session: Only set api_key query param for REST

crobinso · crobinso · commit 13b8a058400a · 2020-11-12T13:01:14.000-05:00
XMLRPC sends it in the POST payload. This makes it less likely that the API key will leak into error messages: https://bugzilla.redhat.com/show_bug.cgi?id=1896791 Signed-off-by: Cole Robinson <crobinso@redhat.com>
diff --git a/bugzilla/_session.py b/bugzilla/_session.py
@@ -42,7 +42,6 @@ def __init__(self, url, user_agent,
         if sslverify is False:
             self._session.verify = False
         self._session.headers["User-Agent"] = self._user_agent
-        self._session.params["Bugzilla_api_key"] = self._api_key
         self._set_tokencache_param()
 
     def _get_timeout(self):
@@ -55,6 +54,10 @@ def _get_timeout(self):
 
     def set_rest_defaults(self):
         self._session.headers["Content-Type"] = "application/json"
+        # Bugzilla 5.0 only supports api_key as a query parameter.
+        # Bugzilla 5.1+ takes it as a X-BUGZILLA-API-KEY header as well,
+        # with query param taking preference.
+        self._session.params["Bugzilla_api_key"] = self._api_key
     def set_xmlrpc_defaults(self):
         self._is_xmlrpc = True
         self._session.headers["Content-Type"] = "text/xml"
