Client basic HTTP auth domain mismatch #1699

Closed
krya opened this issue Mar 7, 2017 · 3 comments


krya commented Mar 7, 2017

Long story short

I was making calls with the aiohttp client to one Twilio API server (which requires basic HTTP authentication) and it was working fine until I reached an endpoint that does a redirect to Amazon S3.
But it appears that aiohttp passes the basic authentication headers after redirection to the location defined in the last response header even if the domain doesn't match the one that did the redirection, which causes an issue in my case because Amazon requires that there is only one auth method (in my case the token was in the URL for the redirection).
I've checked the requests lib and it works fine in this exact case.

Expected behaviour

Once the lib follows a redirection and the domain doesn't match the previous one, it should NOT send basic auth headers to this domain.

Actual behaviour

The end response from S3 ends with an authentication error, since there is an auth token in the URL AND basic auth headers.

Steps to reproduce

I'm not sure of a server available to everyone that does a redirection to S3.

Your environment

ubuntu 14/16
aiohttp==1.3.3 (same with git master)
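As an added illustration, not code from aiohttp or from the issue author: the origin check described under "Expected behaviour", which forwards the basic-auth header across a redirect only when scheme, host and port match the URL the credentials were originally sent to. Hostnames, paths and the credential value are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample request: a basic-auth API call whose response redirects
# to a pre-signed object URL on a different host (the pattern in this issue).
ORIGINAL_URL = "https://api.example-twilio.test/2010-04-01/Recordings/RE123"
ORIGINAL_HEADERS = {
    "Authorization": "Basic QUNYWFhYOmF1dGh0b2tlbg==",  # constructed value
    "Accept": "audio/mpeg",
}


def origin(url):
    """Return (scheme, host, port) of a URL, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def resolve_redirect(request_url, location):
    """Resolve a Location header (absolute or relative) against the request URL."""
    return urljoin(request_url, location)


def headers_for_redirect(request_url, location, headers):
    """Build the header set for the next hop after a redirect.

    Credentials are carried over only when the redirect target has exactly the
    origin they were sent to; a host change (or an https -> http downgrade on
    the same host) drops the Authorization header so the new server sees the
    single auth method carried in its own URL, as the S3 case above requires.
    """
    target = resolve_redirect(request_url, location)
    forwarded = dict(headers)  # never mutate the caller's headers
    if origin(target) != origin(request_url):
        forwarded.pop("Authorization", None)
    return target, forwarded


if __name__ == "__main__":
    for loc in ("https://s3.example-aws.test/bucket/RE123.mp3?X-Amz-Signature=abc",
                "/2010-04-01/Recordings/RE123.mp3",
                "http://api.example-twilio.test/2010-04-01/Recordings/RE123"):
        url, hdrs = headers_for_redirect(ORIGINAL_URL, loc, ORIGINAL_HEADERS)
        print(url, "-> Authorization kept" if "Authorization" in hdrs else "-> Authorization dropped")
```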

@fafhrd91 fafhrd91 added this to the 2.1 milestone Mar 14, 2017
fafhrd91 (Member) commented

Makes sense to me.

@kxepal @asvetlov ?

@asvetlov asvetlov self-assigned this Sep 1, 2017
@asvetlov asvetlov added the bug label Sep 1, 2017

asvetlov commented Sep 1, 2017

I think it is a security issue and should be fixed.


lock bot commented Oct 28, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs.
If you feel like there are important points made in this discussion, please include those excerpts in that [new issue].
[new issue]: https://github.com/aio-libs/aiohttp/issues/new

@lock lock bot added the outdated label Oct 28, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 28, 2019