@@ -142,7 +142,7 @@ static function (ResponseInterface $response) use ($uri, $statusCode) {
142142 }
143143
144144 /**
145- * Check for too many redirects
145+ * Check for too many redirects.
146146 *
147147 * @throws TooManyRedirectsException Too many redirects.
148148 */
@@ -178,7 +178,7 @@ public function modifyRequest(RequestInterface $request, array $options, Respons
178178 $ modify ['body ' ] = '' ;
179179 }
180180
181- $ uri = $ this -> redirectUri ($ request , $ response , $ protocols );
181+ $ uri = self :: redirectUri ($ request , $ response , $ protocols );
182182 if (isset ($ options ['idn_conversion ' ]) && ($ options ['idn_conversion ' ] !== false )) {
183183 $ idnOptions = ($ options ['idn_conversion ' ] === true ) ? \IDNA_DEFAULT : $ options ['idn_conversion ' ];
184184 $ uri = Utils::idnUriConvert ($ uri , $ idnOptions );
@@ -198,19 +198,46 @@ public function modifyRequest(RequestInterface $request, array $options, Respons
198198 $ modify ['remove_headers ' ][] = 'Referer ' ;
199199 }
200200
201- // Remove Authorization header if host is different .
202- if ($ request ->getUri ()-> getHost () !== $ modify ['uri ' ]-> getHost ( )) {
201+ // Remove Authorization and Cookie headers if required .
202+ if (self :: shouldStripSensitiveHeaders ( $ request ->getUri (), $ modify ['uri ' ])) {
203203 $ modify ['remove_headers ' ][] = 'Authorization ' ;
204+ $ modify ['remove_headers ' ][] = 'Cookie ' ;
204205 }
205206
206207 return Psr7 \Utils::modifyRequest ($ request , $ modify );
207208 }
208209
209210 /**
210- * Set the appropriate URL on the request based on the location header
211+ * Determine if we should strip sensitive headers from the request.
212+ *
213+ * We return true if either of the following conditions are true:
214+ *
215+ * 1. the host is different;
216+ * 2. the scheme has changed, and now is non-https.
211217 */
212- private function redirectUri (RequestInterface $ request , ResponseInterface $ response , array $ protocols ): UriInterface
213- {
218+ private static function shouldStripSensitiveHeaders (
219+ UriInterface $ originalUri ,
220+ UriInterface $ modifiedUri
221+ ): bool {
222+ if (\strcasecmp ($ originalUri ->getHost (), $ modifiedUri ->getHost ()) !== 0 ) {
223+ return true ;
224+ }
225+
226+ if ($ originalUri ->getScheme () !== $ modifiedUri ->getScheme () && 'https ' !== $ modifiedUri ->getScheme ()) {
227+ return true ;
228+ }
229+
230+ return false ;
231+ }
232+
233+ /**
234+ * Set the appropriate URL on the request based on the location header.
235+ */
236+ private static function redirectUri (
237+ RequestInterface $ request ,
238+ ResponseInterface $ response ,
239+ array $ protocols
240+ ): UriInterface {
214241 $ location = Psr7 \UriResolver::resolve (
215242 $ request ->getUri (),
216243 new Psr7 \Uri ($ response ->getHeaderLine ('Location ' ))
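Review bot: shouldStripSensitiveHeaders compares only the host (case-insensitively) and the scheme, so a redirect that keeps both but changes the port, or any other authority component, still forwards Authorization and Cookie; the port is never read in the new method. That is presumably a deliberate choice consistent with how user agents scope cookies, but the docblock's two-item list reads as exhaustive, so I would record the decision there: `Port and userinfo differences are intentionally ignored; only the host, and a scheme change away from https, trigger stripping.` The method's condition list in the docblock otherwise matches the code exactly, which is good. redirectUri's body continues past the end of this hunk, so its resolution of the Location header could not be reviewed here.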