Do not forward the Authentication header after 3xx #284
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `Authorization` header is sent when retrying a query after a `401` response. Usually, a cookie is set, which holds the "authorized" status of the agent. If the query including the `Authentication` header is accepted (i.e. authentication is valid), and the server sends a `3xx` response back, the original query is cloned, and some headers are removed. The `Authentication` header must also be removed, otherwise the query might fail again (with a `403`), for example when the `Location` in the `3xx` response is a redirect to a different domain, in a different authorization realm. Actual debugging and fix by Sergey Belikov. This should fix libwww-perl#131.
|
LGTM |
|
Should we add a regression test? |
|
The change looks clean to me, but I would love to see either RFC that validates this change or have some more test run on modules that depend on us.
might or will or only when it rains ? Can we have some downstream integration test? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
Authorizationheader is sent when retrying a query after a401response. Usually, a cookie is set, which holds the "authorized" status
of the agent.
If the query including the
Authenticationheader is accepted(i.e. authentication is valid), and the server sends a
3xxresponseback, the original query is cloned, and some headers are removed.
The
Authenticationheader must also be removed, otherwise the querymight fail again (with a
403), for example when theLocationinthe
3xxresponse is a redirect to a different domain, in a differentauthorization realm.
Actual debugging and fix by Sergey Belikov.
This should fix #131.