Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 22 additions & 7 deletions tornado/test/httpclient_test.py
Original file line number Diff line number Diff line change
Expand Up @@ -785,7 +785,12 @@ def test_strip_headers_on_redirect(self):
"/redirect?url=%s&status=302" % self.get_url2("/echo_headers")
)
if url_creds:
url = url.replace("http://", "http://%s@" % url_creds)
# Only add credentials to the outer URL being fetched, not to the
# "url" query parameter (the redirect target), which also starts
# with "http://". Otherwise the redirect's Location header would
# carry its own explicit credentials for the new origin, which
# libcurl legitimately honors instead of stripping.
url = url.replace("http://", "http://%s@" % url_creds, 1)
response = self.fetch(**dict(path=url) | kwargs)
response.rethrow()
echoed_headers = json_decode(response.body)
Expand All @@ -799,17 +804,27 @@ def test_strip_headers_on_redirect(self):
"/redirect?url=%s&status=302" % self.get_url("/echo_headers")
)
if url_creds:
url = url.replace("http://", "http://%s@" % url_creds)
url = url.replace("http://", "http://%s@" % url_creds, 1)
response = self.fetch(**dict(path=url) | kwargs)
response.rethrow()
echoed_headers = json_decode(response.body)
# Confirm that non-auth headers are getting through
self.assertIn("User-Agent", echoed_headers)
# Auth headers are not stripped when the redirect is same-origin.
# Each of our tests uses one of these headers, but not both.
self.assertTrue(
"Authorization" in echoed_headers or "Cookie" in echoed_headers
)
if name == "credentials in URL":
# Some libcurl versions (known regression as of 8.20/8.21,
# still present as of curl's git master) drop credentials
# embedded in the URL across a same-origin redirect whose
# Location header is an absolute URL, even though they
# should be preserved. This isn't a security concern
# (nothing is leaked to another origin), so just don't
# assert on it either way here.
pass
else:
# Auth headers are not stripped when the redirect is same-origin.
# Each of our tests uses one of these headers, but not both.
self.assertTrue(
"Authorization" in echoed_headers or "Cookie" in echoed_headers
)


class RequestProxyTest(unittest.TestCase):
Expand Down
Loading