Stop sending basic auth credentials to redirect location

Pulp is getting redirected and sending the Remote's credentials to the redirected location. Looks like if we set the credentials on the request instead of the session, aiohttp will only send the credentials to redirected locations when the domains match which is the behavior we want. fixes #6227
pulp · Feb 25, 2020 · 4505f14 · 4505f14
1 parent 7be835f
commit 4505f14
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/CHANGES/6227.bugfix b/CHANGES/6227.bugfix
@@ -0,0 +1 @@
+Stopped HttpDownloader sending basic auth credentials to redirect location if domains don't match.
diff --git a/pulpcore/download/factory.py b/pulpcore/download/factory.py
@@ -106,15 +106,8 @@ def _make_aiohttp_session_from_remote(self):
 
         conn = aiohttp.TCPConnector(**tcp_conn_opts)
 
-        auth_options = {}
-        if self._remote.username and self._remote.password:
-            auth_options['auth'] = aiohttp.BasicAuth(
-                login=self._remote.username,
-                password=self._remote.password
-            )
-
         timeout = aiohttp.ClientTimeout(total=None, sock_connect=600, sock_read=600)
-        return aiohttp.ClientSession(connector=conn, timeout=timeout, **auth_options)
+        return aiohttp.ClientSession(connector=conn, timeout=timeout)
 
     def build(self, url, **kwargs):
         """
@@ -160,6 +153,12 @@ class to be instantiated.
         if self._remote.proxy_url:
             options['proxy'] = self._remote.proxy_url
 
+        if self._remote.username and self._remote.password:
+            options['auth'] = aiohttp.BasicAuth(
+                login=self._remote.username,
+                password=self._remote.password
+            )
+
         return download_class(url, **options, **kwargs)
 
     def _generic(self, download_class, url, **kwargs):

diff --git a/pulpcore/download/http.py b/pulpcore/download/http.py
@@ -181,7 +181,7 @@ async def _run(self, extra_data=None):
         Args:
             extra_data (dict): Extra data passed by the downloader.
         """
-        async with self.session.get(self.url, proxy=self.proxy) as response:
+        async with self.session.get(self.url, proxy=self.proxy, auth=self.auth) as response:
             response.raise_for_status()
             to_return = await self._handle_response(response)
             await response.release()