[arvados] updated: 2.7.0-5102-g359be27e63

git repository hosting git at public.arvados.org
Mon Oct 30 13:48:47 UTC 2023


Summary of changes:
 services/keep-web/handler.go      | 38 +++++++++++++++++---------
 services/keep-web/handler_test.go | 56 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 76 insertions(+), 18 deletions(-)

       via  359be27e63987690c6e14813c763ea349f4a9534 (commit)
       via  c84ffebec2f5f7d8db00a2ce82e7c764ccb4cdd8 (commit)
       via  9b9ada224856e289cdd9e81954c4ea3c3bc1fe68 (commit)
      from  79c3a619453df42b1177f92a442700906ff13c64 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 359be27e63987690c6e14813c763ea349f4a9534
Merge: 79c3a61945 c84ffebec2
Author: Brett Smith <brett.smith at curii.com>
Date:   Mon Oct 30 09:48:40 2023 -0400

    Merge branch '21025-keep-web-redirect-bypass'
    
    Closes #21025.
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>


commit c84ffebec2f5f7d8db00a2ce82e7c764ccb4cdd8
Author: Brett Smith <brett.smith at curii.com>
Date:   Mon Oct 30 09:47:24 2023 -0400

    21025: Clarify explanation
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 0df19d443d..123c4fe34d 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -297,10 +297,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	origin := r.Header.Get("Origin")
 	cors := origin != "" && !strings.HasSuffix(origin, "://"+r.Host)
 	safeAjax := cors && (r.Method == http.MethodGet || r.Method == http.MethodHead)
-	// Important distiction: safeAttachment checks whether api_token exists as
-	// a query parameter. The following condition checks whether api_token
-	// exists as request form data *or* a query parameter. This distinction is
-	// necessary to redirect when required, and not when not.
+	// Important distinction: safeAttachment checks whether api_token exists
+	// as a query parameter. haveFormTokens checks whether api_token exists
+	// as request form data *or* a query parameter. Different checks are
+	// necessary because both the request disposition and the location of
+	// the API token affect whether or not the request needs to be
+	// redirected. The different branch comments below explain further.
 	safeAttachment := attachment && !r.URL.Query().Has("api_token")
 	if formTokens, haveFormTokens := r.Form["api_token"]; !haveFormTokens {
 		// No token to use or redact.
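Review bot: The rewritten comment above `safeAttachment` says haveFormTokens covers request form data or a query parameter, but that is only true once the request form has been parsed, and no parse call is visible in this hunk. ServeHTTP starts and ends outside the hunk, so presumably the parse happens earlier in the function. Stating the dependency would help, for example `// r.Form is filled in earlier in ServeHTTP and merges query-string and body values.`, because a request with an unparsed form would carry a token and still take the "No token to use or redact" branch. The phrase "request disposition" would also be easier to follow if it named the `attachment` variable that `safeAttachment` is built from.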

-----------------------------------------------------------------------


hooks/post-receive
-- 



