Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ktor client resends auth data to redirect location #1467

Closed
dtretyakov opened this issue Nov 29, 2019 · 1 comment
Closed

Ktor client resends auth data to redirect location #1467

dtretyakov opened this issue Nov 29, 2019 · 1 comment
Assignees
@e5l
Labels
bug

Comments

@dtretyakov
Copy link
Contributor

Ktor Version and Engine Used
Ktor HTTP client 1.2.5 with Apache engine.

Describe the bug

Enable followRedirects for http client and send request with auth data to the host https://foo/redirect which redirects to the host https://bar with auth data from host foo.

To Reproduce
Steps to reproduce the behavior:

HttpClient(Apache) {
        followRedirects = true
    }.use { httpClient ->
    httpClient.get<HttpResponse>("https://foo/redirect") {
        basicAuthorization("login", "***")
    }
}

Actual result: Authorization header data is leaked to the host https://bar.

Expected behavior
The Authorization header from original request to the host foo is cleared before establishing redirect request to the host bar. It's a good security practice.

Comment
It could be solved by cleaning the Authorization header in the HttpRedirect feature:
https://github.com/ktorio/ktor/blob/master/ktor-client/ktor-client-core/common/src/io/ktor/client/features/HttpRedirect.kt#L39
@dtretyakov dtretyakov added the bug label Nov 29, 2019
@e5l e5l self-assigned this Nov 29, 2019
e5l added a commit that referenced this issue Dec 2, 2019
@e5l
Don't send Authorization after redirect
f4b85f7 
    Fix #1467
e5l added a commit that referenced this issue Dec 3, 2019
@e5l
Don't send Authorization after redirect
a40a6f8 
    Fix #1467
e5l added a commit that referenced this issue Dec 3, 2019
@e5l
Don't send Authorization after redirect
145424b 
    Fix #1467
@louro11
Copy link

louro11 commented Dec 11, 2019

CVE-2019-19703 was assigned to this issue

@dtretyakov dtretyakov mentioned this issue Feb 19, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@e5l e5l

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dtretyakov @e5l @louro11