Use only CredentialCache when redirecting Uris in ManagedHandler.
authorLakshmi Priya Sekar <lasekar@microsoft.com>
Wed, 6 Sep 2017 00:59:17 +0000 (17:59 -0700)
committerLakshmi Priya Sekar <lasekar@microsoft.com>
Wed, 6 Sep 2017 01:26:43 +0000 (18:26 -0700)
Commit migrated from https://github.com/dotnet/corefx/commit/9d5f5d1f8630e3c50404647926496b0d45cf1203

src/libraries/System.Net.Http/src/System/Net/Http/Managed/AuthenticationHandler.cs
src/libraries/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.cs

index e4ddde8..9a47f6c 100644 (file)
@@ -14,7 +14,7 @@ namespace System.Net.Http
     {
         private readonly HttpMessageHandler _innerHandler;
         private readonly bool _preAuthenticate;
-        private readonly ICredentials _credentials;
+        private ICredentials _credentials;
         private AuthenticationHelper.DigestResponse _digestResponse;
 
         public AuthenticationHandler(bool preAuthenticate, ICredentials credentials, HttpMessageHandler innerHandler)
@@ -44,7 +44,19 @@ namespace System.Net.Http
 
             HttpResponseMessage response = await _innerHandler.SendAsync(request, cancellationToken).ConfigureAwait(false);
 
-            if (!_preAuthenticate && response.StatusCode == HttpStatusCode.Unauthorized)
+            // In case of redirection, ensure _credentials as CredentialCache
+            if (response.StatusCode == HttpStatusCode.MultipleChoices ||
+                response.StatusCode == HttpStatusCode.Moved ||
+                response.StatusCode == HttpStatusCode.Found ||
+                response.StatusCode == HttpStatusCode.SeeOther ||
+                response.StatusCode == HttpStatusCode.TemporaryRedirect)
+            {
+                // Just as with WinHttpHandler and CurlHandler, for security reasons, we drop the server credential if it is
+                // anything other than a CredentialCache. We allow credentials in a CredentialCache since they
+                // are specifically tied to URIs.
+                _credentials = _credentials as CredentialCache;
+            }
+            else if (_credentials != null && !_preAuthenticate && response.StatusCode == HttpStatusCode.Unauthorized)
             {
                 HttpHeaderValueCollection<AuthenticationHeaderValue> authenticateValues = response.Headers.WwwAuthenticate;
 
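Review bot: `_credentials = _credentials as CredentialCache;` in the new redirect branch rewrites handler-wide state to influence the next request, so the downgrade is not scoped to the redirected request: the field lost its `readonly`, every later request through this handler instance sees the reduced (possibly null) credentials once any response was a 3xx, and concurrent requests race on the write. A subsequent 401 from the original server then skips the `else if` entirely because `_credentials` is null. Keep the field `readonly` and decide per request instead, e.g. a local `ICredentials credentials = isRedirectedRequest ? _credentials as CredentialCache : _credentials;` used by the 401 branch, with the "this request follows a redirect" fact carried on the request itself by the component that knows it (the redirect handler, outside this diff) rather than in handler state. This assumes the redirect is followed by an outer handler that re-enters SendAsync, which the hunk implies but does not show. The status list also omits 308 Permanent Redirect; if the redirect handler follows it, compare `(int)response.StatusCode == 308` as well.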
index f5dbf63..79c2b84 100644 (file)
@@ -813,12 +813,6 @@ namespace System.Net.Http.Functional.Tests
         [Fact]
         public async Task GetAsync_CredentialIsNetworkCredentialUriRedirect_StatusCodeUnauthorized()
         {
-            if (ManagedHandlerTestHelpers.IsEnabled)
-            {
-                // TODO #23129: The managed handler is currently getting Ok when it should be getting Unauthorized.
-                return;
-            }
-
             var handler = new HttpClientHandler();
             handler.Credentials = _credential;
             using (var client = new HttpClient(handler))