Ktor Version and Engine Used
Ktor HTTP client 1.2.5 with Apache engine.
Describe the bug
Enable followRedirects for the HTTP client and send a request carrying auth data to the host https://foo/redirect, which redirects to the host https://bar; the redirected request is sent with the auth data that was meant for host foo.
Actual result: Authorization header data is leaked to the host https://bar.
Expected behavior
The Authorization header from the original request to host foo is cleared before the redirect request to host bar is established, because the target is a different origin. It's a good security practice.
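To make the expected behaviour concrete, here is an added Python illustration of the policy the report asks for; it is not Ktor's code and does not use the Ktor API. It models a redirect-following client with a constructed fake network in which https://foo/redirect answers 302 to https://bar/, then replays the scenario once with the credential carried unchanged (the reported leak) and once with credentials dropped whenever the redirect target is a different origin. The header set, helper names and the fake responses are all constructed for the example; only Authorization is named in the report.

```python
from urllib.parse import urlsplit, urljoin

# Credential-bearing headers that must not follow a redirect to another origin.
# Constructed for this example; the issue itself only names Authorization.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin(url):
    """Return (scheme, host, port) so that https://foo and https://foo:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(request_url, headers, location):
    """Resolve Location against the current URL and drop credentials on an origin change."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    return target, {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(send, url, headers, strip_cross_origin=True, max_redirects=5):
    """Follow 3xx responses; `send(url, headers)` returns (status, response_headers)."""
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers = send(url, headers)
        location = resp_headers.get("Location") if 300 <= status < 400 else None
        if location is None:
            return url, status
        if strip_cross_origin:
            url, headers = headers_for_redirect(url, headers, location)
        else:
            # The reported behaviour: the request headers are reused unchanged.
            url = urljoin(url, location)
    raise RuntimeError("too many redirects")


def make_fake_network(log):
    """Constructed stand-in for the network: foo redirects to bar, everything else answers 200."""
    def send(url, headers):
        host = urlsplit(url).hostname
        log.append((host, "Authorization" in headers))
        if url == "https://foo/redirect":
            return 302, {"Location": "https://bar/"}
        if url == "https://foo/local":
            return 302, {"Location": "/landing"}  # same-origin redirect
        return 200, {}
    return send


def run(strip_cross_origin, start="https://foo/redirect"):
    """Replay the scenario and return which hosts saw the Authorization header."""
    log = []
    send = make_fake_network(log)
    follow_redirects(send, start, {"Authorization": "Bearer secret"}, strip_cross_origin)
    return log


if __name__ == "__main__":
    print("headers carried unchanged:", run(False))   # bar receives the credential
    print("cross-origin stripped:   ", run(True))     # bar does not
    print("same-origin redirect:    ", run(True, "https://foo/local"))
```

The comparison is done on the full origin (scheme, host, port) rather than the hostname alone, so a redirect from https://foo to http://foo also drops the credential; a same-origin redirect such as /redirect to /landing keeps it, which is what a client needs for ordinary login flows.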
Comment
It could be solved by cleaning the Authorization header in the HttpRedirect feature: https://github.com/ktorio/ktor/blob/master/ktor-client/ktor-client-core/common/src/io/ktor/client/features/HttpRedirect.kt#L39