Specify CheckRedirect function in http.send client #5388
Labels
Projects
Comments
ashutosh-narkar
added a commit
to ashutosh-narkar/opa
that referenced
this issue
Jan 5, 2023
Currently if http redirects are enabled, we use the client's default redirect policy. We should instead check if the hosts http.send calls as part of the redirect are explictly allowed by the policy authors. This change updates the http client's CheckRedirect policy to verify the hosts the client calls when redirects are enabled. Fixes: open-policy-agent#5388 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ashutosh-narkar
added a commit
that referenced
this issue
Jan 6, 2023
Currently if http redirects are enabled, we use the client's default redirect policy. We should instead check if the hosts http.send calls as part of the redirect are explictly allowed by the policy authors. This change updates the http client's CheckRedirect policy to verify the hosts the client calls when redirects are enabled. Fixes: #5388 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The http client used in the
http.sendbuilt-in does not specify the CheckRedirect field during the initialization of http.Client struct. If http redirects are disabled, CheckRedirect returnsErrUseLastResponse. It would good to have the CheckRedirect validate the redirect URLs returned by the server when http redirects are enabled.The text was updated successfully, but these errors were encountered: