only copy Authorization header when redirecting to same base domain

[#finishes 98132086] Signed-off-by: Jonathan Berkhahn <jaberkha@us.ibm.com>
cloudfoundry · Jul 1, 2015 · 1aea6fa · 1aea6fa
1 parent e116164
commit 1aea6fa
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 11 deletions.
diff --git a/cf/net/http_client.go b/cf/net/http_client.go
@@ -33,16 +33,16 @@ func PrepareRedirect(req *http.Request, via []*http.Request) error {
 	}
 
 	prevReq := via[len(via)-1]
-	copyHeaders(prevReq, req)
+	copyHeaders(prevReq, req, getBaseDomain(req.URL.String()) == getBaseDomain(req.Header["Referer"][0]))
 	dumpRequest(req)
 
 	return nil
 }
 
-func copyHeaders(from *http.Request, to *http.Request) {
+func copyHeaders(from *http.Request, to *http.Request, sameDomain bool) {
 	for key, values := range from.Header {
 		// do not copy POST-specific headers
-		if key != "Content-Type" && key != "Content-Length" {
+		if key != "Content-Type" && key != "Content-Length" && !(!sameDomain && key == "Authorization") {
 			to.Header.Set(key, strings.Join(values, ","))
 		}
 	}
@@ -93,3 +93,9 @@ func WrapNetworkErrors(host string, err error) error {
 	return errors.NewWithError(T("Error performing request"), err)
 
 }
+
+func getBaseDomain(host string) string {
+	hostUrl, _ := url.Parse(host)
+	hostStrs := strings.Split(hostUrl.Host, ".")
+	return hostStrs[len(hostStrs)-2] + "." + hostStrs[len(hostStrs)-1]
+}
diff --git a/cf/net/http_client_test.go b/cf/net/http_client_test.go
@@ -1,16 +1,17 @@
 package net_test
 
 import (
-	"code.google.com/p/go.net/websocket"
 	"crypto/x509"
-	"github.com/cloudfoundry/cli/cf/errors"
-	. "github.com/cloudfoundry/cli/cf/net"
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
 	"net"
 	"net/http"
 	"net/url"
 	"syscall"
+
+	"code.google.com/p/go.net/websocket"
+	"github.com/cloudfoundry/cli/cf/errors"
+	. "github.com/cloudfoundry/cli/cf/net"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
 )
 
 var _ = Describe("HTTP Client", func() {
@@ -22,7 +23,8 @@ var _ = Describe("HTTP Client", func() {
 			originalReq.Header.Set("Authorization", "my-auth-token")
 			originalReq.Header.Set("Accept", "application/json")
 
-			redirectReq, err := http.NewRequest("GET", "/bar", nil)
+			redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+			redirectReq.Header["Referer"] = []string{"http://local.com"}
 			Expect(err).NotTo(HaveOccurred())
 
 			via := []*http.Request{originalReq}
@@ -34,13 +36,33 @@ var _ = Describe("HTTP Client", func() {
 			Expect(redirectReq.Header.Get("Accept")).To(Equal("application/json"))
 		})
 
+		It("transfers 'Authorization' headers during a redirect to the same Host", func() {
+			originalReq, err := http.NewRequest("GET", "/foo", nil)
+			Expect(err).NotTo(HaveOccurred())
+			originalReq.Header.Set("Authorization", "my-auth-token")
+			originalReq.Header.Set("Accept", "application/json")
+
+			redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+			redirectReq.Header["Referer"] = []string{"http://remote.com"}
+			Expect(err).NotTo(HaveOccurred())
+
+			via := []*http.Request{originalReq}
+
+			err = PrepareRedirect(redirectReq, via)
+
+			Expect(err).NotTo(HaveOccurred())
+			Expect(redirectReq.Header.Get("Authorization")).To(Equal(""))
+			Expect(redirectReq.Header.Get("Accept")).To(Equal("application/json"))
+		})
+
 		It("does not transfer POST-specific headers", func() {
 			originalReq, err := http.NewRequest("POST", "/foo", nil)
 			Expect(err).NotTo(HaveOccurred())
 			originalReq.Header.Set("Content-Type", "application/json")
 			originalReq.Header.Set("Content-Length", "100")
 
-			redirectReq, err := http.NewRequest("GET", "/bar", nil)
+			redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+			redirectReq.Header["Referer"] = []string{"http://local.com"}
 			Expect(err).NotTo(HaveOccurred())
 
 			via := []*http.Request{originalReq}
@@ -59,7 +81,8 @@ var _ = Describe("HTTP Client", func() {
 			secondReq, err := http.NewRequest("GET", "/manchu", nil)
 			Expect(err).NotTo(HaveOccurred())
 
-			redirectReq, err := http.NewRequest("GET", "/bar", nil)
+			redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+			redirectReq.Header["Referer"] = []string{"http://local.com"}
 			Expect(err).NotTo(HaveOccurred())
 
 			via := []*http.Request{firstReq, secondReq}