Clear Authorization header when redirecting to cross-site
kyoshidajp committed Feb 19, 2019
1 parent 4d60d8b commit 1e8a307
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions lib/httpclient.rb
Expand Up @@ -378,6 +378,9 @@ def attr_proxy(symbol, assignable = false)
# Default User-Agent header
DEFAULT_AGENT_NAME = 'HTTPClient/1.0'

# Authorization Header
AUTH_HEADER = 'Authorization'

# Creates a HTTPClient instance which manages sessions, cookies, etc.
#
# HTTPClient.new takes optional arguments as a Hash.
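Review bot: the comment above `AUTH_HEADER` only repeats the constant's name; since the constant exists solely so that `clear_auth_header` can drop the header on a cross-origin redirect, the comment should say that, e.g. `# Header removed when a redirect leaves the original scheme/host/port`. A reader of this block otherwise cannot tell why a single header name is promoted to a class-level constant next to `DEFAULT_AGENT_NAME`.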
Expand Down Expand Up @@ -1112,18 +1115,31 @@ def follow_redirect(method, uri, query, body, header, &block)
raise BadResponseError.new("Missing Location header for redirect", res)
end
method = :get if res.see_other? # See RFC2616 10.3.4
orig_uri = uri
uri = urify(@redirect_uri_callback.call(uri, res))
# To avoid duped query parameter. 'location' must include query part.
request_query = nil
previous = res
retry_number += 1
header = clear_auth_header(header, orig_uri, uri)
else
return res
end
end
raise BadResponseError.new("retry count exceeded", res)
end

def clear_auth_header(header, from_uri, to_uri)
return header if same_host?(from_uri, to_uri)
header.delete_if {|h| h[0] == AUTH_HEADER}
end

def same_host?(from_uri, to_uri)
return true if to_uri.path.start_with?("/")

[from_uri.scheme, from_uri.host, from_uri.port] == [to_uri.scheme, to_uri.host, to_uri.port]
end

def success_content(res)
if res.ok?
return res.content
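Review bot: `same_host?` returns true as soon as `to_uri.path.start_with?("/")`, which defeats the check: the value reaching `clear_auth_header` is the already-resolved `uri` returned by `urify(@redirect_uri_callback.call(uri, res))`, i.e. the URI that will actually be requested, and for an absolute URI the path starts with "/" whenever it is non-empty, so the `[scheme, host, port]` comparison is only reached for an empty path and the Authorization header survives almost every cross-site redirect. If the intent was to treat a relative `Location` as same-origin, test `to_uri.relative?` instead (or drop the short-circuit, since the callback has already resolved the target) and compare `[from_uri.scheme, from_uri.host, from_uri.port]` against `to_uri` unconditionally. Two smaller points on `clear_auth_header`: `h[0] == AUTH_HEADER` is a case-sensitive match, so a header supplied as 'authorization' is kept even though header names are case-insensitive (compare with `casecmp?`); and `header.delete_if {|h| h[0] == ...}` assumes `header` is an array of `[name, value]` pairs, so the Hash form that callers can pass into `follow_redirect` needs either normalising first or its own branch. A test that redirects from one host to another and asserts the header is absent from the second request would have caught the first problem.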

0 comments on commit 1e8a307