From 5a8f690426b9e1ea9490064b08aa9511c23075e4 Mon Sep 17 00:00:00 2001 From: Tibor Vass Date: Mon, 8 Jun 2015 19:56:37 -0400 Subject: [PATCH] Do not set auth headers if 302 This patch ensures no auth headers are set for v1 registries if there was a 302 redirect. This also ensures v2 does not use authTransport. Signed-off-by: Tibor Vass --- docs/session.go | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/docs/session.go b/docs/session.go index d7478f6c..ca1f8e49 100644 --- a/docs/session.go +++ b/docs/session.go @@ -70,6 +70,15 @@ func AuthTransport(base http.RoundTripper, authConfig *cliconfig.AuthConfig, alw } func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) { + // Authorization should not be set on 302 redirect for untrusted locations. + // This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests. + // As the authorization logic is currently implemented in RoundTrip, + // a 302 redirect is detected by looking at the Referer header as go http package adds said header. + // This is safe as Docker doesn't set Referer in other scenarios. + if orig.Header.Get("Referer") != "" && !trustedLocation(orig) { + return tr.RoundTripper.RoundTrip(orig) + } + req := transport.CloneRequest(orig) tr.mu.Lock() tr.modReq[orig] = req @@ -84,13 +93,7 @@ func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) { if req.Header.Get("Authorization") == "" { if req.Header.Get("X-Docker-Token") == "true" && len(tr.Username) > 0 { req.SetBasicAuth(tr.Username, tr.Password) - } else if len(tr.token) > 0 && - // Authorization should not be set on 302 redirect for untrusted locations. - // This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests. - // As the authorization logic is currently implemented in RoundTrip, - // a 302 redirect is detected by looking at the Referer header as go http package adds said header. - // This is safe as Docker doesn't set Referer in other scenarios. - (req.Header.Get("Referer") == "" || trustedLocation(orig)) { + } else if len(tr.token) > 0 { req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ",")) } } @@ -151,7 +154,9 @@ func NewSession(client *http.Client, authConfig *cliconfig.AuthConfig, endpoint } } - client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth) + if endpoint.Version == APIVersion1 { + client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth) + } jar, err := cookiejar.New(nil) if err != nil {