Clear credential headers when redirecting to cross site

lib/mechanize/http/agent.rb

@@ -9,6 +9,8 @@
 
 class Mechanize::HTTP::Agent
 
+  CREDENTIAL_HEADERS = ['Authorization', 'Cookie']
+
   # :section: Headers
 
   # Disables If-Modified-Since conditional requests (enabled by default)
@@ -995,6 +997,12 @@ def response_redirect(response, method, page, redirects, headers,
 
     @history.push(page, page.uri)
 
+    if new_uri.host != page.uri.host
+      CREDENTIAL_HEADERS.each do |ch|
+        headers.delete_if{ |h| h.downcase == ch.downcase }
+      end
+    end
+
     fetch new_uri, redirect_method, headers, [], referer, redirects + 1
   end
 

test/test_mechanize_http_agent.rb

@@ -1555,6 +1555,44 @@ def test_response_redirect_limit
     end
   end
 
+  def test_response_redirect_to_cross_site_with_credential
+    @agent.redirect_ok = true
+
+    headers = {
+      'Range' => 'bytes=0-9999',
+      'Content-Type' => 'application/x-www-form-urlencoded',
+      'Content-Length' => '9999',
+      'Authorization' => 'Basic xxx',
+      'Cookie' => 'name=value',
+    }
+
+    page = html_page ''
+    @agent.response_redirect({ 'Location' => 'http://trap' }, :get,
+                             page, 0, headers)
+
+    assert !(headers.keys.include? 'Authorization')
+    assert !(headers.keys.include? 'Cookie')
+  end
+
+  def test_response_redirect_to_same_site_with_credential
+    @agent.redirect_ok = true
+
+    headers = {
+      'Range' => 'bytes=0-9999',
+      'Content-Type' => 'application/x-www-form-urlencoded',
+      'Content-Length' => '9999',
+      'Authorization' => 'Basic xxx',
+      'Cookie' => 'name=value',
+    }
+
+    page = html_page ''
+    @agent.response_redirect({ 'Location' => 'http://example' }, :get,
+                             page, 0, headers)
+
+    assert headers.keys.include? 'Authorization'
+    assert headers.keys.include? 'Cookie'
+  end
+
   def test_response_redirect_not_ok
     @agent.redirect_ok = false