From: Romain Ouabdelkader <romain.ouabdelkader@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 02:01:24 +0200
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: 37187@debbugs.gnu.org, Thomas Fitzsimmons <fitzsim@fitzsim.org>
In-Reply-To: <877e627lj1.fsf@gnus.org>
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.org gmane.emacs.bugs:166822

Indeed, curl does the same thing:
https://curl.haxx.se/docs/CVE-2018-1000007.html

But it seems to only strip the Authorization header if the redirect is on
another host:
https://github.com/curl/curl/commit/af32cd3859336ab.patch

On Fri, Sep 20, 2019 at 10:36 PM Lars Ingebrigtsen <larsi@gnus.org> wrote:
> Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:
>
> > I have an issue with the 'url-retrieve' function:
> > If the target url returns a redirect, the 'Authorization' header is not
> > sent on the redirect url.
>
> This is apparently on purpose:
>
>             ;; Do not automatically include an authorization header in the
>             ;; redirect.  If needed it will be regenerated by the relevant
>             ;; auth scheme when the new request happens.
>             (setq url-http-extra-headers
>                   (cl-remove "Authorization"
>                              url-http-extra-headers :key 'car :test 'equal))
>
> It's from this patch:
>
> commit 325200ac1dcf5bed6918ea827d8a48d89487e083
> Author: Thomas Fitzsimmons <fitzsim@fitzsim.org>
> Date:   Wed Sep 23 01:45:29 2015 -0400
>
>     Do not include authorization header in an HTTP redirect
>
>     * lisp/url/url-http.el (url-http-parse-headers): Do not
>     automatically include Authorization header in redirect.
>     (Bug#21350)
>
> And I think that makes sense -- when there's a redirect, the domain may
> be new, and the auth should perhaps not be sent there.
>
> I've had a look at the standards, but I can't see that they say anything
> about this, so I think that perhaps this works as it's supposed to.  But
> I haven't checked what Firefox does, for instance.
>
> --
> (domestic pets only, the antidote for overdose, milk.)
>    bloggy blog: http://lars.ingebrigtsen.no
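The two redirect policies the thread compares, modelled as an added Python example that is not code from Emacs, curl or this thread: "always-strip" is the url-http behaviour quoted above (Authorization dropped on every redirect), and "same-host" is the rule Romain points to in the curl fix (Authorization kept only when the redirect stays on the same host). The URLs, header values and redirect chain are constructed, and comparing hostnames only (scheme and port ignored) is a simplifying assumption.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials. "Authorization" is the header the
# thread is about; using a set is an assumption so the policy can be extended.
CREDENTIAL_HEADERS = {"authorization"}


def same_host(original_url: str, target_url: str) -> bool:
    """True when both URLs name the same host.

    Assumption: only the hostname is compared (scheme and port ignored); this
    is the "redirect is on another host" rule described for curl in the thread.
    """
    return urlsplit(original_url).hostname == urlsplit(target_url).hostname


def redirect_headers(original_url, location, headers, policy="same-host"):
    """Decide which request headers accompany the redirected request.

    policy="always-strip": url-http behaviour, Authorization dropped on every redirect.
    policy="same-host":    curl behaviour after CVE-2018-1000007, Authorization kept
                           only when the target host is unchanged.
    Returns (absolute target URL, headers to send).
    """
    if policy not in ("always-strip", "same-host"):
        raise ValueError(f"unknown policy {policy!r}")
    # A Location header may be relative ("/v1/latest"); resolve it first.
    target = urljoin(original_url, location)
    keep_credentials = policy == "same-host" and same_host(original_url, target)
    forwarded = {
        name: value
        for name, value in headers.items()
        if keep_credentials or name.lower() not in CREDENTIAL_HEADERS
    }
    return target, forwarded


def follow(start_url, headers, responses, policy="same-host", max_hops=5):
    """Walk a redirect chain offline, recording the headers each hop would receive.

    `responses` is a constructed stand-in for a server: it maps a request URL to
    the Location it redirects to, or to None for a final (non-redirect) answer.
    """
    trail = []
    url, current = start_url, dict(headers)
    for hop in range(max_hops + 1):
        trail.append((url, dict(current)))
        location = responses.get(url)
        if location is None:
            return trail
        if hop == max_hops:
            raise RuntimeError("too many redirects")
        url, current = redirect_headers(url, location, current, policy)


# Constructed chain: one same-host hop, then a hop to a different host.
CHAIN = {
    "https://api.example.test/v1/report": "/v1/report/latest",
    "https://api.example.test/v1/report/latest": "https://cdn.example.test/report.json",
    "https://cdn.example.test/report.json": None,
}
# Constructed request headers; the token value is a placeholder.
HEADERS = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}


def demo(policy="same-host"):
    """Run the constructed chain under one policy and return the recorded trail."""
    return follow("https://api.example.test/v1/report", HEADERS, CHAIN, policy)


if __name__ == "__main__":
    for policy in ("same-host", "always-strip"):
        print(f"policy={policy}")
        for url, sent in demo(policy):
            state = "sent" if "Authorization" in sent else "stripped"
            print(f"  {url}: Authorization {state}")
```

Under "same-host" the first hop (still on api.example.test) receives the Authorization header and the second hop (cdn.example.test) does not; under "always-strip" neither hop receives it, which is the behaviour the original report ran into. Once the header has been stripped it is never reintroduced on a later hop, so a chain that leaves and then returns to the original host still ends without credentials.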