Respect URL-encoded credentials in redirect location (#14315)

uv currently ignores URL-encoded credentials in a redirect location.
This PR adds a check for these credentials to the redirect handling
logic. If found, they are moved to the Authorization header in the
redirect request.

Closes #11097
John Mumm 2025-06-27 16:41:14 +02:00 committed by GitHub
parent 56266447e2
commit a824468c8b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 72 additions and 2 deletions


@ -25,6 +25,7 @@ use tracing::{debug, trace};
use url::ParseError;
use url::Url;
use uv_auth::Credentials;
use uv_auth::{AuthMiddleware, Indexes};
use uv_configuration::{KeyringProviderType, TrustedHost};
use uv_fs::Simplified;
@ -725,6 +726,16 @@ fn request_into_redirect(
}
}
// Check if there are credentials on the redirect location itself.
// If so, move them to Authorization header.
if !redirect_url.username().is_empty() {
if let Some(credentials) = Credentials::from_url(&redirect_url) {
let _ = redirect_url.set_username("");
let _ = redirect_url.set_password(None);
headers.insert(AUTHORIZATION, credentials.to_header_value());
}
}
std::mem::swap(req.headers_mut(), &mut headers);
*req.url_mut() = Url::from(redirect_url);
debug!(