unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Alain Picard @ 2016-09-21  4:19 UTC (permalink / raw)
  To: 24490; +Cc: Alain Picard


Dear Maintainers,

In emacs 25.1,
the code in url-http.el, line 638, states:

  ;; Do not automatically include an authorization header in the
  ;; redirect.  If needed it will be regenerated by the relevant
  ;; auth scheme when the new request happens.
  (setq url-http-extra-headers
        (cl-remove "Authorization"
                   url-http-extra-headers :key 'car :test 'equal))


I suspect this automatic regeneration does not occur.
Problem: I am using restclient.el, and hitting a server which
issues a redirect, and I receive a 400 Forbidden response because
the redirected call does not receive the authentication header
(I can see this from the log of my server).

Here is a subset of my test http file in restclient mode:
------------------
:host = http://localhost:4348
:driver-2 = goCatch 9999

#
GET :host/api/v2/jobs
X-Gocatch-State: {"available" : true, "lat": -33.1, "lng":150.9, "speed":15, "error":5, "direction":310 }
Authorization: :driver-2
------------------

In emacs 24, this used to return:
  [lots of text here snipped]
// GET http://localhost:4348/api/v2/jobs
// HTTP/1.1 200 OK
// Content-Type: application/json; charset=utf-8
// Cache-Control: max-age=0
// Content-Length: 1222
// Server: http-kit
// Date: Wed, 21 Sep 2016 04:13:46 GMT
// Request duration: 0.247260s


But in emacs 25 it now returns:

No or invalid authentication details are provided
// GET http://localhost:4348/api/v2/jobs
// HTTP/1.1 401 Unauthorized
// Cache-Control: max-age=0
// Content-Length: 49
// Server: http-kit
// Date: Wed, 21 Sep 2016 04:14:29 GMT
// Request duration: 0.131224s


If I comment out the 3 lines starting at line 642:
  (setq url-http-extra-headers
        (cl-remove "Authorization"
                   url-http-extra-headers :key 'car :test 'equal))

I get back the original, correct behaviour.


Thanks in advance, and thanks for all the great work on
emacs... I've been appreciating your hard work (and emacs) for nearly 25
years.  :-)


                   Alain Picard

================================================================


In GNU Emacs 25.1.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version
10.9.5 (Build 13F1911))
 of 2016-09-18 built on builder10-9.porkrind.org
Windowing system distributor 'Apple', version 10.3.1404
Configured using:
 'configure --with-ns '--enable-locallisppath=/Library/Application
 Support/Emacs/${version}/site-lisp:/Library/Application
 Support/Emacs/site-lisp''

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS

Important settings:
  value of $LANG: en_AU.UTF-8
  locale-coding-system: utf-8-unix



* bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Andreas Schwab @ 2016-09-21  8:15 UTC (permalink / raw)
  To: Alain Picard; +Cc: 24490

On Sep 21 2016, Alain Picard <alain@gocatch.com> wrote:

> Problem: I am using restclient.el, and hitting a server which
> issues a redirect, and I receive a 400 Forbidden response because
> the redirected call does not receive the authentication header
> (I can see this from the log of my server).

How does curl or wget handle this?

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."






* bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Alain Picard @ 2016-09-22  0:01 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: 24490


Well, curl gives you back the 303 (See Other) with
the Location header, unless you add -L (follow redirection)
in which case it reposts any original header (including Authorization) to
the new location.  i.e. "it just works".

What would be nice for restclient is a separate keystroke
which either does or does not follow the redirection; sometimes
you want to debug the initial hop.  But the default should be
to do what it does now, which is to follow; i.e. "act like a browser".

Hope this helps.

  Alain

On 21 September 2016 at 18:15, Andreas Schwab <schwab@suse.de> wrote:

> On Sep 21 2016, Alain Picard <alain@gocatch.com> wrote:
>
> > Problem: I am using restclient.el, and hitting a server which
> > issues a redirect, and I receive a 400 Forbidden response because
> > the redirected call does not receive the authentication header
> > (I can see this from the log of my server).
>
> How does curl or wget handle this?
>
> Andreas.
>
> --
> Andreas Schwab, SUSE Labs, schwab@suse.de
> GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
> "And now for something completely different."
>


* bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Lars Ingebrigtsen @ 2021-07-06 15:44 UTC (permalink / raw)
  To: Alain Picard; +Cc: 24490, Thomas Fitzsimmons

Alain Picard <alain@gocatch.com> writes:

> Dear Maintainers,
>
> In emacs 25.1,
> the code in url-http.el, line 638, states:
>
>   ;; Do not automatically include an authorization header in the
>   ;; redirect.  If needed it will be regenerated by the relevant
>   ;; auth scheme when the new request happens.
>   (setq url-http-extra-headers
>         (cl-remove "Authorization"
>                    url-http-extra-headers :key 'car :test 'equal))
>
> I suspect this automatic regeneration does not occur.

I think this code is basically correct -- if the auth scheme has added
something to url-http-extra-headers, then that has to be removed when
doing the redirect, because otherwise we might be sending the auth to a
completely wrong server, with the security implications of that.

> Problem: I am using restclient.el, and hitting a server which
> issues a redirect, and I receive a 400 Forbidden response because
> the redirected call does not receive the authentication header
> (I can see this from the log of my server).

I think this must be a bug in restclient.el -- it should instead use an
auth scheme that re-adds the Authorization header.

I think.  The URL interface is pretty vague here, as it is with many
other things...

Hm...

Reading

(defun url-http-create-request ()
[...]
	 (auth (if (cdr-safe (assoc "Authorization" url-http-extra-headers))
		   nil
		 (url-get-authentication (or
					  (and (boundp 'proxy-info)
					       proxy-info)
					  url-http-target-url) nil 'any nil)))

the auth is never added to `url-http-extra-headers', so perhaps that's
not correct anyway -- it should be possible for the user to put
Authorization in `url-http-extra-headers', and then have that be heeded
even over the redirect.

I've added Thomas to the CCs; perhaps he has some insights here.  (Also
see Bug#21350.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
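
Added example (not part of the original thread, and not code from url-http.el or restclient.el): one way to reconcile the two concerns in the message above is to keep a caller-supplied Authorization header across a redirect only when the Location target has the same scheme, host and port, and to drop it otherwise. The same-origin rule, the `example-` names and the redirect targets are assumptions; header names are matched case-insensitively here, unlike the `equal` test in the quoted code.

```emacs-lisp
;; Added example: not code from url-http.el or restclient.el.
;; All `example-' names and the redirect targets below are hypothetical.
(require 'cl-lib)
(require 'url-parse)

(defconst example-default-ports '(("http" . 80) ("https" . 443))
  "Default ports used when a URL carries no explicit port.")

(defun example-origin (url)
  "Return the origin of the absolute URL string as (SCHEME HOST PORT)."
  (let* ((u (url-generic-parse-url url))
         (scheme (downcase (or (url-type u) ""))))
    (list scheme
          (downcase (or (url-host u) ""))
          (or (url-portspec u)
              (cdr (assoc scheme example-default-ports))))))

(defun example-absolute-location (from-url location)
  "Resolve LOCATION just far enough to learn its origin.
A scheme-relative value (\"//host/path\") inherits FROM-URL's scheme.
Any other value without a scheme is a relative reference, which stays
on FROM-URL's origin, so FROM-URL itself is returned for it."
  (cond ((string-match-p "\\`[A-Za-z][A-Za-z0-9+.-]*:" location)
         location)
        ((string-prefix-p "//" location)
         (concat (url-type (url-generic-parse-url from-url)) ":" location))
        (t from-url)))

(defun example-same-origin-p (from-url location)
  "Non-nil if following LOCATION from FROM-URL stays on the same origin."
  (equal (example-origin from-url)
         (example-origin (example-absolute-location from-url location))))

(defun example-headers-for-redirect (headers from-url location)
  "Return the HEADERS alist to send when redirected from FROM-URL to LOCATION.
Authorization survives a same-origin redirect and is removed otherwise."
  (if (example-same-origin-p from-url location)
      headers
    (cl-remove "authorization" headers
               :key (lambda (h) (downcase (car h)))
               :test #'equal)))

;; Constructed sample data: the request from the bug report plus
;; made-up redirect targets.
(let ((headers '(("Authorization" . "goCatch 9999")
                 ("Accept" . "application/json")))
      (stripped '(("Accept" . "application/json")))
      (from "http://localhost:4348/api/v2/jobs"))
  ;; Relative redirect: same origin, header kept.
  (cl-assert (equal headers
                    (example-headers-for-redirect
                     headers from "/api/v2/jobs/")))
  ;; Absolute redirect to the same host and port (case differs): kept.
  (cl-assert (equal headers
                    (example-headers-for-redirect
                     headers from "http://LOCALHOST:4348/other")))
  ;; Different host: header removed.
  (cl-assert (equal stripped
                    (example-headers-for-redirect
                     headers from "http://other.example:4348/api/v2/jobs")))
  ;; Same host but different scheme: treated as another origin.
  (cl-assert (equal stripped
                    (example-headers-for-redirect
                     headers from "https://localhost:4348/api/v2/jobs")))
  ;; Scheme-relative redirect to another host: removed.
  (cl-assert (equal stripped
                    (example-headers-for-redirect
                     headers from "//other.example/api/v2/jobs"))))
```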






* bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Thomas Fitzsimmons @ 2021-07-08 21:34 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: Alain Picard, 24490

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Alain Picard <alain@gocatch.com> writes:
>
>> Dear Maintainers,
>>
>> In emacs 25.1,
>> the code in url-http.el, line 638, states:
>>
>>   ;; Do not automatically include an authorization header in the
>>   ;; redirect.  If needed it will be regenerated by the relevant
>>   ;; auth scheme when the new request happens.
>>   (setq url-http-extra-headers
>>         (cl-remove "Authorization"
>>                    url-http-extra-headers :key 'car :test 'equal))
>>
>> I suspect this automatic regeneration does not occur.
>
> I think this code is basically correct -- if the auth scheme has added
> something to url-http-extra-headers, then that has to be removed when
> doing the redirect, because otherwise we might be sending the auth to a
> completely wrong server, with the security implications of that.
>
>> Problem: I am using restclient.el, and hitting a server which
>> issues a redirect, and I receive a 400 Forbidden response because
>> the redirected call does not receive the authentication header
>> (I can see this from the log of my server).
>
> I think this must be a bug in restclient.el -- it should instead use an
> auth scheme that re-adds the Authorization header.

It looks like restclient.el uses advice to skip
url-http-handle-authentication if it (restclient) is in the middle of a
request.

Alain, to rule out that advice as being responsible, can you do:

M-: (ad-deactivate  'url-http-handle-authentication)

then try the API call again?

Thomas






* bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Thomas Fitzsimmons @ 2021-07-14 17:47 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: Alain Picard, 24490

Thomas Fitzsimmons <fitzsim@fitzsim.org> writes:

> Lars Ingebrigtsen <larsi@gnus.org> writes:
>
>> Alain Picard <alain@gocatch.com> writes:
>>
>>> Dear Maintainers,
>>>
>>> In emacs 25.1,
>>> the code in url-http.el, line 638, states:
>>>
>>>   ;; Do not automatically include an authorization header in the
>>>   ;; redirect.  If needed it will be regenerated by the relevant
>>>   ;; auth scheme when the new request happens.
>>>   (setq url-http-extra-headers
>>>         (cl-remove "Authorization"
>>>                    url-http-extra-headers :key 'car :test 'equal))
>>>
>>> I suspect this automatic regeneration does not occur.
>>
>> I think this code is basically correct -- if the auth scheme has added
>> something to url-http-extra-headers, then that has to be removed when
>> doing the redirect, because otherwise we might be sending the auth to a
>> completely wrong server, with the security implications of that.
>>
>>> Problem: I am using restclient.el, and hitting a server which
>>> issues a redirect, and I receive a 400 Forbidden response because
>>> the redirected call does not receive the authentication header
>>> (I can see this from the log of my server).
>>
>> I think this must be a bug in restclient.el -- it should instead use an
>> auth scheme that re-adds the Authorization header.
>
> It looks like restclient.el uses advice to skip
> url-http-handle-authentication if it (restclient) is in the middle of a
> request.
>
> Alain, to rule out that advice as being responsible, can you do:
>
> M-: (ad-deactivate  'url-http-handle-authentication)
>
> then try the API call again?

The email to "alain@gocatch.com" bounced, so I think we should probably
close this bug report.

Thomas






* bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Lars Ingebrigtsen @ 2021-07-14 18:23 UTC (permalink / raw)
  To: Thomas Fitzsimmons; +Cc: Alain Picard, 24490

Thomas Fitzsimmons <fitzsim@fitzsim.org> writes:

> The email to "alain@gocatch.com" bounced, so I think we should probably
> close this bug report.

OK; done.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




