/vsicurl/ GetFileSizeOrHeaders(): do not propagate authentication sent to the original URL to a S3-like redirect

Co-authored-by: Robin Princeley <[email protected]>

Author: rouault

autotest/gcore/vsicurl.py

@@ -617,6 +617,9 @@ def test_vsicurl_test_redirect_x_amz(server):
     current_time = 1500
 
     def method(request):
+
+        assert request.headers["Authorization"] == "Bearer xxx"
+
         response = "HTTP/1.1 302 Found\r\n"
         response += "Server: foo\r\n"
         response += (
@@ -625,7 +628,7 @@ def method(request):
             + "\r\n"
         )
         response += "Location: %s\r\n" % (
-            "http://localhost:%d/foo.s3.amazonaws.com/test_redirected/test.bin?X-Amz-Signature=foo&X-Amz-Expires=30&X-Amz-Date=%s"
+            "http://127.0.0.1:%d/foo.s3.amazonaws.com/test_redirected/test.bin?X-Amz-Signature=foo&X-Amz-Expires=30&X-Amz-Date=%s"
             % (
                 server.port,
                 time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(current_time)),
@@ -642,9 +645,13 @@ def method(request):
         403,
         {"Server": "foo"},
         "",
+        unexpected_headers=["Authorization"],
     )
 
     def method(request):
+
+        assert "Authorization" not in request.headers
+
         if "Range" in request.headers:
             if request.headers["Range"] == "bytes=0-16383":
                 request.protocol_version = "HTTP/1.1"
@@ -687,10 +694,25 @@ def method(request):
         custom_method=method,
     )
 
-    with webserver.install_http_handler(handler):
-        f = gdal.VSIFOpenL(
-            "/vsicurl/http://localhost:%d/test_redirect/test.bin" % server.port,
-            "rb",
+    gdal.SetPathSpecificOption(
+        "/vsicurl/http://localhost:%d/test_redirect" % server.port,
+        "GDAL_HTTP_AUTH",
+        "BEARER",
+    )
+    gdal.SetPathSpecificOption(
+        "/vsicurl/http://localhost:%d/test_redirect" % server.port,
+        "GDAL_HTTP_BEARER",
+        "xxx",
+    )
+    try:
+        with webserver.install_http_handler(handler):
+            f = gdal.VSIFOpenL(
+                "/vsicurl/http://localhost:%d/test_redirect/test.bin" % server.port,
+                "rb",
+            )
+    finally:
+        gdal.ClearPathSpecificOptions(
+            "/vsicurl/http://localhost:%d/test_redirect" % server.port
         )
     assert f is not None
 

port/cpl_vsil_curl.cpp

@@ -1145,8 +1145,27 @@ vsi_l_offset VSICurlHandle::GetFileSizeOrHeaders(bool bSetError,
     ++nTryCount;
     CURL *hCurlHandle = curl_easy_init();
 
-    struct curl_slist *headers =
-        VSICurlSetOptions(hCurlHandle, osURL.c_str(), m_aosHTTPOptions.List());
+    struct curl_slist *headers = nullptr;
+    if (bS3LikeRedirect)
+    {
+        // Do not propagate authentication sent to the original URL to a S3-like
+        // redirect.
+        CPLStringList aosHTTPOptions{};
+        for (const auto &pszOption : m_aosHTTPOptions)
+        {
+            if (STARTS_WITH_CI(pszOption, "HTTPAUTH") ||
+                STARTS_WITH_CI(pszOption, "HTTP_BEARER"))
+                continue;
+            aosHTTPOptions.AddString(pszOption);
+        }
+        headers = VSICurlSetOptions(hCurlHandle, osURL.c_str(),
+                                    aosHTTPOptions.List());
+    }
+    else
+    {
+        headers = VSICurlSetOptions(hCurlHandle, osURL.c_str(),
+                                    m_aosHTTPOptions.List());
+    }
 
     WriteFuncStruct sWriteFuncHeaderData;
     VSICURLInitWriteFuncStruct(&sWriteFuncHeaderData, nullptr, nullptr,