net/http: Authorization header stripping in client on redirects incorrect when redirecting from http to https #35104
Comments
Thanks for the report. /cc @bradfitz
From my reading, libcurl's behavior is to keep sensitive headers only when the hostname is an exact match (ignoring the port). I think that if we're going to preserve a header on a redirect from
If the sensitive headers can be copied for subdomains, then why not for the same host without a port? I expect the headers to be copied to the same host on a different port. Redirecting from

```go
func isDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	// If sub is "foo.example.com" and parent is "example.com",
	// that means sub must end in "."+parent.
	// Do it without allocating.
	if !strings.HasSuffix(sub, parent) {
		return false
	}
	return sub[len(sub)-len(parent)-1] == '.'
}
```
Yes, agree with what @manigandand said.
Hello, the problem still occurs using go1.17.2.
Hello, the problem still occurs using go1.18. I submitted a PR to fix it.
Change https://go.dev/cl/417014 mentions this issue: |
… domain / subdomain even if ports are different (i.e.: redirect from http to https). Fixes issue golang#35104
Change https://go.dev/cl/424935 mentions this issue: |
@wubin1989: Your change is removing ports 80 and 443 from a map that is used in the I've created another PR which basically keeps that function untouched and adds another one that returns only the host. I've also updated some of the original tests which were assuming that redirects to the same host + different port shouldn't propagate these headers: #54539
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?
Should (the source code at https://golang.org/src/net/http/client.go indicates that).

What operating system and processor architecture are you using (`go env`)?

What did you do?
A Go CLI application (singularity, https://github.com/sylabs/singularity) tries to make an HTTP request with an `Authorization: Bearer ..` header.

What did you expect to see?
The request on the server with an `Authorization: Bearer ...` header.

What did you see instead?
The header was stripped from the request. Trying to do the same request with the same headers with curl leaves the header intact.

I think the problem in this case is that `shouldCopyHeaderOnRedirect` strips the header before sending the redirected request. As far as I can see there is a problem in `isDomainOrSubdomain`. It does an equality or suffix match on the original and redirected hostnames. But the hostnames come from `canonicalAddr`, which appends the port from the protocol. So it would check whether singularity.example.com:80 is a suffix of singularity.example.com:443, which it isn't, and then strip the header. It seems a bit strange: in this case it would kick in a security check for something that actually improves security ;-) It is either a bug in the code or in the documentation, which does not mention protocol or ports.
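The following is an added, self-contained example (not code from the Go project or from anyone in this thread) that reproduces the mechanism the reporter describes and the host-only comparison the later comments propose. `isDomainOrSubdomain` is the function quoted above; `hostPort` is an assumed, simplified stand-in for the `canonicalAddr` behaviour described (host plus the scheme's default port), not the net/http implementation. `keepAuthNoDowngrade` is an extra guard that the thread does not discuss, added here because a host-only comparison also forwards the header on an https to http redirect.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isDomainOrSubdomain is the net/http check quoted in the thread:
// true when sub == parent or sub ends in "."+parent.
func isDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	// If sub is "foo.example.com" and parent is "example.com",
	// sub must end in "."+parent. Do it without allocating.
	if !strings.HasSuffix(sub, parent) {
		return false
	}
	return sub[len(sub)-len(parent)-1] == '.'
}

// hostPort is an assumed, simplified stand-in for the canonicalAddr behaviour
// described in the issue: host:port, with the scheme's default port filled in
// when the URL carries none. It is not net/http's implementation.
func hostPort(u *url.URL) string {
	port := u.Port()
	if port == "" {
		switch u.Scheme {
		case "http":
			port = "80"
		case "https":
			port = "443"
		}
	}
	return net.JoinHostPort(u.Hostname(), port)
}

func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

// keepAuthWithPort reproduces the reported behaviour: the domain check runs on
// host:port strings, so "host:80" is not a suffix of "host:443" and the
// Authorization header is dropped on an http->https redirect to the same host.
func keepAuthWithPort(initial, dest string) bool {
	return isDomainOrSubdomain(hostPort(mustParse(dest)), hostPort(mustParse(initial)))
}

// keepAuthHostOnly compares hostnames with the port stripped, as the later
// comments propose: a port change alone no longer discards the header, while a
// different (non-sub)domain still does.
func keepAuthHostOnly(initial, dest string) bool {
	return isDomainOrSubdomain(mustParse(dest).Hostname(), mustParse(initial).Hostname())
}

// keepAuthNoDowngrade adds a guard not discussed in the thread: even for the
// same host, refuse to forward the header when the redirect leaves https,
// since a bearer token would otherwise be sent in cleartext.
func keepAuthNoDowngrade(initial, dest string) bool {
	iu, du := mustParse(initial), mustParse(dest)
	if iu.Scheme == "https" && du.Scheme != "https" {
		return false
	}
	return isDomainOrSubdomain(du.Hostname(), iu.Hostname())
}

func main() {
	// Constructed redirect pairs; the first is the reporter's singularity case.
	cases := [][2]string{
		{"http://singularity.example.com/api", "https://singularity.example.com/api"},
		{"https://example.com/", "https://example.com:8443/"},
		{"https://example.com/", "https://api.example.com/"},
		{"https://api.example.com/", "https://example.com/"},
		{"https://example.com/", "https://notexample.com/"},
		{"https://example.com/", "http://example.com/"},
	}
	fmt.Printf("%-38s %-38s %-9s %-9s %s\n", "initial", "redirect", "hostport", "hostonly", "nodowngrade")
	for _, c := range cases {
		fmt.Printf("%-38s %-38s %-9v %-9v %v\n", c[0], c[1],
			keepAuthWithPort(c[0], c[1]), keepAuthHostOnly(c[0], c[1]), keepAuthNoDowngrade(c[0], c[1]))
	}
}
```

Running it shows the asymmetry the reporter points out: with host:port strings the redirect to a subdomain on the same port keeps the header while the same host on another port loses it; comparing hostnames only fixes that, and the `notexample.com` row shows why the trailing-dot check in `isDomainOrSubdomain` still matters.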