From d536ce261c6e92d9956cc9a3d28c4288046f454b Mon Sep 17 00:00:00 2001
From: Sean McArthur
Date: Tue, 31 May 2022 11:43:57 -0700
Subject: [PATCH] Fix RequestBuilder to send explicitly sensitive headers

Closes #1549
---
 src/async_impl/request.rs | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/async_impl/request.rs b/src/async_impl/request.rs
index 62744b36c..3a38aa4c3 100644
--- a/src/async_impl/request.rs
+++ b/src/async_impl/request.rs
@@ -203,7 +203,12 @@ impl RequestBuilder {
 match >::try_from(key) {
 Ok(key) => match >::try_from(value) {
 Ok(mut value) => {
- value.set_sensitive(sensitive);
+ // We want to potentially make an unsensitive header
+ // to be sensitive, not the reverse. So, don't turn off
+ // a previously sensitive header.
+ if sensitive {
+ value.set_sensitive(true);
+ }
 req.headers_mut().append(key, value);
 }
 Err(e) => error = Some(crate::error::builder(e.into())),
@@ -840,6 +845,25 @@ mod tests {
 assert!(req.headers()["authorization"].is_sensitive());
 }
 
+ #[test]
+ fn test_explicit_sensitive_header() {
+ let client = Client::new();
+ let some_url = "https://localhost/";
+
+ let mut header = http::HeaderValue::from_static("in plain sight");
+ header.set_sensitive(true);
+
+ let req = client
+ .get(some_url)
+ .header("hiding", header)
+ .build()
+ .expect("request build");
+
+ assert_eq!(req.url().as_str(), "https://localhost/");
+ assert_eq!(req.headers()["hiding"], "in plain sight");
+ assert!(req.headers()["hiding"].is_sensitive());
+ }
+
 #[test]
 fn convert_from_http_request() {
 let http_request = HttpRequest::builder()
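Review bot: The comment above `if sensitive {` says what the guard does but not what is at stake, and "make an unsensitive header to be sensitive" reads awkwardly. The flag on a `HeaderValue` is what keeps the value redacted in `Debug` output and tells HTTP/2 encoders they may skip indexing it, so clearing it on a value the caller marked explicitly can put a credential into logs. I would reword the comment to `// Only ever raise the flag: a value the caller already marked sensitive must stay sensitive (redacted in Debug, not HPACK-indexed).` The enclosing function starts and ends outside the hunk. The patch touches only src/async_impl/request.rs, so any other builder in the crate that still calls `set_sensitive(sensitive)` unconditionally would presumably need the same guard.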
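Review bot: `test_explicit_sensitive_header` asserts only that an already-sensitive value stays sensitive, so it would still pass if the builder marked every header sensitive. Adding a plain value to the same request, for example `.header("visible", "plain")` (illustrative names), and asserting `assert!(!req.headers()["visible"].is_sensitive());` would pin both directions of the new guard. The new test is complete within the hunk, while the enclosing `mod tests` begins outside it.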