RequestBuilder::header unsets sensitive on header value

[Ten0]

RequestBuilder::header:

reqwest/src/async_impl/request.rs

Lines 189 to 218 in 892569e

	pub fn header<K, V>(self, key: K, value: V) -> RequestBuilder
	where
	HeaderName: TryFrom<K>,
	<HeaderName as TryFrom<K>>::Error: Into<http::Error>,
	HeaderValue: TryFrom<V>,
	<HeaderValue as TryFrom<V>>::Error: Into<http::Error>,
	{
	self.header_sensitive(key, value, false)
	}
	/// Add a `Header` to this Request with ability to define if `header_value` is sensitive.
	fn header_sensitive<K, V>(mut self, key: K, value: V, sensitive: bool) -> RequestBuilder
	where
	HeaderName: TryFrom<K>,
	<HeaderName as TryFrom<K>>::Error: Into<http::Error>,
	HeaderValue: TryFrom<V>,
	<HeaderValue as TryFrom<V>>::Error: Into<http::Error>,
	{
	let mut error = None;
	if let Ok(ref mut req) = self.request {
	match <HeaderName as TryFrom<K>>::try_from(key) {
	Ok(key) => match <HeaderValue as TryFrom<V>>::try_from(value) {
	Ok(mut value) => {
	// We want to potentially make an unsensitive header
	// to be sensitive, not the reverse. So, don't turn off
	// a previously sensitive header.
	if sensitive {
	value.set_sensitive(true);
	}
	req.headers_mut().append(key, value);

allows passing HeaderValue, however it overwrites sensitive to false, making it impossible to flag a header as sensitive right away unless going through the .basic_auth or .bearer_auth functions.

It looks like a bug: when simply going through .header, it looks like it should not overwrite the value of sensitive for the generated HeaderValue.

[seanmonstar]

It does? Perhaps I'm not seeing it. Which line specifically does it unset it?

[Ten0]

Ah sorry I read the code for blocking in my editor, and actually linked the async one here.

The issue still lies here:

reqwest/src/blocking/request.rs

Lines 191 to 215 in 892569e

	pub fn header<K, V>(self, key: K, value: V) -> RequestBuilder
	where
	HeaderName: TryFrom<K>,
	HeaderValue: TryFrom<V>,
	<HeaderName as TryFrom<K>>::Error: Into<http::Error>,
	<HeaderValue as TryFrom<V>>::Error: Into<http::Error>,
	{
	self.header_sensitive(key, value, false)
	}
	/// Add a `Header` to this Request with ability to define if header_value is sensitive.
	fn header_sensitive<K, V>(mut self, key: K, value: V, sensitive: bool) -> RequestBuilder
	where
	HeaderName: TryFrom<K>,
	HeaderValue: TryFrom<V>,
	<HeaderName as TryFrom<K>>::Error: Into<http::Error>,
	<HeaderValue as TryFrom<V>>::Error: Into<http::Error>,
	{
	let mut error = None;
	if let Ok(ref mut req) = self.request {
	match <HeaderName as TryFrom<K>>::try_from(key) {
	Ok(key) => match <HeaderValue as TryFrom<V>>::try_from(value) {
	Ok(mut value) => {
	value.set_sensitive(sensitive);
	req.headers_mut().append(key, value);

It seems that the issue was already reported in #1549 and fixed for async by d536ce2, but the blocking implementation was forgotten.

I'll open a PR.