requests: Do not leak header modifications when calling request()

The requests() function takes a headers dict argument
(call-by-reference). This object is then modified in the function. For
instance the host is added and authentication information. Such behavior
is not expected. It is also problematic:

- Modifications of the header dictionary will be visible on the caller
  site.
- When reusing the same (supposedly read-only) headers object for
  differenct calls, the second call will apparently re-use wrong headers
  from the previous call and may fail.

This patch should also fix micropython#839.

Signed-off-by: Richard Weickelt <[email protected]>

Author: rweickelt

Diff for: python-ecosys/requests/requests/__init__.py

@@ -46,6 +46,8 @@ def request(
 ):
     if headers is None:
         headers = {}
+    else:
+        headers = dict(headers)
 
     redirect = None  # redirection url, None means no redirection
     chunked_data = data and getattr(data, "__next__", None) and not getattr(data, "__len__", None)

Diff for: python-ecosys/requests/test_requests.py

@@ -70,6 +70,12 @@ def test_get_custom_header():
         + b"Connection: close\r\n\r\n"
     ), format_message(response)
 
+def test_do_not_modify_headers_argument():
+    original_headers = {}
+    headers = dict(original_headers)
+    response = requests.request("GET", "http://example.com", headers=original_headers)
+
+    assert headers == original_headers
 
 def test_post_json():
     response = requests.request("GET", "http://example.com", json="test")
@@ -148,6 +154,7 @@ def chunks():
 test_simple_get()
 test_get_auth()
 test_get_custom_header()
+test_do_not_modify_headers_argument()
 test_post_json()
 test_post_chunked_data()
 test_overwrite_get_headers()