TrueCloudLab/distribution
13
0
Fork 3
Code Issues 3 Pull requests Projects Releases 2 Packages Wiki Activity Actions

Merge pull request #13815 from tiborvass/do-not-send-basic-auth-on-302

Browse source 
Do not set auth headers for registry v1 if 302
This commit is contained in:
Arnaud Porterie 2015-06-09 15:34:53 -07:00
commit aa8d3d2ca3
1 changed files with 13 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
docs/session.go
View file

@ -70,6 +70,15 @@ func AuthTransport(base http.RoundTripper, authConfig *cliconfig.AuthConfig, alw
} }
func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) { func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
// Authorization should not be set on 302 redirect for untrusted locations.
// This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests.
// As the authorization logic is currently implemented in RoundTrip,
// a 302 redirect is detected by looking at the Referer header as go http package adds said header.
// This is safe as Docker doesn't set Referer in other scenarios.
if orig.Header.Get("Referer") != "" && !trustedLocation(orig) {
return tr.RoundTripper.RoundTrip(orig)
}
req := transport.CloneRequest(orig) req := transport.CloneRequest(orig)
tr.mu.Lock() tr.mu.Lock()
tr.modReq[orig] = req tr.modReq[orig] = req
@ -84,13 +93,7 @@ func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
if req.Header.Get("Authorization") == "" { if req.Header.Get("Authorization") == "" {
if req.Header.Get("X-Docker-Token") == "true" && len(tr.Username) > 0 { if req.Header.Get("X-Docker-Token") == "true" && len(tr.Username) > 0 {
req.SetBasicAuth(tr.Username, tr.Password) req.SetBasicAuth(tr.Username, tr.Password)
} else if len(tr.token) > 0 && } else if len(tr.token) > 0 {
// Authorization should not be set on 302 redirect for untrusted locations.
// This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests.
// As the authorization logic is currently implemented in RoundTrip,
// a 302 redirect is detected by looking at the Referer header as go http package adds said header.
// This is safe as Docker doesn't set Referer in other scenarios.
(req.Header.Get("Referer") == "" || trustedLocation(orig)) {
req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ",")) req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ","))
} }
} }
@ -151,7 +154,9 @@ func NewSession(client *http.Client, authConfig *cliconfig.AuthConfig, endpoint
} }
} }
client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth) if endpoint.Version == APIVersion1 {
client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
}
jar, err := cookiejar.New(nil) jar, err := cookiejar.New(nil)
if err != nil { if err != nil {