diff --git a/cf/net/http_client.go b/cf/net/http_client.go
index dffe520dd0c..1797ed23e3a 100644
--- a/cf/net/http_client.go
+++ b/cf/net/http_client.go
@@ -33,16 +33,16 @@ func PrepareRedirect(req *http.Request, via []*http.Request) error {
 }
 prevReq := via[len(via)-1]
- copyHeaders(prevReq, req)
+ copyHeaders(prevReq, req, getBaseDomain(req.URL.String()) == getBaseDomain(req.Header["Referer"][0]))
 dumpRequest(req)
 return nil
 }
-func copyHeaders(from *http.Request, to *http.Request) {
+func copyHeaders(from *http.Request, to *http.Request, sameDomain bool) {
 for key, values := range from.Header {
 // do not copy POST-specific headers
- if key != "Content-Type" && key != "Content-Length" {
+ if key != "Content-Type" && key != "Content-Length" && !(!sameDomain && key == "Authorization") {
 to.Header.Set(key, strings.Join(values, ","))
 }
 }
@@ -93,3 +93,9 @@ func WrapNetworkErrors(host string, err error) error {
 return errors.NewWithError(T("Error performing request"), err)
 }
+
+func getBaseDomain(host string) string {
+ hostUrl, _ := url.Parse(host)
+ hostStrs := strings.Split(hostUrl.Host, ".")
+ return hostStrs[len(hostStrs)-2] + "." + hostStrs[len(hostStrs)-1]
+}
diff --git a/cf/net/http_client_test.go b/cf/net/http_client_test.go
index 582f0b75b1d..64f43fc1f85 100644
--- a/cf/net/http_client_test.go
+++ b/cf/net/http_client_test.go
@@ -1,16 +1,17 @@
 package net_test
 import (
- "code.google.com/p/go.net/websocket"
 "crypto/x509"
- "github.com/cloudfoundry/cli/cf/errors"
- . "github.com/cloudfoundry/cli/cf/net"
- . "github.com/onsi/ginkgo"
- . "github.com/onsi/gomega"
 "net"
 "net/http"
 "net/url"
 "syscall"
+
+ "code.google.com/p/go.net/websocket"
+ "github.com/cloudfoundry/cli/cf/errors"
+ . "github.com/cloudfoundry/cli/cf/net"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
 )
 var _ = Describe("HTTP Client", func() {
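Review bot: `req.Header["Referer"][0]` in the new copyHeaders call indexes a header the redirected request may not carry — Go's client leaves Referer unset on an https-to-http redirect, for instance — and then panics with an index out of range inside the redirect check; the previous request is already in hand, so the host comparison can come from it instead: `copyHeaders(prevReq, req, getBaseDomain(prevReq.URL.String()) == getBaseDomain(req.URL.String()))`. The added condition in copyHeaders is clearer in its positive form, `if key != "Content-Type" && key != "Content-Length" && (sameDomain || key != "Authorization") {`. A same-domain check still forwards the token when the redirect moves from https to http, so a comment on the `sameDomain` parameter should say whether that is intended. PrepareRedirect's opening lines are outside the hunk.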
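Review bot: getBaseDomain discards the url.Parse error and then reads `hostStrs[len(hostStrs)-2]`, so an unparsable string dereferences a nil URL and a host with fewer than two labels — the empty Host of a relative URL such as the `"/bar"` the old tests used, or `localhost` — panics on a negative index; since the result only feeds a boolean, returning the bare host for short names and `""` on a parse error avoids taking the whole client down. Two further limits deserve a comment on the function: `Host` may still carry a port, so `local.com:8080` and `local.com` compare unequal, and the last-two-labels rule treats every host under a multi-label public suffix such as `co.uk` as one domain, so the Authorization header would still follow a redirect to an unrelated site there. `hostUrl` should be `hostURL` per Go's initialism convention, and the parameter receives a full URL rather than a host, so `rawURL` names it more honestly. WrapNetworkErrors's body starts before the hunk.
```go
// getBaseDomain returns the last two labels of rawURL's host
// ("api.example.com" -> "example.com"). It is a heuristic, not a
// public-suffix check: hosts under multi-label suffixes such as "co.uk"
// share a "base domain" here. A host with fewer than two labels is
// returned as-is; an unparsable URL yields "".
func getBaseDomain(rawURL string) string {
	hostURL, err := url.Parse(rawURL)
	if err != nil {
		return ""
	}
	host := hostURL.Host
	// Drop a trailing :port; a bracketed IPv6 literal keeps its colons.
	if i := strings.LastIndex(host, ":"); i != -1 && !strings.Contains(host[i:], "]") {
		host = host[:i]
	}
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return labels[len(labels)-2] + "." + labels[len(labels)-1]
}
```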
@@ -22,7 +23,8 @@ var _ = Describe("HTTP Client", func() {
 originalReq.Header.Set("Authorization", "my-auth-token")
 originalReq.Header.Set("Accept", "application/json")
- redirectReq, err := http.NewRequest("GET", "/bar", nil)
+ redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+ redirectReq.Header["Referer"] = []string{"http://local.com"}
 Expect(err).NotTo(HaveOccurred())
 via := []*http.Request{originalReq}
@@ -34,13 +36,33 @@ var _ = Describe("HTTP Client", func() {
 Expect(redirectReq.Header.Get("Accept")).To(Equal("application/json"))
 })
+ It("transfers 'Authorization' headers during a redirect to the same Host", func() {
+ originalReq, err := http.NewRequest("GET", "/foo", nil)
+ Expect(err).NotTo(HaveOccurred())
+ originalReq.Header.Set("Authorization", "my-auth-token")
+ originalReq.Header.Set("Accept", "application/json")
+
+ redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+ redirectReq.Header["Referer"] = []string{"http://remote.com"}
+ Expect(err).NotTo(HaveOccurred())
+
+ via := []*http.Request{originalReq}
+
+ err = PrepareRedirect(redirectReq, via)
+
+ Expect(err).NotTo(HaveOccurred())
+ Expect(redirectReq.Header.Get("Authorization")).To(Equal(""))
+ Expect(redirectReq.Header.Get("Accept")).To(Equal("application/json"))
+ })
+
+
 It("does not transfer POST-specific headers", func() {
 originalReq, err := http.NewRequest("POST", "/foo", nil)
 Expect(err).NotTo(HaveOccurred())
 originalReq.Header.Set("Content-Type", "application/json")
 originalReq.Header.Set("Content-Length", "100")
- redirectReq, err := http.NewRequest("GET", "/bar", nil)
+ redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+ redirectReq.Header["Referer"] = []string{"http://local.com"}
 Expect(err).NotTo(HaveOccurred())
 via := []*http.Request{originalReq}
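Review bot: The added `redirectReq.Header["Referer"] = []string{"http://local.com"}` runs before the `Expect(err).NotTo(HaveOccurred())` that checks the NewRequest call, so a failed NewRequest would surface as a nil-pointer panic on the header map rather than as the intended assertion; the same ordering appears in both edits of `@@ -34,13 +36,33 @@` and in `@@ -59,7 +81,8 @@`. Moving the assignment below the Expect and writing it as `redirectReq.Header.Set("Referer", "http://local.com")` keeps the failure readable and uses the canonical header form. Setting Referer by hand also means these cases only exercise the header-driven comparison; a comment noting that in production the Go client, not the caller, fills in Referer would help a later reader. The enclosing Describe block starts before this hunk.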
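Review bot: The new case is named `transfers 'Authorization' headers during a redirect to the same Host`, but its Referer is `http://remote.com` while the redirect target is `http://local.com/bar`, and it asserts `Expect(redirectReq.Header.Get("Authorization")).To(Equal(""))`, so the description states the opposite of what is checked; `It("does not transfer 'Authorization' headers during a redirect to a different host", func() {` matches the assertions. The earlier test in `@@ -22,7 +23,8 @@`, which sets Referer to `http://local.com`, appears to be the same-host counterpart, so the two names should read as a pair (same host keeps the token, different host drops it). The Describe block this sits in starts before the hunk.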
@@ -59,7 +81,8 @@ var _ = Describe("HTTP Client", func() {
 secondReq, err := http.NewRequest("GET", "/manchu", nil)
 Expect(err).NotTo(HaveOccurred())
- redirectReq, err := http.NewRequest("GET", "/bar", nil)
+ redirectReq, err := http.NewRequest("GET", "http://local.com/bar", nil)
+ redirectReq.Header["Referer"] = []string{"http://local.com"}
 Expect(err).NotTo(HaveOccurred())
 via := []*http.Request{firstReq, secondReq}