Client basic HTTP auth domain mismatch

[krya]

Long story short

I was making calls with aiohttp client to one twilio API server (which requires basic HTTP authentication) and it was working fine untill I reached an endpoint that does a redirect to amazon S3.
But it appears that aiohttp passes basic authentication headers after redirection to a location defined in last response header even if domain doesnt match with the one that did redirection which causes an issue in my case because amazon requires that there should be only one auth method (in my cause token was in the url for redirection)
I've checked the requests lib and it works fine in this exact case.

Expected behaviour

once lib follows redirection and domain doesnt match with previous it should NOT send basic auth headers to this domain

Actual behaviour

end response from S3 ends with an authentication error since there is an auth token in the URL AND a basic auth headers

Steps to reproduce

I'm not sure on available to everyone server that does a redirection to S3

Your environment

ubuntu 14/16
aiohttp==1.3.3 (same with git master)

[fafhrd91]

makes sense for me.

@kxepal @asvetlov ?

[asvetlov]

I think it is security issue and should be fixed

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs.
If you feel like there's important points made in this discussion, please include those exceprts into that [new issue].
[new issue]: https://github.com/aio-libs/aiohttp/issues/new