rclone/lib/rest/rest_header_reset_go17.go
Nick Craig-Wood bc8f0208aa rest: Remove auth headers on HTTP redirect
Before this change the rest package would forward all the headers on
an HTTP redirect, including the Authorization: header.  This caused
problems when forwarded to a signed S3 URL ("Only one auth mechanism
allowed") as well as being a potential security risk.

After we use the go1.8+ mechanism for doing this instead of using our
own which does it correctly removing the Authorization: header when
redirecting to a different host.

This hasn't fixed the behaviour for rclone compiled with go1.7.

Fixes #2635
2018-10-11 21:20:33 +01:00

33 lines
680 B
Go

//+build !go1.8
package rest
import (
"net/http"
"github.com/pkg/errors"
)
// ClientWithHeaderReset makes a new http client which resets the
// headers passed in on redirect
//
// This is only needed for go < go1.8
func ClientWithHeaderReset(c *http.Client, headers map[string]string) *http.Client {
if len(headers) == 0 {
return c
}
clientCopy := *c
clientCopy.CheckRedirect = func(req *http.Request, via []*http.Request) error {
if len(via) >= 10 {
return errors.New("stopped after 10 redirects")
}
// Reset the headers in the new request
for k, v := range headers {
if v != "" {
req.Header.Set(k, v)
}
}
return nil
}
return &clientCopy
}