From ac10b4a3b939f2b177425ca480b630a38f88b6eb Mon Sep 17 00:00:00 2001
From: Eric Callahan
Date: Mon, 17 Apr 2023 08:13:05 -0400
Subject: [PATCH] http_client: don't store client in the wrapper
This closes a securitiy vulernability where the client could be used to download and save a file from any configured location.
Signed-off-by: Eric Callahan
---
 moonraker/components/http_client.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/moonraker/components/http_client.py b/moonraker/components/http_client.py
index f05370e..9cf26ae 100644
--- a/moonraker/components/http_client.py
+++ b/moonraker/components/http_client.py
@@ -278,7 +278,7 @@ class HttpRequestWrapper:
 def __init__(
 self, client: HttpClient, default_url: str, **kwargs
 ) -> None:
- self.client = client
+ self._do_request = client.request
 self._last_response: Optional[HttpResponse] = None
 self.default_request_args: Dict[str, Any] = {
 "method": "GET",
@@ -293,7 +293,7 @@ class HttpRequestWrapper:
 req_args.update(kwargs)
 method = req_args.pop("method", self.default_request_args["method"])
 url = req_args.pop("url", self.default_request_args["url"])
- self._last_response = await self.client.request(method, url, **req_args)
+ self._last_response = await self._do_request(method, url, **req_args)
 return self._last_response
 def set_method(self, method: str) -> None:
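Review bot: In `__init__`, `self._do_request = client.request` still keeps the `HttpClient` reachable, because a bound method carries its instance, so the fix holds only as long as whatever receives the wrapper cannot read underscore-prefixed attributes; that consumer is not visible in this patch and should be confirmed. The line deserves a comment stating the invariant, for example `# Do not expose the HttpClient here: only the bound request method is kept, and it must stay private`. A regression test asserting that the wrapper has no public attribute referring to the client would stop a later refactor from reintroducing `self.client`. The second hunk only switches the call site to `self._do_request`, and both methods continue outside the hunks shown.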