diff options
| author | Noam Lerner <noamler@fb.com> | 2018-03-14 13:10:28 +0200 |
|---|---|---|
| committer | Noam Lerner <noamler@fb.com> | 2018-03-14 20:48:22 +0200 |
| commit | 08b31872bf4094bbef474cae6de6c90fb4245a99 (patch) | |
| tree | 010fb8b83d1b3c3a539931d93288512f40efbe30 | |
| parent | 9438f510abc4b8bf28ec58038c21ff5f5211c750 (diff) | |
| download | chef-08b31872bf4094bbef474cae6de6c90fb4245a99.tar.gz | |
Stripping out Authorization header on redirect to a different host
Signed-off-by: Noam Lerner <noamler@fb.com>
| -rw-r--r-- | lib/chef/http.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/chef/http.rb b/lib/chef/http.rb index 241806da4e..a10906443b 100644 --- a/lib/chef/http.rb +++ b/lib/chef/http.rb @@ -381,7 +381,9 @@ class Chef elsif redirect_location = redirected_to(response) if [:GET, :HEAD].include?(method) follow_redirect do - send_http_request(method, url + redirect_location, headers, body, &response_handler) + redirected_url = url + redirect_location + headers.delete("Authorization") if url.host != redirected_url.host + send_http_request(method, redirected_url, headers, body, &response_handler) end else raise Exceptions::InvalidRedirect, "#{method} request was redirected from #{url} to #{redirect_location}. Only GET and HEAD support redirects." |