Update meta to only include authorization header.

2017-04-06 14:01:27 -05:00 · 2017-04-06 14:01:27 -05:00 · 21927336dc
parent 423030d2c2
commit 21927336dc
2 changed files with 60 additions and 4 deletions
--- a/enterprise/meta.go
+++ b/enterprise/meta.go
@ -417,10 +417,9 @@ func AuthedCheckRedirect(req *http.Request, via []*http.Request) error {
 	} else if len(via) == 0 {
 		return nil
 	}
-	for attr, val := range via[0].Header {
-		if _, ok := req.Header[attr]; !ok {
-			req.Header[attr] = val
-		}
+	preserve := "Authorization"
+	if auth, ok := via[0].Header[preserve]; ok {
+		req.Header[preserve] = auth
 	}
 	return nil
 }
--- a/enterprise/meta_test.go
+++ b/enterprise/meta_test.go
@ -7,6 +7,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/http/httptest"
 	"net/url"
 	"reflect"
 	"testing"
@ -1396,3 +1397,59 @@ func (c *MockClient) Do(URL *url.URL, path, method string, params map[string]str
 		Body:       ioutil.NopCloser(bytes.NewReader(c.Body)),
 	}, nil
 }
+
+func Test_AuthedCheckRedirect_Do(t *testing.T) {
+	var ts2URL string
+	ts1 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		want := http.Header{
+			"Referer":         []string{ts2URL},
+			"Accept-Encoding": []string{"gzip"},
+			"Authorization":   []string{"hunter2"},
+		}
+		for k, v := range want {
+			if !reflect.DeepEqual(r.Header[k], v) {
+				t.Errorf("Request.Header = %#v; want %#v", r.Header[k], v)
+			}
+		}
+		if t.Failed() {
+			w.Header().Set("Result", "got errors")
+		} else {
+			w.Header().Set("Result", "ok")
+		}
+	}))
+	defer ts1.Close()
+
+	ts2 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, ts1.URL, http.StatusFound)
+	}))
+	defer ts2.Close()
+	ts2URL = ts2.URL
+
+	tr := &http.Transport{}
+	defer tr.CloseIdleConnections()
+
+	c := &http.Client{
+		Transport:     tr,
+		CheckRedirect: AuthedCheckRedirect,
+	}
+
+	req, _ := http.NewRequest("GET", ts2.URL, nil)
+	req.Header.Add("Cookie", "foo=bar")
+	req.Header.Add("Authorization", "hunter2")
+	req.Header.Add("Howdy", "doody")
+	req.Header.Set("User-Agent", "Darth Vader, an extraterrestrial from the Planet Vulcan")
+
+	res, err := c.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		t.Fatal(res.Status)
+	}
+
+	if got := res.Header.Get("Result"); got != "ok" {
+		t.Errorf("result = %q; want ok", got)
+	}
+}