From b3fd94c13d00f368dbd0f9414e699077ee4a6887 Mon Sep 17 00:00:00 2001
From: Antoine GIRARD <sapk@users.noreply.github.com>
Date: Tue, 30 Jan 2018 23:09:16 +0100
Subject: [PATCH] Add sensitive headers (#3429)

* Add HeaderWithSensitiveCase methods to respect casing

* Update webhook.go
---
 models/webhook.go          | 4 ++--
 modules/httplib/httplib.go | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/models/webhook.go b/models/webhook.go
index b18b9e35a3..62db84f86a 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -588,8 +588,8 @@ func (t *HookTask) deliver() {
 		Header("X-Gitea-Event", string(t.EventType)).
 		Header("X-Gogs-Delivery", t.UUID).
 		Header("X-Gogs-Event", string(t.EventType)).
-		Header("X-GitHub-Delivery", t.UUID).
-		Header("X-GitHub-Event", string(t.EventType)).
+		HeaderWithSensitiveCase("X-GitHub-Delivery", t.UUID).
+		HeaderWithSensitiveCase("X-GitHub-Event", string(t.EventType)).
 		SetTLSClientConfig(&tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify})
 
 	switch t.ContentType {
diff --git a/modules/httplib/httplib.go b/modules/httplib/httplib.go
index 88190704bb..c96e04c35f 100644
--- a/modules/httplib/httplib.go
+++ b/modules/httplib/httplib.go
@@ -164,6 +164,12 @@ func (r *Request) Header(key, value string) *Request {
 	return r
 }
 
+// HeaderWithSensitiveCase add header item in request and keep the case of the header key.
+func (r *Request) HeaderWithSensitiveCase(key, value string) *Request {
+	r.req.Header[key] = []string{value}
+	return r
+}
+
 // Headers returns headers in request.
 func (r *Request) Headers() http.Header {
 	return r.req.Header