diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-01-19 13:19:25 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-01-22 10:00:00 +0100 |
commit | af32cd3859336ab963591ca0df9b1e33a7ee066b (patch) | |
tree | ae91ca52a3cbbfabe89c74dda181abbbc40c1150 /tests/data/test318 | |
parent | 993dd5651a6c853bfe3870f6a69c7b329fa4e8ce (diff) |
http: prevent custom Authorization headers in redirects
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
curl already handles Authorization headers created internally.
Note: this changes behavior slightly, for the sake of reducing mistakes.
Added test 317 and 318 to verify.
Reported-by: Craig de Stigter
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
Diffstat (limited to 'tests/data/test318')
-rw-r--r-- | tests/data/test318 | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/tests/data/test318 b/tests/data/test318 new file mode 100644 index 000000000..838d1ba0f --- /dev/null +++ b/tests/data/test318 @@ -0,0 +1,95 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP proxy +HTTP Basic auth +HTTP proxy Basic auth +followlocation +</keywords> +</info> +# +# Server-side +<reply> +<data> +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +contents +</data> +<data2> +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents +</data2> + +<datacheck> +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents +</datacheck> +</reply> + +# +# Client-side +<client> +<server> +http +</server> + <name> +HTTP with custom Authorization: and redirect to new host + </name> + <command> +http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted +</command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1
+Host: first.host.it.is
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Accept: */*
+Proxy-Connection: Keep-Alive
+Authorization: s3cr3t
+
+GET http://goto.second.host.now/3180002 HTTP/1.1
+Host: goto.second.host.now
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Accept: */*
+Proxy-Connection: Keep-Alive
+Authorization: s3cr3t
+
+</protocol> +</verify> +</testcase> |