Don't allow single hop headers on redirect

Signed-off-by: Levi Gross <[email protected]>

Author: levigross

base_get_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"encoding/xml"
+	"errors"
 	"io"
 	"net/http"
 	"net/http/cookiejar"
@@ -1164,29 +1165,28 @@ func TestAuthStripOnRedirect(t *testing.T) {
 	srv.Close()
 }
 
-func TestNoAuthStripOnRedirect(t *testing.T) {
+func TestNoRedirect(t *testing.T) {
 	srv := httptest.NewServer(http.DefaultServeMux)
-	http.HandleFunc("/tester/", func(w http.ResponseWriter, req *http.Request) {
-		if req.Header.Get("Authorization") == "" {
-			http.Error(w, "Didn't find Auth: "+req.Header.Get("Authorization"), http.StatusInternalServerError)
-		}
-	})
-
-	resp, err := Get(srv.URL+"/tester", &RequestOptions{
-		Auth:                    []string{"one ", "two"},
-		Headers:                 map[string]string{"WWW-Authenticate": "foo"},
-		RedirectLocationTrusted: true,
+	http.HandleFunc("/3tester/", func(w http.ResponseWriter, req *http.Request) {
+		http.Redirect(w, req, "/", http.StatusMovedPermanently)
 	})
 
-	if err != nil {
-		t.Error("Request didn't creds inside", err)
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return errors.New("cancel redirection")
+		},
 	}
 
-	if resp.Ok != true {
-		t.Error("Request didn't creds inside", resp.StatusCode, resp.String())
+	_, err := Get(srv.URL+"/3tester/", &RequestOptions{
+		HTTPClient: client,
+	})
+
+	if err == nil {
+		t.Error("Request passed when it was supposed to fail on redirect", err)
 	}
 
 	srv.Close()
+
 }
 
 func verifyOkArgsResponse(resp *Response, t *testing.T) *BasicGetResponseArgs {

request.go

@@ -107,11 +107,6 @@ type RequestOptions struct {
 	// this is useful if you want to use an OAUTH client with your request.
 	HTTPClient *http.Client
 
-	// RedirectLocationTrusted is a flag that will enable all headers to be
-	// forwarded to the redirect location. Otherwise, the headers specified in
-	// `SensitiveHTTPHeaders` will be removed from the request.
-	RedirectLocationTrusted bool
-
 	// SensitiveHTTPHeaders is a map of sensitive HTTP headers that a user
 	// doesn't want passed on a redirect.
 	SensitiveHTTPHeaders map[string]struct{}
@@ -176,6 +171,7 @@ func buildRequest(httpMethod, url string, ro *RequestOptions, httpClient *http.C
 	// Do we need to add any HTTP headers or Basic Auth?
 	addHTTPHeaders(ro, req)
 	addCookies(ro, req)
+
 	addRedirectFunctionality(httpClient, ro)
 
 	return httpClient.Do(req)

utils.go

@@ -9,7 +9,7 @@ import (
 )
 
 const (
-	localUserAgent = "GRequests/0.7"
+	localUserAgent = "GRequests/0.10"
 
 	// Default value for net.Dialer Timeout
 	dialTimeout = 30 * time.Second
@@ -52,6 +52,9 @@ var (
 type XMLCharDecoder func(charset string, input io.Reader) (io.Reader, error)
 
 func addRedirectFunctionality(client *http.Client, ro *RequestOptions) {
+	if client.CheckRedirect != nil {
+		return
+	}
 	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		if ro.RedirectLimit == 0 {
 			ro.RedirectLimit = RedirectLimit
@@ -67,7 +70,7 @@ func addRedirectFunctionality(client *http.Client, ro *RequestOptions) {
 
 		for k, vv := range via[0].Header {
 			// Is this a sensitive header?
-			if _, found := ro.SensitiveHTTPHeaders[k]; found && ro.RedirectLocationTrusted == false {
+			if _, found := ro.SensitiveHTTPHeaders[k]; found {
 				continue
 			}