Do not forward Authorization header by default
fabricereix committed Jan 6, 2024
1 parent 6ac325d commit 0b5c1f1
Showing 4 changed files with 30 additions and 2 deletions.
11 changes: 11 additions & 0 deletions integration/hurl/tests_ok/follow_redirect.py
Expand Up @@ -37,3 +37,14 @@ def followed_redirect_post():
@app.route("/follow-redirect-308", methods=["POST"])
def follow_redirect_308():
return redirect("http://localhost:8000/followed-redirect-post", code=308)


@app.route("/follow-redirect-basic-auth")
def follow_redirect_basic_auth():
return redirect("http://127.0.0.1:8000/followed-redirect-basic-auth")


@app.route("/followed-redirect-basic-auth")
def followed_redirect_basic_auth():
assert "Authorization" not in request.headers
return "Followed redirect Basic Auth!"
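Review bot: The `assert "Authorization" not in request.headers` in `followed_redirect_basic_auth` reports a forwarded header only indirectly: an uncaught exception in a Flask view presumably becomes a 500 response, so the .hurl side sees a bare `HTTP 200` mismatch with no message saying why. A one-line comment above the assert, such as `# a forwarded Authorization header raises here and surfaces as a 500, which the .hurl 'HTTP 200' assert catches`, would make the failure mode obvious to whoever next sees a red run. The route also only covers the `localhost` → `127.0.0.1` hop, so it cannot tell "strip on host change" apart from "strip on every redirect"; a same-host sibling route would pin that down.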
10 changes: 10 additions & 0 deletions integration/hurl/tests_ok/follow_redirect_option.hurl
Expand Up @@ -44,3 +44,13 @@ HTTP 200
[Asserts]
header "Location" not exists
`Followed redirect POST!`

# Do not forward authorization header by default toa different host
GET http://localhost:8000/follow-redirect-basic-auth
Authorization: Basic Ym9iQGVtYWlsLmNvbTpzZWNyZXQ=
[Options]
location: true
HTTP 200
[Asserts]
header "Location" not exists
`Followed redirect Basic Auth!`
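Review bot: The comment `# Do not forward authorization header by default toa different host` has a typo (`toa` → `to a`) and states a host-based rule, but the client change this case exercises (client.rs in the same commit) filters the Authorization header on every redirect, not only cross-host ones. Either the wording should match what is implemented, e.g. `# Authorization header is never forwarded on redirect (a --location-trusted opt-in is still TODO)`, or a same-host case should be added so the comment's "different host" claim is actually tested. Until one of those happens the comment documents behaviour the test does not verify.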
2 changes: 1 addition & 1 deletion integration/hurl/tests_ok/follow_redirect_option.out
@@ -1 +1 @@
Followed redirect POST!
Followed redirect Basic Auth!
9 changes: 8 additions & 1 deletion packages/hurl/src/http/client.rs
Expand Up @@ -127,10 +127,17 @@ impl Client {
}
}
let redirect_method = get_redirect_method(status, request_spec.method);
// TODO: add --location-trusted option to forward Authorization header explicitly
let headers = request_spec
.headers
.iter()
.filter(|header| header.name.to_lowercase() != "authorization")
.cloned()
.collect::<Vec<Header>>();
request_spec = RequestSpec {
method: redirect_method,
url: redirect_url,
headers: request_spec.headers,
headers,
..Default::default()
};
}
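Review bot: The new filter `.filter(|header| header.name.to_lowercase() != "authorization")` drops the Authorization header on every redirect, including one that stays on the original host, whereas the test comment in this commit describes the rule as applying to a different host and curl's `-L` only strips credentials when the redirect leaves the origin host. If the cross-host semantics are intended, the filter should be gated on a comparison of the original and redirect URL hosts (the accessor depends on the type of `redirect_url` and `request_spec.url`, which is not visible in the hunk); if unconditional stripping is intended, that should be stated in the `TODO` comment, because same-host login-then-redirect flows will now lose their credentials. Separately, `to_lowercase()` allocates a new String per header on every hop; `!header.name.eq_ignore_ascii_case("authorization")` does the ASCII case-insensitive comparison HTTP header names call for without allocating. The enclosing method starts above and continues below the hunk.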