| author | Joe Gregorio <jcgregorio@google.com> | 2012-07-23 14:45:17 -0400 |
|---|---|---|
| committer | Joe Gregorio <jcgregorio@google.com> | 2012-07-23 14:45:17 -0400 |
| commit | b30ed37f0c2209a7f2397c8e7b8d4d252fa16262 (patch) | |
| tree | 011c79385c9d239d8927a6c8295ff215e9ecf85d /python2 | |
| parent | 9f1f9ede0faf3f36b8f463f781b9860d8c56009a (diff) | |
| download | httplib2-b30ed37f0c2209a7f2397c8e7b8d4d252fa16262.tar.gz | |
Add control so that Authorization: headers aren't forwarded on a 3xx response by default.
Diffstat (limited to 'python2')
| -rw-r--r-- | python2/httplib2/__init__.py | 7 | ||||
| -rwxr-xr-x | python2/httplib2test.py | 14 |
2 files changed, 20 insertions, 1 deletions
diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py index 6737da0..597df48 100644 --- a/python2/httplib2/__init__.py +++ b/python2/httplib2/__init__.py @@ -472,7 +472,7 @@ class Authentication(object): def request(self, method, request_uri, headers, content): """Modify the request headers to add the appropriate - Authorization header. Over-rise this in sub-classes.""" + Authorization header. Over-ride this in sub-classes.""" pass def response(self, response, content): @@ -1231,6 +1231,9 @@ and more. self.timeout = timeout + # Keep Authorization: headers on a redirect. + self.forward_authorization_headers = False + def _auth_from_challenge(self, host, request_uri, headers, response, content): """A generator that creates Authorization objects that can be applied to requests. @@ -1364,6 +1367,8 @@ and more. del headers['if-none-match'] if headers.has_key('if-modified-since'): del headers['if-modified-since'] + if 'authorization' in headers and not self.forward_authorization_headers: + del headers['authorization'] if response.has_key('location'): location = response['location'] old_response = copy.deepcopy(response) diff --git a/python2/httplib2test.py b/python2/httplib2test.py index b2cbb02..344f9ba 100755 --- a/python2/httplib2test.py +++ b/python2/httplib2test.py 
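Review bot: The comment added in the `@@ -1231` hunk, `# Keep Authorization: headers on a redirect.`, sits directly above `self.forward_authorization_headers = False` and reads as if the header is kept, which is the opposite of the default. I would reword it to say what the switch controls and why it is off, for example `# If True, re-send the Authorization: header when following a redirect. Off by default so credentials are not passed on to the redirect target.` The attribute is new public surface, so it also deserves a line wherever the class documents its other settings; that documentation is outside the hunk.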
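Review bot: In the `@@ -1364` hunk the choice to drop `authorization` is all-or-nothing and is made before `location` is read a few lines further down, so with `forward_authorization_headers = True` the credential is re-sent to whatever host and scheme the redirect names, including a different origin or a move from https to http. A safer opt-in would compare the scheme, host and port of the redirect target with those of the original request and forward only on a match. At minimum the attribute's comment should state that enabling it sends credentials to any redirect target. The test `'authorization' in headers` matches only the exact lowercase key, which is fine only if header names are lowercased before this point; that happens outside the hunk and is worth confirming. The enclosing method starts and ends outside the hunk.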
@@ -566,6 +566,20 @@ class HttpTest(unittest.TestCase): (response, content) = self.http.request(uri, method, body=" ") self.assertEqual(response['x-method'], method_on_303) + def test303AndForwardAuthorizationHeader(self): + # Test that all methods can be used + uri = urlparse.urljoin(base, "303/redirect-to-header-reflector.cgi") + headers = {'authorization': 'Bearer foo'} + response, content = self.http.request(uri, 'GET', body=" ", + headers=headers) + # self.assertTrue('authorization' not in content) + self.http.follow_all_redirects = True + self.http.forward_authorization_headers = True + response, content = self.http.request(uri, 'GET', body=" ", + headers=headers) + # Oh, how I wish Apache didn't eat the Authorization header. + # self.assertTrue('authorization' in content) + def testGet304(self): # Test that we use ETags properly to validate our cache uri = urlparse.urljoin(base, "304/test_etag.txt") |
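Review bot: `test303AndForwardAuthorizationHeader` has no active assertions: both `assertTrue` lines are commented out, so it passes whether or not the header is stripped, and the default-off behaviour this commit introduces is unverified. Its first comment, `# Test that all methods can be used`, looks copied from another test and does not describe this one. Until the reflector can actually see the header (the remaining comment says Apache drops it), I would say so at the top, e.g. `# NOTE: asserts nothing yet; the server drops Authorization before the CGI sees it.`, and check the behaviour against a handler that echoes request headers unchanged. The test also sets `follow_all_redirects` and `forward_authorization_headers` on `self.http`; if that object is shared between tests (setUp is outside the hunk) they should be restored afterwards.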
