From: Lars Ingebrigtsen <larsi@gnus.org>
To: Alain Picard <alain@gocatch.com>
Cc: 24490@debbugs.gnu.org, Thomas Fitzsimmons <fitzsim@fitzsim.org>
Subject: bug#24490: 25.1; restclient no longer sends auth header upon redirect
Date: Tue, 06 Jul 2021 17:44:00 +0200 [thread overview]
Message-ID: <87sg0rphvj.fsf@gnus.org> (raw)
In-Reply-To: <CAAzYSc=Kmd=+A5TA398+a_49dVNVVWOR=-KcTdntHHGzP=QaNQ@mail.gmail.com> (Alain Picard's message of "Wed, 21 Sep 2016 14:19:18 +1000")
Alain Picard <alain@gocatch.com> writes:
> Dear Maintainers,
>
> In emacs 25.1,
> the code in url-http.el, line 638, states:
>
> ;; Do not automatically include an authorization header in the
> ;; redirect. If needed it will be regenerated by the relevant
> ;; auth scheme when the new request happens.
> (setq url-http-extra-headers
>       (cl-remove "Authorization"
>                  url-http-extra-headers :key 'car :test 'equal))
>
> I suspect this automatic regeneration does not occur.
I think this code is basically correct -- if the auth scheme has added
something to url-http-extra-headers, then that has to be removed when
doing the redirect, because otherwise we might be sending the auth to a
completely wrong server, with the security implications of that.
> Problem: I am using restclient.el, and hitting a server which
> issues a redirect, and I receive a 400 Forbidden response because
> the redirected call does not receive the authentication header
> (I can see this from the log of my server).
I think this must be a bug in restclient.el -- it should instead use an
auth scheme that re-adds the Authorization header.
I think. The URL interface is pretty vague here, as it is with many
other things...
Hm...
Reading
(defun url-http-create-request ()
  [...]
    (auth (if (cdr-safe (assoc "Authorization" url-http-extra-headers))
              nil
            (url-get-authentication (or
                                     (and (boundp 'proxy-info)
                                          proxy-info)
                                     url-http-target-url) nil 'any nil)))
the auth is never added to `url-http-extra-headers', so perhaps that's
not correct anyway -- it should be possible for the user to put
Authorization in `url-http-extra-headers', and then have that be heeded
even over the redirect.
I've added Thomas to the CCs; perhaps he has some insights here. (Also
see Bug#21350.)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
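The policy under discussion, written out as a constructed Python illustration (not code from Emacs, url-http.el or restclient.el): url-http.el drops the Authorization header unconditionally on redirect; this helper goes one step further than the message and keeps the header only when the redirect stays on the same origin (scheme, host and port), so same-site redirects still authenticate while a redirect to another server never receives the credential. The function and header names are my own.

```python
"""Redirect-time handling of the Authorization header (constructed example).

Mirrors the concern raised in the thread: a client that blindly re-sends
Authorization to a redirect target may hand the secret to an unrelated
server.  Here the header survives a redirect only if the target shares the
original request's origin; an https->http downgrade counts as a different
origin and also loses it.
"""
from urllib.parse import urlsplit, urljoin

# Header names (lower-cased) that must not be forwarded cross-origin.
CREDENTIAL_HEADERS = {"authorization"}


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def headers_for_redirect(request_url, location, headers):
    """Return (resolved_target, headers_to_send) for following a redirect.

    `location` may be relative, so it is resolved against the URL of the
    request that produced the redirect.  Credential headers are copied
    only when the resolved target has the same origin as that request.
    """
    target = urljoin(request_url, location)
    same_origin = origin(request_url) == origin(target)
    kept = {}
    for name, value in headers.items():
        if name.lower() in CREDENTIAL_HEADERS and not same_origin:
            continue  # would send the credential to a different server
        kept[name] = value
    return target, kept


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/v1/x", "/v1/y", hdrs))
    print(headers_for_redirect("https://api.example.com/v1/x",
                               "https://cdn.example.net/y", hdrs))
```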
Thread overview: 7+ messages
2016-09-21 4:19 bug#24490: 25.1; restclient no longer sends auth header upon redirect Alain Picard
2016-09-21 8:15 ` Andreas Schwab
2016-09-22 0:01 ` Alain Picard
2021-07-06 15:44 ` Lars Ingebrigtsen [this message]
2021-07-08 21:34 ` Thomas Fitzsimmons
2021-07-14 17:47 ` Thomas Fitzsimmons
2021-07-14 18:23 ` Lars Ingebrigtsen