rclone/lib/rest/rest_header_reset.go
Nick Craig-Wood bc8f0208aa rest: Remove auth headers on HTTP redirect
Before this change the rest package would forward all the headers on
an HTTP redirect, including the Authorization: header.  This caused
problems when forwarded to a signed S3 URL ("Only one auth mechanism
allowed") as well as being a potential security risk.

After we use the go1.8+ mechanism for doing this instead of using our
own which does it correctly removing the Authorization: header when
redirecting to a different host.

This hasn't fixed the behaviour for rclone compiled with go1.7.

Fixes #2635
2018-10-11 21:20:33 +01:00

15 lines
309 B
Go

//+build go1.8
package rest
import (
"net/http"
)
// ClientWithHeaderReset makes a new http client which resets the
// headers passed in on redirect
//
// This is now unecessary with go1.8 so becomes a no-op
func ClientWithHeaderReset(c *http.Client, headers map[string]string) *http.Client {
return c
}