From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.bugs
Subject: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 09:41:22 +0200
Message-ID: <87ftkq2j19.fsf@gnus.org>
References: <877e627lj1.fsf@gnus.org>
To: Romain Ouabdelkader
Cc: 37187@debbugs.gnu.org, Thomas Fitzsimmons

Romain Ouabdelkader writes:

> Indeed, curl does the same thing:
> https://curl.haxx.se/docs/CVE-2018-1000007.html
>
> But it seems to only strip the Authorization header if the redirect is on
> another host:
>
> https://github.com/curl/curl/commit/af32cd3859336ab.patch

Right.  But Thomas seems to imply in Bug#21350 that url.el will determine
when doing the redirected call whether to include auth again, so if that
new URL requires auth, then it'll be regenerated at that point.  Is that
not the case?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
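
The "strip only when the redirect goes to another host" rule discussed in this message, sketched in Emacs Lisp as an added example; it is not code from url.el, curl, or anyone in this thread. All `demo-` names are hypothetical, and comparing scheme and port in addition to host is an assumption that is stricter than the host-only check described above.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not code from url.el or curl.
;; Every `demo-' name is hypothetical.
(require 'cl-lib)
(require 'url-parse)
(require 'url-expand)

(defconst demo-credential-headers '("Authorization")
  "Request headers treated as credentials in this example.")

(defun demo-same-origin-p (old new)
  "Return non-nil if URL strings OLD and NEW share scheme, host and port."
  (let ((a (url-generic-parse-url old))
        (b (url-generic-parse-url new)))
    (and (equal (url-type a) (url-type b))
         ;; Host names compare case-insensitively.
         (string= (downcase (or (url-host a) ""))
                  (downcase (or (url-host b) "")))
         ;; `url-port' falls back to the scheme's default port,
         ;; so "https://h/" and "https://h:443/" compare equal.
         (eql (url-port a) (url-port b)))))

(defun demo-headers-for-redirect (old location headers)
  "Return the HEADERS to resend when OLD redirects to LOCATION.
HEADERS is an alist of (NAME . VALUE) strings, the shape used by
`url-request-extra-headers'.  LOCATION may be relative to OLD."
  (let ((new (url-expand-file-name location old)))
    (if (demo-same-origin-p old new)
        headers
      ;; Different origin: drop credentials, keep everything else.
      (cl-remove-if (lambda (h)
                      (assoc-string (car h) demo-credential-headers t))
                    headers))))

;; Constructed sample input: one same-host and one cross-host redirect.
(let ((hdrs '(("Authorization" . "Bearer PLACEHOLDER")
              ("Accept" . "application/json"))))
  (list (demo-headers-for-redirect
         "https://api.example.org/v1/a" "/v1/b" hdrs)
        (demo-headers-for-redirect
         "https://api.example.org/v1/a" "https://cdn.example.net/b" hdrs)))
```

Evaluating the final form returns both header lists: the first still carries `Authorization`, the second keeps only `Accept`.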