From: Romain Ouabdelkader
Newsgroups: gmane.emacs.bugs
Subject: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 10:26:04 +0200
To: Lars Ingebrigtsen
Cc: 37187@debbugs.gnu.org, Thomas Fitzsimmons
References: <877e627lj1.fsf@gnus.org> <87ftkq2j19.fsf@gnus.org>
In-Reply-To: <87ftkq2j19.fsf@gnus.org>

It doesn't forward the auth on the first example I sent with flask.
I'm adding the header in 'url-request-extra-headers',
perhaps there is another way to do it.

On Sat, Sep 21, 2019 at 9:41 AM Lars Ingebrigtsen <larsi@gnus.org> wrote:

> Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:
>
> > Indeed, curl does the same thing:
> > https://curl.haxx.se/docs/CVE-2018-1000007.html
> >
> > But it seems to only strip the Authorization header if the redirect is on
> > another host:
> >
> > https://github.com/curl/curl/commit/af32cd3859336ab.patch
>
> Right.  But Thomas seems to imply in Bug#21350 that url.el will
> determine when doing the redirected call whether to include auth again,
> so if that new URL requires auth, then it'll be regenerated at that
> point.
>
> Is that not the case?
>
> --
> (domestic pets only, the antidote for overdose, milk.)
>   bloggy blog: http://lars.ingebrigtsen.no
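
The redirect rule discussed in this message (keep a caller-supplied Authorization header only when the redirect stays on the same host), as an added Python sketch that is not code from this thread, from url.el or from curl. It is stricter than the host-only comparison mentioned above, because it also compares scheme and port; that choice, the function names and the example.test URLs are assumptions of this example.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SENSITIVE = {"authorization"}  # the header this bug report is about


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # .hostname drops any userinfo ("user@") and lower-cases the host
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers):
    """Return (target_url, headers_to_send) for following a redirect.

    `location` may be relative, so it is resolved against `request_url`
    before comparing. Caller-supplied credentials are forwarded only when
    the target has the same scheme, host and port as the original request.
    """
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}
    return target, kept


if __name__ == "__main__":
    # Constructed sample request and redirect targets (not from the thread).
    sent = {"Authorization": "Basic Zm9vOmJhcg==", "Accept": "*/*"}
    for loc in ("/v2/items",                              # same origin
                "https://other.example.test/items",       # other host
                "http://api.example.test/items",          # scheme downgrade
                "https://api.example.test@other.example.test/"):  # userinfo
        url, out = headers_for_redirect("https://api.example.test/v1", loc, sent)
        print(url, "->", "keeps auth" if "Authorization" in out else "drops auth")
```

A same-origin redirect keeps the header, which is the behaviour the reporter expected; the other three targets lose it.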