
Exclude configured cookies from proxy passthrough #1911

Closed
hueniverse opened this issue Sep 7, 2014 · 1 comment · Fixed by #1915
Assignees: hueniverse
Labels: bug (Bug or defect), security (Issue with security impact)
Milestone: 6.8.0

Comments

@hueniverse (Contributor):

Replaces #1813

When passing through headers in proxy requests, exclude any locally configured cookies by default since they are not meant for the upstream server. Allow configuring cookies to be included as an override.

This fixes a security hole of leaking cookies to upstream servers. While it is a breaking change, the fix corrects a bug and is therefore published as part of a minor release cycle.

hueniverse added the bug (Bug or defect), breaking changes (Change that can break existing code) and security (Issue with security impact) labels on Sep 7, 2014
hueniverse removed the breaking changes (Change that can break existing code) label on Sep 8, 2014
@hueniverse (Contributor, Author):

After some thought, decided to make this a non-breaking change for now. Semver gods must be obeyed! Added a setting to control this, which will be changed to false in the next major release.

hueniverse added this to the 6.8.0 milestone on Sep 8, 2014
hueniverse self-assigned this on Sep 8, 2014
hueniverse mentioned this issue on Sep 8, 2014
geek closed this as completed in #1915 on Sep 8, 2014
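The following is an added illustration, not hapi's code and not part of this thread. It models the behaviour the two comments above describe: a proxy handler forwards the client's Cookie header upstream, drops any cookie whose name the local server configured for itself (session or auth state), and exposes an override so the old passthrough behaviour can be kept during the non-breaking 6.8.0 cycle. The issue does not name the setting, so `passThroughLocalState`, `allowList`, the function names and the cookie names in the constructed sample are all assumptions.

```javascript
'use strict';

// Added illustration (not hapi's own code). Models the fix described in the
// issue: when a proxy forwards the client's request headers upstream, cookies
// that the local server configured for itself are stripped unless an override
// explicitly allows them through. Cookies are matched by name only.

// Parse a Cookie header into [name, value] pairs, preserving order and the raw
// value (no decoding, so the upstream receives exactly what the client sent).
function parseCookieHeader(header) {
  if (!header) {
    return [];
  }
  return header
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? [part, '']
        : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Build the Cookie header to send upstream.
//   cookieHeader     - the inbound Cookie header from the client
//   localCookieNames - names of cookies this server configured for itself
//                      (what the issue calls "locally configured cookies")
//   options.passThroughLocalState - hypothetical override flag; true keeps the
//                      old leaking behaviour, false (the fix) strips local cookies
//   options.allowList - hypothetical per-cookie override: local cookie names
//                      that may still be forwarded
// Returns null when nothing remains, so the caller can omit the header entirely.
function upstreamCookieHeader(cookieHeader, localCookieNames, options = {}) {
  const { passThroughLocalState = false, allowList = [] } = options;
  const local = new Set(localCookieNames);
  const allowed = new Set(allowList);

  const kept = parseCookieHeader(cookieHeader).filter(([name]) => {
    if (!local.has(name)) {
      return true; // not ours: the upstream application may legitimately want it
    }
    return passThroughLocalState || allowed.has(name);
  });

  if (kept.length === 0) {
    return null;
  }
  return kept
    .map(([name, value]) => (value === '' ? name : `${name}=${value}`))
    .join('; ');
}

// Constructed sample: the local server configured 'sid' (a session cookie) and
// 'csrf'; the client also sends a cookie that belongs to the upstream application.
const inbound = 'sid=abc123; upstream_pref=dark; csrf=tok42';
const localState = ['sid', 'csrf'];

// Old behaviour: every cookie, including the local session, leaks upstream.
console.log(upstreamCookieHeader(inbound, localState, { passThroughLocalState: true }));
// Fixed default: only the cookie the server did not configure is forwarded.
console.log(upstreamCookieHeader(inbound, localState));
// Per-cookie override: forward 'csrf' but never the session id.
console.log(upstreamCookieHeader(inbound, localState, { allowList: ['csrf'] }));
```

The default here is the fixed behaviour (local cookies stripped). As the second comment says, the 6.8.0 setting shipped with the old behaviour still on, so in that release the equivalent is the flag set to true unless the application opts out; the next major flips it.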
lock bot locked this as resolved and limited conversation to collaborators on Jan 12, 2020