API Authorization headers are sent in "CDN" download requests

Bug #2027993 reported by Przemysław Suliga
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd
Fix Committed
Undecided
Zeyad Gouda

Bug Description

After an authenticated request (eg. using X-Device-Authorization header) to a download endpoint on api.snapcraft.io, snapd follows the redirect and includes the authentication header in the request to the location the API endpoint redirects to.

This is unnecessary. The redirect location, if any, is a signed url to one of our "CDN"s and needs no further authentication.

If the API download endpoint does not return the content right away (which can happen in a snap-store-proxy setting for example) and returns a 302 response, snapd should drop any device/user authentication headers intended for the store API in the request to the redirect location.

(We've (Store) decided that this does not have to be a private bug currently.)

Revision history for this message
Samuele Pedroni (pedronis) wrote :

It should be possible to address this with https://pkg.go.dev/net/http#Client.CheckRedirect. Should we drop the authorization headers unconditionally or only if the domain is not the original one?

Revision history for this message
Przemysław Suliga (suligap) wrote :

Thanks, it should be fine to drop these headers unconditionally when requesting a download url and receiving a redirect.

Revision history for this message
Zeyad Gouda (zeyadgouda) wrote :

Hello, I am currently working on it.

Changed in snapd:
assignee: nobody → Zeyad Gouda (zeyadgouda)
status: New → In Progress
Revision history for this message
Zeyad Gouda (zeyadgouda) wrote :

Hello, PR with fix was merged: https://github.com/snapcore/snapd/pull/13055

Changed in snapd:
status: In Progress → Fix Committed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.