summaryrefslogtreecommitdiff
path: root/vendor/k8s.io/client-go/transport/round_trippers.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/k8s.io/client-go/transport/round_trippers.go')
-rw-r--r--vendor/k8s.io/client-go/transport/round_trippers.go112
1 files changed, 110 insertions, 2 deletions
diff --git a/vendor/k8s.io/client-go/transport/round_trippers.go b/vendor/k8s.io/client-go/transport/round_trippers.go
index c728b1877..de64e0078 100644
--- a/vendor/k8s.io/client-go/transport/round_trippers.go
+++ b/vendor/k8s.io/client-go/transport/round_trippers.go
@@ -17,6 +17,7 @@ limitations under the License.
package transport
import (
+ "bytes"
"fmt"
"net/http"
"strings"
@@ -129,7 +130,7 @@ func SetAuthProxyHeaders(req *http.Request, username string, groups []string, ex
}
for key, values := range extra {
for _, value := range values {
- req.Header.Add("X-Remote-Extra-"+key, value)
+ req.Header.Add("X-Remote-Extra-"+headerKeyEscape(key), value)
}
}
}
@@ -246,7 +247,7 @@ func (rt *impersonatingRoundTripper) RoundTrip(req *http.Request) (*http.Respons
}
for k, vv := range rt.impersonate.Extra {
for _, v := range vv {
- req.Header.Add(ImpersonateUserExtraHeaderPrefix+k, v)
+ req.Header.Add(ImpersonateUserExtraHeaderPrefix+headerKeyEscape(k), v)
}
}
@@ -422,3 +423,110 @@ func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, e
func (rt *debuggingRoundTripper) WrappedRoundTripper() http.RoundTripper {
return rt.delegatedRoundTripper
}
+
+func legalHeaderByte(b byte) bool {
+ return int(b) < len(legalHeaderKeyBytes) && legalHeaderKeyBytes[b]
+}
+
+func shouldEscape(b byte) bool {
+ // url.PathUnescape() returns an error if any '%' is not followed by two
+ // hexadecimal digits, so we'll intentionally encode it.
+ return !legalHeaderByte(b) || b == '%'
+}
+
+func headerKeyEscape(key string) string {
+ var buf bytes.Buffer
+ for i := 0; i < len(key); i++ {
+ b := key[i]
+ if shouldEscape(b) {
+ // %-encode bytes that should be escaped:
+ // https://tools.ietf.org/html/rfc3986#section-2.1
+ fmt.Fprintf(&buf, "%%%02X", b)
+ continue
+ }
+ buf.WriteByte(b)
+ }
+ return buf.String()
+}
+
+// legalHeaderKeyBytes was copied from net/http/lex.go's isTokenTable.
+// See https://httpwg.github.io/specs/rfc7230.html#rule.token.separators
+var legalHeaderKeyBytes = [127]bool{
+ '%': true,
+ '!': true,
+ '#': true,
+ '$': true,
+ '&': true,
+ '\'': true,
+ '*': true,
+ '+': true,
+ '-': true,
+ '.': true,
+ '0': true,
+ '1': true,
+ '2': true,
+ '3': true,
+ '4': true,
+ '5': true,
+ '6': true,
+ '7': true,
+ '8': true,
+ '9': true,
+ 'A': true,
+ 'B': true,
+ 'C': true,
+ 'D': true,
+ 'E': true,
+ 'F': true,
+ 'G': true,
+ 'H': true,
+ 'I': true,
+ 'J': true,
+ 'K': true,
+ 'L': true,
+ 'M': true,
+ 'N': true,
+ 'O': true,
+ 'P': true,
+ 'Q': true,
+ 'R': true,
+ 'S': true,
+ 'T': true,
+ 'U': true,
+ 'W': true,
+ 'V': true,
+ 'X': true,
+ 'Y': true,
+ 'Z': true,
+ '^': true,
+ '_': true,
+ '`': true,
+ 'a': true,
+ 'b': true,
+ 'c': true,
+ 'd': true,
+ 'e': true,
+ 'f': true,
+ 'g': true,
+ 'h': true,
+ 'i': true,
+ 'j': true,
+ 'k': true,
+ 'l': true,
+ 'm': true,
+ 'n': true,
+ 'o': true,
+ 'p': true,
+ 'q': true,
+ 'r': true,
+ 's': true,
+ 't': true,
+ 'u': true,
+ 'v': true,
+ 'w': true,
+ 'x': true,
+ 'y': true,
+ 'z': true,
+ '|': true,
+ '~': true,
+}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-10-19 09:20:59 +0000