Do not forward Authorization header by default

2024-11-23 00:44:55 +03:00 · 2024-01-06 13:33:50 +01:00 · 2024-01-06 13:33:50 +01:00 · 0b5c1f1cfc
commit 0b5c1f1cfc
parent 6ac325d879
4 changed files with 30 additions and 2 deletions
--- a/integration/hurl/tests_ok/follow_redirect.py
+++ b/integration/hurl/tests_ok/follow_redirect.py
@ -37,3 +37,14 @@ def followed_redirect_post():
@app.route("/follow-redirect-308", methods=["POST"])
 def follow_redirect_308():
    return redirect("http://localhost:8000/followed-redirect-post", code=308)
+
+
+@app.route("/follow-redirect-basic-auth")
+def follow_redirect_basic_auth():
+    return redirect("http://127.0.0.1:8000/followed-redirect-basic-auth")
+
+
+@app.route("/followed-redirect-basic-auth")
+def followed_redirect_basic_auth():
+    assert "Authorization" not in request.headers
+    return "Followed redirect Basic Auth!"
--- a/integration/hurl/tests_ok/follow_redirect_option.hurl
+++ b/integration/hurl/tests_ok/follow_redirect_option.hurl
@ -44,3 +44,13 @@ HTTP 200
 [Asserts]
 header "Location" not exists
 `Followed redirect POST!`
+
+# Do not forward authorization header by default toa different host
+GET http://localhost:8000/follow-redirect-basic-auth
+Authorization: Basic Ym9iQGVtYWlsLmNvbTpzZWNyZXQ=
+[Options]
+location: true
+HTTP 200
+[Asserts]
+header "Location" not exists
+`Followed redirect Basic Auth!`
--- a/integration/hurl/tests_ok/follow_redirect_option.out
+++ b/integration/hurl/tests_ok/follow_redirect_option.out
@ -1 +1 @@
-Followed redirect POST!
+Followed redirect Basic Auth!
--- a/packages/hurl/src/http/client.rs
+++ b/packages/hurl/src/http/client.rs
@ -127,10 +127,17 @@ impl Client {
                }
            }
            let redirect_method = get_redirect_method(status, request_spec.method);
+            // TODO: add --location-trusted option to forward Authorization header explicitly
+            let headers = request_spec
+                .headers
+                .iter()
+                .filter(|header| header.name.to_lowercase() != "authorization")
+                .cloned()
+                .collect::<Vec<Header>>();
            request_spec = RequestSpec {
                method: redirect_method,
                url: redirect_url,
-                headers: request_spec.headers,
+                headers,
                ..Default::default()
            };
        }