Changeset 18437 in josm for trunk/src/org

Timestamp:

2022-04-27T21:26:39+02:00 (2 years ago)

Author:

taylor.smock

Message:

Fix #21935: Avoid leaking Authorization headers on redirects in HttpClient

This was found due to a change in where OSM stores GPX data files.
OSM now uses s3 buckets, and redirects using a signed URL. S3 does
not like multiple authentication methods.

File:

• trunk/src/org/openstreetmap/josm/tools/HttpClient.java (modified) (1 diff)

trunk/src/org/openstreetmap/josm/tools/HttpClient.java

@@ -189 +189 @@
                             " Can''t redirect. Aborting.", cr.getResponseCode()));
                 } else if (maxRedirects > 0) {
+                    final URL oldUrl = url;
                     url = new URL(url, redirectLocation);
                     maxRedirects--;
                     logRequest(tr("Download redirected to ''{0}''", redirectLocation));
+                    // Fix JOSM #21935: Avoid leaking `Authorization` header on redirects.
+                    if (!Objects.equals(oldUrl.getHost(), this.url.getHost()) && this.getRequestHeader("Authorization") != null) {
+                        logRequest(tr("Download redirected to different host (''{0}'' -> ''{1}''), removing authorization headers",
+                                oldUrl.getHost(), url.getHost()));
+                        this.headers.remove("Authorization");
+                    }
                     response = connect();
                     successfulConnection = true;