Commit 13baeb3

author
Arnaud Porterie
committed
Merge pull request moby#13815 from tiborvass/do-not-send-basic-auth-on-302
Do not set auth headers for registry v1 if 302
2 parents ceee259 + 123a058 commit 13baeb3

1 file changed

Lines changed: 13 additions & 8 deletions


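--- a/registry/session.go
+++ b/registry/session.go
@@ -70,6 +70,15 @@ func AuthTransport(base http.RoundTripper, authConfig *cliconfig.AuthConfig, alw
 }
 
 func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
+	// Authorization should not be set on 302 redirect for untrusted locations.
+	// This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests.
+	// As the authorization logic is currently implemented in RoundTrip,
+	// a 302 redirect is detected by looking at the Referer header as go http package adds said header.
+	// This is safe as Docker doesn't set Referer in other scenarios.
+	if orig.Header.Get("Referer") != "" && !trustedLocation(orig) {
+		return tr.RoundTripper.RoundTrip(orig)
+	}
+
 	req := transport.CloneRequest(orig)
 	tr.mu.Lock()
 	tr.modReq[orig] = req
@@ -84,13 +93,7 @@ func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
 	if req.Header.Get("Authorization") == "" {
 		if req.Header.Get("X-Docker-Token") == "true" && len(tr.Username) > 0 {
 			req.SetBasicAuth(tr.Username, tr.Password)
-		} else if len(tr.token) > 0 &&
-			// Authorization should not be set on 302 redirect for untrusted locations.
-			// This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests.
-			// As the authorization logic is currently implemented in RoundTrip,
-			// a 302 redirect is detected by looking at the Referer header as go http package adds said header.
-			// This is safe as Docker doesn't set Referer in other scenarios.
-			(req.Header.Get("Referer") == "" || trustedLocation(orig)) {
+		} else if len(tr.token) > 0 {
 			req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ","))
 		}
 	}
@@ -151,7 +154,9 @@ func NewSession(client *http.Client, authConfig *cliconfig.AuthConfig, endpoint
 		}
 	}
 
-	client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
+	if endpoint.Version == APIVersion1 {
+		client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
+	}
 
 	jar, err := cookiejar.New(nil)
 	if err != nil {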
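Review bot: The new early return at the top of RoundTrip hands the untrusted-redirect request to the wrapped RoundTripper without registering it in tr.modReq, which the rest of the function does for every other request; if request cancellation on this transport resolves requests through that map (its lookup is outside this hunk), cancelling a redirected request would find nothing. Either the early return should be documented as deliberately unregistered, or the cancellation path should fall back to the original request when no clone is recorded. A one-line comment would make the intent explicit, e.g. `// Sent unmodified and not tracked in tr.modReq: no credentials are attached, so there is nothing to clean up.` The comment block also says "302 redirect", but Go's client sets Referer on every redirect it follows, so "redirect" would describe the guard more accurately. The body of RoundTrip continues outside the first hunk, and NewSession starts before the third.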
