From: Ben Darnell <ben@bendarnell.com>
Date: Mon, 20 Feb 2012 06:17:45 +0000 (-0800)
Subject: Fix the Host header when using basic auth credentials in the URL.
X-Git-Tag: v2.3.0~80
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=530731cc8d3e7a686e3424e5a800703f3aa9737d;p=thirdparty%2Ftornado.git

Fix the Host header when using basic auth credentials in the URL.
---

diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
index aa2bec637..755c63ae0 100644
--- a/tornado/simple_httpclient.py
+++ b/tornado/simple_httpclient.py
@@ -259,7 +259,10 @@ class _HTTPConnection(object):
         if "Connection" not in self.request.headers:
             self.request.headers["Connection"] = "close"
         if "Host" not in self.request.headers:
-            self.request.headers["Host"] = parsed.netloc
+            if '@' in parsed.netloc:
+                self.request.headers["Host"] = parsed.netloc.rpartition('@')[-1]
+            else:
+                self.request.headers["Host"] = parsed.netloc
         username, password = None, None
         if parsed.username is not None:
             username, password = parsed.username, parsed.password
diff --git a/tornado/test/simple_httpclient_test.py b/tornado/test/simple_httpclient_test.py
index 1d26193fa..f2fc12d3b 100644
--- a/tornado/test/simple_httpclient_test.py
+++ b/tornado/test/simple_httpclient_test.py
@@ -3,6 +3,7 @@ from __future__ import absolute_import, division, with_statement
 import collections
 import gzip
 import logging
+import re
 import socket
 
 from tornado.ioloop import IOLoop
@@ -74,6 +75,10 @@ class SeeOther303GetHandler(RequestHandler):
         assert not self.request.body
         self.write("ok")
 
+class HostEchoHandler(RequestHandler):
+    def get(self):
+        self.write(self.request.headers["Host"])
+
 
 class SimpleHTTPClientTestCase(AsyncHTTPTestCase, LogTrapTestCase):
     def setUp(self):
@@ -95,6 +100,7 @@ class SimpleHTTPClientTestCase(AsyncHTTPTestCase, LogTrapTestCase):
             url("/no_content", NoContentHandler),
             url("/303_post", SeeOther303PostHandler),
             url("/303_get", SeeOther303GetHandler),
+            url("/host_echo", HostEchoHandler),
             ], gzip=True)
 
     def test_singleton(self):
@@ -239,3 +245,13 @@ class SimpleHTTPClientTestCase(AsyncHTTPTestCase, LogTrapTestCase):
         # 204 status with non-zero content length is malformed
         response = self.fetch("/no_content?error=1")
         self.assertEqual(response.code, 599)
+
+    def test_host_header(self):
+        host_re = re.compile(b("^localhost:[0-9]+$"))
+        response = self.fetch("/host_echo")
+        self.assertTrue(host_re.match(response.body))
+
+        url = self.get_url("/host_echo").replace("http://", "http://me:secret@")
+        self.http_client.fetch(url, self.stop)
+        response = self.wait()
+        self.assertTrue(host_re.match(response.body), response.body)
diff --git a/website/sphinx/releases/next.rst b/website/sphinx/releases/next.rst
index cc29c60b1..365e48b78 100644
--- a/website/sphinx/releases/next.rst
+++ b/website/sphinx/releases/next.rst
@@ -28,3 +28,5 @@ In progress
   method).
 * The ``Etag`` header is now returned on 304 responses to an ``If-None-Match``
   request, improving compatibility with some caches.
+* `tornado.simple_httpclient` no longer includes basic auth credentials
+  in the ``Host`` header when those credentials are extracted from the URL.