aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges

An attacker must first have an open redirect or similar vulnerability on the target domain that causes aiohttp's `ClientSession` (with `follow_redirects=True`, the default) to follow a redirect to an attacker-controlled origin. When the attacker's server responds with a `401` Digest challenge, the unpatched middleware computes and sends a digest response using the victim's configured credentials, leaking the digest to the attacker [ref_id=1]. The attacker can then attempt to recover the password from the captured digest if the cryptography is weak or the password is reused.

The vulnerability is in `aiohttp/client_middleware_digest_auth.py` in the `DigestAuthMiddleware.__call__` method. Prior to the patch, the middleware would answer a `401` challenge from any origin, including one reached via a cross-origin redirect. The patch adds origin-scoping logic that pins credentials to the first request's origin and skips authentication for other origins unless they fall within an RFC 7616 `domain` protection space.

The patch introduces a `_origin` attribute on the middleware instance, set to the origin of the first request the middleware handles. In `__call__`, before processing the request, the middleware now checks whether the request's origin matches `_origin` or is covered by a previously advertised `domain` directive. If neither condition holds, the request is passed through without adding an `Authorization` header [patch_id=6088948]. This prevents the middleware from answering a cross-origin challenge, whether reached via redirect or direct request, unless the anchor origin explicitly vouched for that origin via RFC 7616's `domain` parameter.