Fix the Host header when using basic auth credentials in the URL.

minrk · Feb 20, 2012 · 530731c · 530731c
1 parent 0f30e15
commit 530731c
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
@@ -259,7 +259,10 @@ def _on_connect(self, parsed, parsed_hostname):
         if "Connection" not in self.request.headers:
             self.request.headers["Connection"] = "close"
         if "Host" not in self.request.headers:
-            self.request.headers["Host"] = parsed.netloc
+            if '@' in parsed.netloc:
+                self.request.headers["Host"] = parsed.netloc.rpartition('@')[-1]
+            else:
+                self.request.headers["Host"] = parsed.netloc
         username, password = None, None
         if parsed.username is not None:
             username, password = parsed.username, parsed.password

diff --git a/tornado/test/simple_httpclient_test.py b/tornado/test/simple_httpclient_test.py
@@ -3,6 +3,7 @@
 import collections
 import gzip
 import logging
+import re
 import socket
 
 from tornado.ioloop import IOLoop
@@ -74,6 +75,10 @@ def get(self):
         assert not self.request.body
         self.write("ok")
 
+class HostEchoHandler(RequestHandler):
+    def get(self):
+        self.write(self.request.headers["Host"])
+
 
 class SimpleHTTPClientTestCase(AsyncHTTPTestCase, LogTrapTestCase):
     def setUp(self):
@@ -95,6 +100,7 @@ def get_app(self):
             url("/no_content", NoContentHandler),
             url("/303_post", SeeOther303PostHandler),
             url("/303_get", SeeOther303GetHandler),
+            url("/host_echo", HostEchoHandler),
             ], gzip=True)
 
     def test_singleton(self):
@@ -239,3 +245,13 @@ def test_no_content(self):
         # 204 status with non-zero content length is malformed
         response = self.fetch("/no_content?error=1")
         self.assertEqual(response.code, 599)
+
+    def test_host_header(self):
+        host_re = re.compile(b("^localhost:[0-9]+$"))
+        response = self.fetch("/host_echo")
+        self.assertTrue(host_re.match(response.body))
+
+        url = self.get_url("/host_echo").replace("http://", "http://me:secret@")
+        self.http_client.fetch(url, self.stop)
+        response = self.wait()
+        self.assertTrue(host_re.match(response.body), response.body)
diff --git a/website/sphinx/releases/next.rst b/website/sphinx/releases/next.rst
@@ -28,3 +28,5 @@ In progress
   method).
 * The ``Etag`` header is now returned on 304 responses to an ``If-None-Match``
   request, improving compatibility with some caches.
+* `tornado.simple_httpclient` no longer includes basic auth credentials
+  in the ``Host`` header when those credentials are extracted from the URL.