bc8f0208aa
Before this change the rest package would forward all the headers on an HTTP redirect, including the Authorization: header. This caused problems when forwarded to a signed S3 URL ("Only one auth mechanism allowed") as well as being a potential security risk. After we use the go1.8+ mechanism for doing this instead of using our own which does it correctly removing the Authorization: header when redirecting to a different host. This hasn't fixed the behaviour for rclone compiled with go1.7. Fixes #2635
33 lines
680 B
Go
33 lines
680 B
Go
//+build !go1.8
|
|
|
|
package rest
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
// ClientWithHeaderReset makes a new http client which resets the
|
|
// headers passed in on redirect
|
|
//
|
|
// This is only needed for go < go1.8
|
|
func ClientWithHeaderReset(c *http.Client, headers map[string]string) *http.Client {
|
|
if len(headers) == 0 {
|
|
return c
|
|
}
|
|
clientCopy := *c
|
|
clientCopy.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
if len(via) >= 10 {
|
|
return errors.New("stopped after 10 redirects")
|
|
}
|
|
// Reset the headers in the new request
|
|
for k, v := range headers {
|
|
if v != "" {
|
|
req.Header.Set(k, v)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
return &clientCopy
|
|
}
|