From 5418e3be0c799c868cb7440ac7837933a153b399 Mon Sep 17 00:00:00 2001 From: Jeffrey van Gogh Date: Mon, 1 Jun 2015 15:13:35 -0700 Subject: [PATCH] Upon HTTP 302 redirect do not include "Authorization" header on 'untrusted' registries. Refactoring in Docker 1.7 changed the behavior to add this header where as Docker <= 1.6 wouldn't emit this Header on a HTTP 302 redirect. This closes #13649 Signed-off-by: Jeffrey van Gogh --- docs/session.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/session.go b/docs/session.go index 71b27bef..024685ae 100644 --- a/docs/session.go +++ b/docs/session.go @@ -84,7 +84,13 @@ func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) { if req.Header.Get("Authorization") == "" { if req.Header.Get("X-Docker-Token") == "true" && len(tr.Username) > 0 { req.SetBasicAuth(tr.Username, tr.Password) - } else if len(tr.token) > 0 { + } else if len(tr.token) > 0 && + // Authorization should not be set on 302 redirect for untrusted locations. + // This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests. + // As the authorization logic is currently implemented in RoundTrip, + // a 302 redirect is detected by looking at the Referer header as go http package adds said header. + // This is safe as Docker doesn't set Referer in other scenarios. + (req.Header.Get("Referer") == "" || trustedLocation(orig)) { req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ",")) } }