summaryrefslogtreecommitdiff
path: root/tests/data/test318
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-01-19 13:19:25 +0100
committerDaniel Stenberg <daniel@haxx.se>2018-01-22 10:00:00 +0100
commitaf32cd3859336ab963591ca0df9b1e33a7ee066b (patch)
treeae91ca52a3cbbfabe89c74dda181abbbc40c1150 /tests/data/test318
parent993dd5651a6c853bfe3870f6a69c7b329fa4e8ce (diff)
downloadcurl-af32cd3859336ab963591ca0df9b1e33a7ee066b.tar.gz
http: prevent custom Authorization headers in redirects
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
Diffstat (limited to 'tests/data/test318')
-rw-r--r--tests/data/test31895
1 files changed, 95 insertions, 0 deletions
diff --git a/tests/data/test318 b/tests/data/test318
new file mode 100644
index 000000000..838d1ba0f
--- /dev/null
+++ b/tests/data/test318
@@ -0,0 +1,95 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP proxy
+HTTP Basic auth
+HTTP proxy Basic auth
+followlocation
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 302 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Location: http://goto.second.host.now/3180002
+Content-Length: 8
+Connection: close
+
+contents
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Content-Length: 9
+
+contents
+</data2>
+
+<datacheck>
+HTTP/1.1 302 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Location: http://goto.second.host.now/3180002
+Content-Length: 8
+Connection: close
+
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Content-Length: 9
+
+contents
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with custom Authorization: and redirect to new host
+ </name>
+ <command>
+http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1
+Host: first.host.it.is
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Accept: */*
+Proxy-Connection: Keep-Alive
+Authorization: s3cr3t
+
+GET http://goto.second.host.now/3180002 HTTP/1.1
+Host: goto.second.host.now
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Accept: */*
+Proxy-Connection: Keep-Alive
+Authorization: s3cr3t
+
+</protocol>
+</verify>
+</testcase>