Do not add auth and cookie header when redirecting #465
puppet-archive/lib/puppet_x/bodeco/util.rb Lines 86 to 118 in 2f4cb0f
I know this code hasn't been touched since initially created by @nanliu so not sure if anyone wants to tackle this.
Since archive is implementing its own HTTP client (PuppetX::Bodeco::Util) for http downloads, the fix for PUP-11188 (puppetlabs/puppet@9a8d3ef) needs to be implemented here as well, or we need to move away from this library in favor of the default Puppet::Network::HTTP.

The underlying problem, in an example, is that JFrog Cloud will redirect authenticated header/cookie information from the session to the s3 bucket for download. The s3 bucket only needs the Signature that JFrog will provide based on the storage configuration it has, not the session/auth from the client -> JFrog part.
Passing this info on from the client auth is potentially a security risk but causes the client to fail to download due to more than one auth being sent:
Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified
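The behaviour the issue asks for, written out as an added Ruby example (this is not puppet-archive's or Puppet's code, and the module name, method names and the fake artifactory/S3 hosts are constructed for the example): credentials sent to the first host are dropped when a redirect leaves that origin, so the presigned S3 URL is fetched with its query-string signature alone. A small in-memory stand-in for the two servers lets the same download loop run offline with and without the stripping, reproducing the "Only one auth mechanism allowed" rejection when the Authorization and Cookie headers are replayed.

```ruby
require 'uri'

# Added example, not code from puppet-archive: decide which request headers may
# follow a redirect. Credentials issued for one origin (Authorization, Cookie,
# Proxy-Authorization) must not be replayed against a different origin.
module RedirectHeaders
  SENSITIVE = %w[authorization cookie proxy-authorization].freeze

  # True when scheme, host (case-insensitive) and port all match.
  def self.same_origin?(from, to)
    from = URI(from)
    to = URI(to)
    from.scheme == to.scheme &&
      from.host.to_s.casecmp?(to.host.to_s) &&
      from.port == to.port
  end

  # Headers to send to +location+ when redirected away from +current+.
  # Relative Location values are resolved against the current URL.
  def self.for_redirect(current, location, headers)
    target = URI(current).merge(location)
    return headers.dup if same_origin?(current, target)
    headers.reject { |name, _| SENSITIVE.include?(name.to_s.downcase) }
  end

  # Follow up to +limit+ redirects. +request+ is a callable returning
  # [status, response_headers, body]; a real client would wrap Net::HTTP here
  # (Net::HTTP header lookup is case-insensitive, the fake below uses lowercase).
  # With strip: false the headers are forwarded unchanged, i.e. the current bug.
  def self.follow(uri, headers, request, limit: 5, strip: true)
    limit.times do
      status, resp_headers, body = request.call(uri, headers)
      location = resp_headers['location']
      return [status, uri, headers, body] unless (300..399).cover?(status) && location

      headers = for_redirect(uri, location, headers) if strip
      uri = URI(uri).merge(location).to_s
    end
    raise 'too many redirects'
  end

  # Constructed stand-in for the servers described in the issue: an artifactory
  # host that answers 302 with a presigned S3 URL, and an S3 host that rejects
  # any request carrying a second auth mechanism beside X-Amz-Signature.
  FAKE_SERVER = lambda do |uri, headers|
    u = URI(uri)
    if u.host == 'artifactory.example.com'
      [302, { 'location' => 'https://bucket.s3.amazonaws.com/a.tgz?X-Amz-Signature=sig' }, '']
    elsif headers.keys.any? { |k| %w[authorization cookie].include?(k.to_s.downcase) }
      [400, {}, 'Only one auth mechanism allowed']
    else
      [200, {}, 'archive-bytes']
    end
  end

  # Run the download against the fake servers; returns [status, uri, headers, body].
  def self.demo(strip: true)
    headers = {
      'Authorization' => 'Basic dXNlcjpwYXNz', # constructed credentials
      'Cookie' => 'JSESSIONID=deadbeef',
      'User-Agent' => 'puppet-archive'
    }
    follow('https://artifactory.example.com/repo/a.tgz', headers, FAKE_SERVER, strip: strip)
  end
end

if $PROGRAM_NAME == __FILE__
  fixed = RedirectHeaders.demo(strip: true)
  buggy = RedirectHeaders.demo(strip: false)
  puts "stripped:  HTTP #{fixed[0]} from #{fixed[1]} -> #{fixed[3]}"
  puts "forwarded: HTTP #{buggy[0]} from #{buggy[1]} -> #{buggy[3]}"
end
```

Same-origin redirects (for example a relative Location on the same artifactory host) keep all headers, so authenticated downloads that never leave the origin are unaffected; only the cross-origin hop loses the session credentials.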