[iOS] Headers for one request are sent for all subsequent requests, even if no headers specified #690

Closed
andreialecu opened this issue Jun 5, 2020 · 4 comments

andreialecu commented Jun 5, 2020

Describe the bug

When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }}} is loaded, all other subsequent images will use the same headers.

This can lead to images not showing, because the host header is wrong, and web servers will return 404 errors for the request.

To Reproduce
Steps to reproduce the behavior if possible, or a link to a reproduction repo:

  1. Go to https://hookbin.com/ and create a new endpoint
  2. Add an image with source={{ uri: "hookbin endpoint #1", headers: { foo: "bar" } }}.
  3. Create another endpoint at hookbin
  4. Add another image with source={{ uri: "hookbin endpoint #2" }}, ensure it loads after image 2.

The request for image on endpoint #2 will include the foo: bar headers.

This is probably the reason for a lot of errors with images not properly showing in this repository.

Additionally, this is a serious security issue, as signing credentials or other session tokens could be leaked to other servers. See screenshot below.

Expected behavior

Headers should not be reused.

Screenshots

image

Notice how headers are leaked to other servers. The headers were only supposed to be used for images from the s3 bucket, but they are attached to every request.

Dependency versions

  • React Native version: 0.62.1
  • React version: 16.11.0
  • React Native Fast Image version: 8.1.5

andreialecu commented Jun 5, 2020

Issue acknowledged as bug in react-native-fast-image by upstream SDWebImage contributor @dreampiggy at:

SDWebImage/SDWebImage#3031 (comment)


dreampiggy commented Jun 5, 2020

Not an issue of the upstream dependency; this is a bug in the react-native-fast-image implementation on iOS. It should use the correct API to do per-image-level header setup.

@andreialecu

Fix is available at #691

@andreialecu

Closing since #691 was merged, and the fix is in version 8.3.0 as per #691 (comment)
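
The leak reported in this thread, as an added example that is not part of the original issue and is not react-native-fast-image or SDWebImage code: a small JavaScript model that contrasts a loader keeping headers on one shared downloader with one that attaches them per request, plus a check that flags any header sent to a URI that never declared it. The class names, the endpoint hosts and the shared-state mechanism are assumptions made for illustration.

```javascript
// Added illustration: a minimal model, not the library's implementation.
// SharedHeaderLoader assumes headers are stored on one downloader shared by
// every image; PerRequestLoader attaches them only to the declaring request.
class SharedHeaderLoader {
  constructor() { this.headers = {}; this.sent = []; }
  load(source) {
    Object.assign(this.headers, source.headers || {}); // state outlives this request
    this.sent.push({ uri: source.uri, headers: { ...this.headers } });
  }
}

class PerRequestLoader {
  constructor() { this.sent = []; }
  load(source) {
    this.sent.push({ uri: source.uri, headers: { ...(source.headers || {}) } });
  }
}

// Compare what each captured request carried with what its source declared.
// Returns one finding per header sent but never declared for that URI.
// Header values are left out of findings so credentials are not copied around.
function findLeakedHeaders(sources, sent) {
  const declared = new Map();
  for (const s of sources) {
    const names = Object.keys(s.headers || {}).map((h) => h.toLowerCase());
    declared.set(s.uri, new Set(names));
  }
  const findings = [];
  for (const req of sent) {
    const allowed = declared.get(req.uri) || new Set();
    for (const name of Object.keys(req.headers)) {
      if (!allowed.has(name.toLowerCase())) findings.push({ uri: req.uri, header: name });
    }
  }
  return findings;
}

// Constructed sources mirroring the reproduction steps (placeholder hosts and token).
const sources = [
  { uri: "https://endpoint-1.example/a.png", headers: { foo: "bar", authorization: "Bearer constructed" } },
  { uri: "https://endpoint-2.example/b.png" },
];

function audit(loader) {
  sources.forEach((s) => loader.load(s));
  return findLeakedHeaders(sources, loader.sent);
}

console.log(audit(new SharedHeaderLoader())); // foo and authorization flagged on endpoint-2
console.log(audit(new PerRequestLoader()));   // []
```

The same comparison can be run against request captures from two real test endpoints to confirm that an upgrade to the fixed version no longer attaches undeclared headers.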
