authorNoam Lerner <noamler@fb.com>2018-03-14 13:10:28 +0200
committerNoam Lerner <noamler@fb.com>2018-03-14 20:48:22 +0200
commit08b31872bf4094bbef474cae6de6c90fb4245a99 (patch)
tree010fb8b83d1b3c3a539931d93288512f40efbe30
parent9438f510abc4b8bf28ec58038c21ff5f5211c750 (diff)
Stripping out Authorization header on redirect to a different host
Signed-off-by: Noam Lerner <noamler@fb.com>
-rw-r--r--lib/chef/http.rb4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/chef/http.rb b/lib/chef/http.rb
index 241806da4e..a10906443b 100644
--- a/lib/chef/http.rb
+++ b/lib/chef/http.rb
@@ -381,7 +381,9 @@ class Chef
elsif redirect_location = redirected_to(response)
if [:GET, :HEAD].include?(method)
follow_redirect do
- send_http_request(method, url + redirect_location, headers, body, &response_handler)
+ redirected_url = url + redirect_location
+ headers.delete("Authorization") if url.host != redirected_url.host
+ send_http_request(method, redirected_url, headers, body, &response_handler)
end
else
raise Exceptions::InvalidRedirect, "#{method} request was redirected from #{url} to #{redirect_location}. Only GET and HEAD support redirects."
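Review bot: The guard on the new `headers.delete("Authorization")` line compares only `url.host`, so a redirect that stays on the same host but changes scheme (https to http) or port still carries the Authorization header, in the first case over an unencrypted connection. Comparing the full origin would close that gap: `headers.delete("Authorization") if [url.scheme, url.host, url.port] != [redirected_url.scheme, redirected_url.host, redirected_url.port]`. The delete is also an exact-case string match on the key, so a caller-supplied `authorization` or symbol key would survive if `headers` is a plain Hash (its construction is outside this hunk), and it mutates the hash in place, which matters if the caller reuses the same hash for a later request to the original host. The enclosing method begins and ends outside the hunk, and the diffstat shows only lib/chef/http.rb changed, so a spec covering cross-host, same-host and scheme-downgrade redirects would be worth adding.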