy · Scrapy · CVE-2021-41125
**Name of the Vulnerable Software and Affected Versions**
Scrapy versions prior to 2.5.1
Scrapy versions 1.8 and earlier
**Description**
When `HttpAuthMiddleware` is used for HTTP authentication, Scrapy attaches the configured credentials to every request, so they are sent to whatever host each request targets rather than only to the intended site. This includes requests generated by Scrapy components, such as `robots.txt` requests or requests reached through redirects.
**Recommendations**
For Scrapy versions prior to 2.5.1, upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials.
For Scrapy versions 1.8 and earlier, upgrade to Scrapy 1.8.1 if upgrading to Scrapy 2.5.1 is not an option.
If upgrading is not possible, set HTTP authentication credentials on a per-request basis instead: use the `w3lib.http.basic_auth_header` function to convert the credentials into a value that can be assigned to the request's `Authorization` header.
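The following is an added example, not Scrapy's or w3lib's own code. It models both recommendations stand-alone so it runs without either library installed: a Basic-auth header builder that produces the same value as `w3lib.http.basic_auth_header`, and the per-domain gate that the Scrapy 2.5.1 `http_auth_domain` spider attribute introduces (credentials go to that domain and its subdomains only). Passing `auth_domain=None` reproduces the pre-fix behaviour so the leak described above can be observed on a constructed request list; all hostnames are made up for the example.

```python
"""Added example, not Scrapy's own code.

Models the two fixes from the advisory without needing scrapy or w3lib
installed: a Basic-auth header builder equivalent to
``w3lib.http.basic_auth_header``, and the per-domain gate that Scrapy 2.5.1's
``http_auth_domain`` spider attribute introduces. All hostnames below are
constructed for the example.
"""
import base64
from typing import Iterable, List, Optional
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str, encoding: str = "ISO-8859-1") -> bytes:
    """Build an HTTP Basic ``Authorization`` value (same output as w3lib's helper)."""
    token = base64.b64encode(f"{username}:{password}".encode(encoding))
    return b"Basic " + token


def url_is_from_domain(url: str, domain: str) -> bool:
    """True if the URL's host is ``domain`` itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def scoped_auth_header(url: str, username: str, password: str,
                       auth_domain: Optional[str]) -> Optional[bytes]:
    """Header to attach to a request for ``url``, or None if it must not be sent.

    ``auth_domain=None`` reproduces the pre-2.5.1 middleware: credentials go
    to every host. A concrete domain reproduces the 2.5.1 behaviour.
    """
    if auth_domain is None or url_is_from_domain(url, auth_domain):
        return basic_auth_header(username, password)
    return None


def leaked_urls(urls: Iterable[str], intended_domain: str,
                auth_domain: Optional[str]) -> List[str]:
    """URLs outside ``intended_domain`` that policy ``auth_domain`` would still authorize."""
    return [
        u for u in urls
        if scoped_auth_header(u, "user", "pass", auth_domain) is not None
        and not url_is_from_domain(u, intended_domain)
    ]


# Constructed crawl: the authenticated target, its robots.txt, a subdomain,
# and an off-site URL of the kind a redirect or tracking pixel might produce.
SAMPLE_URLS = [
    "https://intranet.example.com/reports",
    "https://intranet.example.com/robots.txt",
    "https://files.intranet.example.com/export.csv",
    "https://cdn.example.org/tracking.gif",
]

# How the per-request workaround looks in a spider (scrapy not imported here):
#   yield Request(url, headers={"Authorization": basic_auth_header(user, pw)})
# where ``url`` has already been checked with url_is_from_domain().

if __name__ == "__main__":
    for policy in (None, "intranet.example.com"):
        label = "pre-2.5.1 (no http_auth_domain)" if policy is None else f"http_auth_domain={policy!r}"
        print(f"{label}: leaks to {leaked_urls(SAMPLE_URLS, 'intranet.example.com', policy)}")
```

Run directly, the pre-fix policy reports the off-site `cdn.example.org` URL as a recipient of the credentials while the scoped policy reports none; the `robots.txt` and subdomain requests still receive the header under the scoped policy, which is the intended behaviour for the authenticated site. When using the real middleware, the equivalent configuration is `http_auth_domain = "intranet.example.com"` on the spider alongside its `http_user` and `http_pass` attributes.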