Strip credentials on cross-domain redirects and HTTPS-to-HTTP downgrades

Authorization and Proxy-Authorization headers, along with Realm credentials,
were forwarded to arbitrary redirect targets regardless of origin.

Author: hyperxpro

client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java

@@ -104,15 +104,33 @@ public boolean exitAfterHandlingRedirect(Channel channel, NettyResponseFuture<?>
                         (statusCode == MOVED_PERMANENTLY_301 || statusCode == SEE_OTHER_303 || statusCode == FOUND_302 && !config.isStrict302Handling());
                 boolean keepBody = statusCode == TEMPORARY_REDIRECT_307 || statusCode == PERMANENT_REDIRECT_308 || statusCode == FOUND_302 && config.isStrict302Handling();
 
+                HttpHeaders responseHeaders = response.headers();
+                String location = responseHeaders.get(LOCATION);
+                Uri newUri = Uri.create(future.getUri(), location);
+                LOGGER.debug("Redirecting to {}", newUri);
+
+                boolean sameBase = request.getUri().isSameBase(newUri);
+                boolean schemeDowngrade = request.getUri().isSecured() && !newUri.isSecured();
+                boolean stripAuth = !sameBase || schemeDowngrade || stripAuthorizationOnRedirect;
+
+                if (stripAuth && (request.getRealm() != null || request.getHeaders().contains(AUTHORIZATION))) {
+                    LOGGER.debug("Stripping credentials on redirect to {}", newUri);
+                }
+
                 final RequestBuilder requestBuilder = new RequestBuilder(switchToGet ? GET : originalMethod)
                         .setChannelPoolPartitioning(request.getChannelPoolPartitioning())
                         .setFollowRedirect(true)
                         .setLocalAddress(request.getLocalAddress())
                         .setNameResolver(request.getNameResolver())
                         .setProxyServer(request.getProxyServer())
-                        .setRealm(request.getRealm())
+                        .setRealm(stripAuth ? null : request.getRealm())
                         .setRequestTimeout(request.getRequestTimeout());
 
+                if (stripAuth) {
+                    future.setRealm(null);
+                    future.setProxyRealm(null);
+                }
+
                 if (keepBody) {
                     requestBuilder.setCharset(request.getCharset());
                     if (isNonEmpty(request.getFormParams())) {
@@ -130,18 +148,13 @@ public boolean exitAfterHandlingRedirect(Channel channel, NettyResponseFuture<?>
                     }
                 }
 
-                requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody, stripAuthorizationOnRedirect));
+                requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody, stripAuth));
 
                 // in case of a redirect from HTTP to HTTPS, future
                 // attributes might change
                 final boolean initialConnectionKeepAlive = future.isKeepAlive();
                 final Object initialPartitionKey = future.getPartitionKey();
 
-                HttpHeaders responseHeaders = response.headers();
-                String location = responseHeaders.get(LOCATION);
-                Uri newUri = Uri.create(future.getUri(), location);
-                LOGGER.debug("Redirecting to {}", newUri);
-
                 CookieStore cookieStore = config.getCookieStore();
                 if (cookieStore != null) {
                     // Update request's cookies assuming that cookie store is already updated by Interceptors
@@ -150,7 +163,6 @@ public boolean exitAfterHandlingRedirect(Channel channel, NettyResponseFuture<?>
                     }
                 }
 
-                boolean sameBase = request.getUri().isSameBase(newUri);
                 if (sameBase) {
                     // we can only assume the virtual host is still valid if the baseUrl is the same
                     requestBuilder.setVirtualHost(request.getVirtualHost());