Fix #1699: Clear auth information on redirecting to other domain

aio-libs · Oct 16, 2017 · 7971330 · 7971330
1 parent cc97b8e
commit 7971330
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 1 deletion.
diff --git a/aiohttp/client.py b/aiohttp/client.py
@@ -333,7 +333,7 @@ def _request(self, method, url, *,
 
                         if url.origin() != r_url.origin():
                             auth = None
-                            headers.pop(hdrs.AUTHORIZATION)
+                            headers.pop(hdrs.AUTHORIZATION, None)
 
                         url = r_url
                         params = None

diff --git a/changes/1699.bugfix b/changes/1699.bugfix
@@ -0,0 +1 @@
+Clear auth information on redirecting to other domain
diff --git a/tests/test_client_functional.py b/tests/test_client_functional.py
@@ -5,6 +5,7 @@
 import io
 import json
 import pathlib
+import socket
 import ssl
 from unittest import mock
 
@@ -13,6 +14,7 @@
 
 import aiohttp
 from aiohttp import ServerFingerprintMismatch, hdrs, web
+from aiohttp.abc import AbstractResolver
 from aiohttp.helpers import create_future
 from aiohttp.multipart import MultipartWriter
 
@@ -2237,3 +2239,52 @@ def test_creds_in_auth_and_url(loop):
                                    auth=aiohttp.BasicAuth('user2', 'pass2'))
     finally:
         yield from session.close()
+
+
+@asyncio.coroutine
+def test_drop_auth_on_redirect_to_other_host(test_server, loop):
+    @asyncio.coroutine
+    def srv1(request):
+        assert request.host == 'host1.com'
+        assert request.headers['Authorization'] == 'Basic dXNlcjpwYXNz'
+        raise web.HTTPFound('http://host2.com/path2')
+
+    @asyncio.coroutine
+    def srv2(request):
+        assert request.host == 'host2.com'
+        assert 'Authorization' not in request.headers
+        return web.Response()
+
+    app = web.Application()
+    app.router.add_route('GET', '/path1', srv1)
+    app.router.add_route('GET', '/path2', srv2)
+
+    server = yield from test_server(app)
+
+    class FakeResolver(AbstractResolver):
+
+        @asyncio.coroutine
+        def resolve(self, host, port=0, family=socket.AF_INET):
+            return [{'hostname': host,
+                     'host': server.host,
+                     'port': server.port,
+                     'family': socket.AF_INET,
+                     'proto': 0,
+                     'flags': socket.AI_NUMERICHOST}]
+
+        @asyncio.coroutine
+        def close(self):
+            pass
+
+    connector = aiohttp.TCPConnector(loop=loop, resolver=FakeResolver())
+    client = aiohttp.ClientSession(connector=connector)
+    try:
+        resp = yield from client.get('http://host1.com/path1',
+                                     auth=aiohttp.BasicAuth('user', 'pass'))
+        assert resp.status == 200
+        resp = yield from client.get('http://host1.com/path1',
+                                     headers={'Authorization':
+                                              'Basic dXNlcjpwYXNz'})
+        assert resp.status == 200
+    finally:
+        yield from client.close()
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Clear auth information on redirecting to other domain