The Fix
pip install requests==2.27.0
Based on closed psf/requests issue #1767 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -21,8 +21,8 @@
from . import certs
from .compat import parse_http_list as _parse_list_header
-from .compat import (quote, urlparse, bytes, str, OrderedDict, urlunparse,
- is_py2, is_py3, builtin_str, getproxies, proxy_bypass)
+from .compat import (quote, urlparse, bytes, str, OrderedDict, unquote, is_py2,
Option A — Upgrade to fixed release\npip install requests==2.27.0\nWhen NOT to use: This fix should not be applied if the application relies on the original encoding behavior.\n\n
Why This Fix Works in Production
- Trigger: Users received '401 Unauthorized' errors due to spaces in passwords being replaced with '%20'.
- Mechanism: HTTP Basic Auth credentials were incorrectly %-encoded when extracted from URLs
- Why the fix works: Fixes the issue of HTTP Basic Auth credentials being %-encoded when extracted from URLs by unquoting the URL before parsing it. (first fixed release: 2.27.0).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- HTTP Basic Auth credentials were incorrectly %-encoded when extracted from URLs
- Production symptom (often without a traceback): Users received '401 Unauthorized' errors due to spaces in passwords being replaced with '%20'.
Proof / Evidence
- GitHub issue: #1767
- Fix PR: https://github.com/psf/requests/pull/1768
- First fixed release: 2.27.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-07
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.72
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Hmm, that behaviour feels wrong to me. Probably should fix this. =) Thanks! :cake:”
Failure Signature (Search String)
- Users received '401 Unauthorized' errors due to spaces in passwords being replaced with '%20'.
Copy-friendly signature
Failure Signature
-----------------
Users received '401 Unauthorized' errors due to spaces in passwords being replaced with '%20'.
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Users received '401 Unauthorized' errors due to spaces in passwords being replaced with '%20'.
What Broke
Users received '401 Unauthorized' errors due to spaces in passwords being replaced with '%20'.
Why It Broke
HTTP Basic Auth credentials were incorrectly %-encoded when extracted from URLs
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install requests==2.27.0
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/psf/requests/pull/1768
First fixed release: 2.27.0
Last verified: 2026-02-07. Validate in your environment.
When NOT to Use This Fix
- This fix should not be applied if the application relies on the original encoding behavior.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
- Pin production dependencies and upgrade only with a reproducible test that hits the failing path.
Version Compatibility Table
| Version | Status |
|---|---|
| 2.27.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.