HTTPCLIENT-1061: Proxy-Authorization header gets sent to the target host when tunneling requests through a proxy that requires authentication

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1074473 13f79535-47bb-0310-9956-ffa450edef68

RELEASE_NOTES.txt

@@ -1,5 +1,9 @@
 Changes since 4.1
 
+* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target
+  host when tunneling requests through a proxy server that requires authentication.
+  Contributed by Oleg Kalnichevski <olegk at apache.org>
+
 * [HTTPCLIENT-1056] Fixed bug causing the RequestAuthCache protocol interceptor to generate
   an invalid AuthScope instance when looking up user credentials for preemptive authentication. 
   Contributed by Oleg Kalnichevski <olegk at apache.org>

httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java

@@ -43,6 +43,9 @@ import org.apache.http.auth.AuthState;
 import org.apache.http.auth.AuthenticationException;
 import org.apache.http.auth.ContextAwareAuthScheme;
 import org.apache.http.auth.Credentials;
+import org.apache.http.conn.HttpRoutedConnection;
+import org.apache.http.conn.routing.HttpRoute;
+import org.apache.http.protocol.ExecutionContext;
 import org.apache.http.protocol.HttpContext;
 
 /**
@@ -74,6 +77,13 @@ public class RequestProxyAuthentication implements HttpRequestInterceptor {
             return;
         }
 
+        HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(
+                ExecutionContext.HTTP_CONNECTION);
+        HttpRoute route = conn.getRoute();
+        if (route.isTunnelled()) {
+            return;
+        }
+
         // Obtain authentication state
         AuthState authState = (AuthState) context.getAttribute(
                 ClientContext.PROXY_AUTH_STATE);