lib/ureq
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix cookie leak on redirect (#608)

Browse Source 
This removes the cookie header on redirect, otherwise if there are
multiple redirects, a new cookie header gets appended each time, while
the existing one remains. This could result in the cookies being leaked
to a third party.
This commit is contained in:
Alec Moskvin
2023-06-14 00:17:50 -04:00
committed by GitHub
parent 329e1f4ada
commit fbae1391ac
2 changed files with 48 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/unit.rs
View File

@@ -217,9 +217,11 @@ pub(crate) fn connect(
let mut headers = unit.headers;
// on redirects we don't want to keep "content-length". we also might want to
// strip away "authorization" to ensure credentials are not leaked.
// strip away "authorization" and "cookie" to ensure credentials are not leaked.
headers.retain(|h| {
!h.is_name("content-length") && (!h.is_name("authorization") || keep_auth_header)
!h.is_name("content-length")
&& !h.is_name("cookie")
&& (!h.is_name("authorization") || keep_auth_header)
});
// recreate the unit to get a new hostname and cookies for the new host.