forked/reqwest-impersonate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

make sensitive header check include port

Browse Source 
- adjusts to use &mut Headers
- add integration test
This commit is contained in:
Sean McArthur
2017-05-18 10:42:39 -07:00
parent 21a28dffd1
commit e00a64aa18
3 changed files with 71 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/client.rs
View File

@@ -364,7 +364,7 @@ impl RequestBuilder {
}
};
headers = remove_sensitive_headers(headers, &url, &urls);
remove_sensitive_headers(&mut headers, &url, &urls);
debug!("redirecting to {:?} '{}'", method, url);
} else {
return Ok(::response::new(res, client.auto_ungzip.load(Ordering::Relaxed)))

36
src/redirect.rs
View File

@@ -1,9 +1,8 @@
use std::fmt;
use ::Url;
use hyper::header::{Headers, Authorization, Cookie};
#[allow(unused_imports)]
use hyper::header::{Headers, Authorization, Cookie, Accept};
use ::Url;
/// A type that controls the policy on how to handle the following of redirects.
///
@@ -182,14 +181,17 @@ pub fn check_redirect(policy: &RedirectPolicy, next: &Url, previous: &[Url]) ->
}).inner
}
pub fn remove_sensitive_headers(mut headers: Headers, next: &Url, previous: &[Url]) -> Headers {
let cross_host = next.host().unwrap() != previous.last().unwrap().host().unwrap();
if cross_host {
headers.remove::<Authorization<String>>();
headers.remove::<Cookie>();
headers.remove_raw("www-authenticate");
pub fn remove_sensitive_headers(headers: &mut Headers, next: &Url, previous: &[Url]) {
if let Some(previous) = previous.last() {
let cross_host = next.host_str() != previous.host_str()
|| next.port_or_known_default() != previous.port_or_known_default();
if cross_host {
headers.remove::<Authorization<String>>();
headers.remove::<Cookie>();
headers.remove_raw("cookie2");
headers.remove_raw("www-authenticate");
}
}
headers
}
/*
@@ -245,6 +247,8 @@ fn test_redirect_policy_custom() {
#[test]
fn test_remove_sensitive_headers() {
use hyper::header::Accept;
let mut headers = Headers::new();
headers.set(Accept::star());
headers.set(Authorization("let me in".to_owned()));
@@ -256,13 +260,15 @@ fn test_remove_sensitive_headers() {
let next = Url::parse("http://initial-domain.com/path").unwrap();
let mut prev = vec![Url::parse("http://initial-domain.com/new_path").unwrap()];
assert_eq!(remove_sensitive_headers(headers.clone(), &next, &prev), headers);
let mut filtered_headers = headers.clone();
remove_sensitive_headers(&mut headers, &next, &prev);
assert_eq!(headers, filtered_headers);
prev.push(Url::parse("http://new-domain.com/path").unwrap());
let mut filtered_headers = headers.clone();
filtered_headers.remove::<Authorization<String>>();
filtered_headers.remove::<Cookie>();
assert_eq!(remove_sensitive_headers(headers.clone(), &next, &prev), filtered_headers);
}
remove_sensitive_headers(&mut headers, &next, &prev);
assert_eq!(headers, filtered_headers);
}

49
tests/client.rs
View File

@@ -186,6 +186,55 @@ fn test_redirect_307_does_not_try_if_reader_cannot_reset() {
}
}
#[test]
fn test_redirect_removes_sensitive_headers() {
let end_server = server! {
request: b"\
GET /otherhost HTTP/1.1\r\n\
Host: $HOST\r\n\
User-Agent: $USERAGENT\r\n\
Accept: */*\r\n\
Accept-Encoding: gzip\r\n\
\r\n\
",
response: b"\
HTTP/1.1 200 OK\r\n\
Server: test\r\n\
Content-Length: 0\r\n\
\r\n\
"
};
let mid_server = server! {
request: b"\
GET /sensitive HTTP/1.1\r\n\
Host: $HOST\r\n\
Cookie: foo=bar\r\n\
User-Agent: $USERAGENT\r\n\
Accept: */*\r\n\
Accept-Encoding: gzip\r\n\
\r\n\
",
response: format!("\
HTTP/1.1 302 Found\r\n\
Server: test\r\n\
Location: http://{}/otherhost\r\n\
Content-Length: 0\r\n\
\r\n\
", end_server.addr())
};
let mut client = reqwest::Client::new().unwrap();
client.referer(false);
client.get(&format!("http://{}/sensitive", mid_server.addr()))
.header(
reqwest::header::Cookie(vec![
String::from("foo=bar")
])
)
.send().unwrap();
}
#[test]
fn test_redirect_policy_can_return_errors() {
let server = server! {