httprb / http

HTTP (The Gem! a.k.a. http.rb) - a fast Ruby HTTP client with a chainable API, streaming support, and timeouts
MIT License

Remove auth header after following a redirect to a different origin #770

Open pcriv opened 10 months ago

pcriv commented 10 months ago

Currently, when following a redirect, the HTTP client keeps the auth headers, which creates a problem, for example, when redirecting from a custom origin to S3.

Related resources:

https://curl.se/docs/CVE-2018-1000007.html
https://nvd.nist.gov/vuln/detail/CVE-2021-31879
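The behaviour requested above, as an added example that is not part of the issue and not http.rb's own code: a redirect follower that keeps credential headers on same-origin hops and drops them as soon as a `Location` points at a different origin (scheme, host, or port), which is the same rule the linked curl advisory describes. The header list, the `*.example.test` URLs, and the in-memory "server" are constructed for the example; only Ruby's standard `uri` library is used.

```ruby
require 'uri'

# Request headers that carry credentials and must not be forwarded to a third-party
# origin. Assumed list for this example (matches what curl strips on a cross-host hop).
SENSITIVE_HEADERS = %w[authorization cookie proxy-authorization].freeze

# Two URLs share an origin when scheme, host (case-insensitive) and effective port match.
# URI supplies the default port (80/443) when the URL does not state one.
def same_origin?(from, to)
  from = URI(from)
  to   = URI(to)
  from.scheme == to.scheme &&
    from.host.to_s.downcase == to.host.to_s.downcase &&
    from.port == to.port
end

# Headers to send on the next hop: unchanged for a same-origin redirect,
# credential headers removed when the redirect leaves the original origin.
def headers_for_redirect(headers, from, to)
  return headers.dup if same_origin?(from, to)

  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.to_s.downcase) }
end

# Minimal redirect follower. `fetch` is any callable taking (url, headers) and
# returning [status, response_headers, body]; it is injected so the example runs
# offline. Returns [final_status, final_body, trail], where `trail` records the
# URL and headers of every request actually made, so callers can audit what leaked.
def follow_redirects(url, headers, fetch, max_hops: 5)
  trail = []
  current_headers = headers.dup
  max_hops.times do
    trail << { url: url, headers: current_headers }
    status, resp_headers, body = fetch.call(url, current_headers)
    location = resp_headers['Location']
    return [status, body, trail] unless [301, 302, 303, 307, 308].include?(status) && location

    # Resolve relative Location values against the current URL before comparing origins.
    next_url = URI.join(url, location).to_s
    current_headers = headers_for_redirect(current_headers, url, next_url)
    url = next_url
  end
  raise 'too many redirects'
end

# Constructed in-memory responses standing in for a real server: an API origin that
# redirects one path to a different (storage) origin and another path within itself.
FAKE_RESPONSES = {
  'https://api.example.test/files/42' =>
    [302, { 'Location' => 'https://bucket.storage.example.test/42?signed=1' }, ''],
  'https://bucket.storage.example.test/42?signed=1' =>
    [200, {}, 'file contents'],
  'https://api.example.test/old' =>
    [301, { 'Location' => '/files/42' }, ''],
}.freeze

FAKE_FETCH = lambda do |url, _headers|
  FAKE_RESPONSES.fetch(url) { [404, {}, 'not found'] }
end

# Cross-origin case: Authorization is sent to the API origin but not to the storage origin.
def cross_origin_trail
  _status, _body, trail = follow_redirects(
    'https://api.example.test/files/42', { 'Authorization' => 'Bearer constructed-token' }, FAKE_FETCH
  )
  trail
end

# Same-origin case: the relative redirect stays on api.example.test, so the header is kept,
# and only the final hop to the storage origin loses it.
def same_origin_trail
  _status, _body, trail = follow_redirects(
    'https://api.example.test/old', { 'Authorization' => 'Bearer constructed-token' }, FAKE_FETCH
  )
  trail
end

if __FILE__ == $PROGRAM_NAME
  cross_origin_trail.each { |hop| puts "#{hop[:url]} -> #{hop[:headers].keys.inspect}" }
end
```

Running the file prints one line per hop; the second hop (the storage origin) shows an empty header list. The same check can be applied to `Cookie` set by the application, since a session cookie forwarded to a third-party host is the same class of leak.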