[SR-15731] swift-package-manager HTTPClient misuses URLSession reserved Authorization header #4358

Open
bobergj opened this issue Jan 14, 2022 · 0 comments
bobergj commented Jan 14, 2022

| | |
|---|---|
| Previous ID | SR-15731 |
| Radar | None |
| Original Reporter | @bobergj |
| Type | Bug |

Environment

macOS

Additional Detail from JIRA

| | |
|---|---|
| Votes | 0 |
| Component/s | Package Manager |
| Labels | Bug |
| Assignee | None |
| Priority | Medium |

md5: 2319ff00230245d8f90e2f2a01e4ccb4

Issue Description:

Summary

When the package manager sets an authorization header on a URL request, and is using the `URLSessionHTTPClient` as the underlying HTTP client, it's misusing URLSession/URLRequest since the "Authorization" header is a reserved one on macOS:
See https://developer.apple.com/documentation/foundation/urlrequest
and linked https://developer.apple.com/documentation/foundation/nsurlrequest#1776617
> Reserved HTTP Headers
>
> The URL Loading System handles various aspects of the HTTP protocol for you (HTTP 1.1 persistent connections, proxies, authentication, and so on). As part of this support, the URL Loading System takes responsibility for certain HTTP headers:
> ...
> Authorization
> ...
> If you set a value for one of these reserved headers, the system may ignore the value you set, or overwrite it with its own value, or simply not send it. Moreover, the exact behavior may change over time. To avoid confusing problems like this, do not set these headers directly.

Code Details

The package manager has an authorization provider mechanism for URL requests:

```swift
public protocol AuthorizationProvider {
    func authentication(for url: Foundation.URL) -> (user: String, password: String)?
}
```

`HTTPClient` sets the Authorization header based on the value given from the authorization provider here:

```swift
if let authorization = request.options.authorizationProvider?(request.url), !request.headers.contains("Authorization") {
    request.headers.add(name: "Authorization", value: authorization)
}
```

When the `HTTPClient` is using the `URLSessionHTTPClient` as the underlying client:

```swift
self.underlying = handler ?? URLSessionHTTPClient().execute
```

(which I believe happens always at least on macOS), the header values are set using `request.addValue(header.value, forHTTPHeaderField: header.name)` on a URLRequest here:

```swift
self.headers.forEach { header in
    request.addValue(header.value, forHTTPHeaderField: header.name)
}
```

@swift-ci swift-ci transferred this issue from apple/swift-issues Apr 25, 2022
@shahmishal shahmishal transferred this issue from apple/swift May 4, 2022
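
An added example, not part of the original issue and not SwiftPM code: one way a URLSession-based client can supply credentials from an `AuthorizationProvider` by answering the authentication challenge instead of setting the reserved `Authorization` header. `ProviderBackedAuthDelegate`, `StaticProvider` and the host `packages.example.com` are hypothetical, and it assumes the server answers unauthenticated requests with a 401 challenge (`WWW-Authenticate`).

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLSession lives here on non-Apple platforms
#endif

// Protocol as quoted in the issue.
public protocol AuthorizationProvider {
    func authentication(for url: Foundation.URL) -> (user: String, password: String)?
}

// Hypothetical delegate: hands the provider's credential to the URL Loading
// System, which then builds and sends the Authorization header itself.
final class ProviderBackedAuthDelegate: NSObject, URLSessionTaskDelegate {
    private let provider: AuthorizationProvider
    init(provider: AuthorizationProvider) { self.provider = provider }

    func urlSession(_ session: URLSession, task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only answer origin-server password challenges; TLS trust and proxy auth stay with the system.
        let passwordMethods = [NSURLAuthenticationMethodHTTPBasic, NSURLAuthenticationMethodHTTPDigest]
        guard passwordMethods.contains(space.authenticationMethod), !space.isProxy() else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Fail closed: no retry after a rejected credential, and no credential
        // unless the URL being loaded belongs to the host issuing the challenge.
        guard challenge.previousFailureCount == 0,
              let url = task.currentRequest?.url,
              url.host?.lowercased() == space.host.lowercased(),
              let auth = provider.authentication(for: url) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // .none: the credential is used for this challenge only and is not stored.
        completionHandler(.useCredential,
            URLCredential(user: auth.user, password: auth.password, persistence: .none))
    }
}

// Constructed sample provider and session wiring.
struct StaticProvider: AuthorizationProvider {
    func authentication(for url: URL) -> (user: String, password: String)? {
        return url.host == "packages.example.com" ? (user: "ci", password: "placeholder") : nil
    }
}
let session = URLSession(configuration: .ephemeral,
    delegate: ProviderBackedAuthDelegate(provider: StaticProvider()), delegateQueue: nil)
```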