treq is vulnerable to information disclosure. When a dictionary is passed as the cookies argument to treq’s request methods (treq.get, treq.post, etc.) or to the treq.client.HTTPClient constructor, information leaks upon an HTTP redirect to a different domain. For example, should https://example.com redirect to http://cloudstorageprovider.com, the latter will receive the cookie session.
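The difference between an unbound cookie and a domain-bound one, as an added example using only Python's standard library (not treq's code and not taken from the advisory). It assumes a dictionary cookie behaves like a cookie with an empty domain; make_cookie, cookie_header_for and the cookie value are constructed for illustration.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain="", secure=False):
    """Build a cookie. domain="" models a cookie with no domain binding
    (assumption: this is how a dictionary-supplied cookie behaves)."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=bool(domain),
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None if no cookie in the jar matches that request."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


ORIGIN = "https://example.com/login"
REDIRECT_TARGET = "http://cloudstorageprovider.com/upload"

# Weak: the cookie carries no domain, so it matches every host.
unbound = CookieJar()
unbound.set_cookie(make_cookie("session", "constructed-secret"))

# Hardened: the cookie is bound to example.com and marked Secure,
# so it is withheld from other hosts and from plain-HTTP requests.
bound = CookieJar()
bound.set_cookie(
    make_cookie("session", "constructed-secret",
                domain="example.com", secure=True)
)

if __name__ == "__main__":
    for label, jar in (("unbound", unbound), ("bound", bound)):
        for url in (ORIGIN, REDIRECT_TARGET):
            print(f"{label:8} {url:45} -> {cookie_header_for(jar, url)}")
```

Running it prints the header each jar would send to the original host and to the redirect target, which makes a quick regression check when replacing dictionary cookies with an explicit cookie jar.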