unofficial mirror of bug-gnu-emacs@gnu.org 
From: Thomas Fitzsimmons <fitzsim@fitzsim.org>
To: 21350@debbugs.gnu.org
Subject: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Tue, 25 Aug 2015 22:37:46 -0400
Message-ID: <m37foidbb9.fsf@fitzsim.org>

[-- Attachment #1: Type: text/plain, Size: 466 bytes --]

Hi,

This patch is required for url-http-ntlm.el to handle redirects.  I'd
like someone more familiar with url-http.el to review it.  Basically,
this patch leaves it up to the authentication scheme to decide whether
to include an "Authorization" across a redirect or not.

I tested this on normal redirects (independent of url-http-ntlm.el) and
it seems to work fine, with the built-in Basic authorization scheme
re-adding the header where required.

Thanks,
Thomas

[-- Attachment #2: 0001-Do-not-include-authorization-header-in-an-HTTP-redir.patch --]
[-- Type: text/x-patch, Size: 1325 bytes --]

From 26b71ed091d23853d1345295004a93c28ef287b9 Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons <fitzsim@fitzsim.org>
Date: Tue, 25 Aug 2015 22:27:44 -0400
Subject: [PATCH] Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not
automatically include Authorization header in redirect.
---
 lisp/url/url-http.el | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2..4f3213d 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -646,6 +646,15 @@ (defun url-http-parse-headers ()
                ;; compute the redirection relative to the URL of the proxy.
 	       (setq redirect-uri
 		     (url-expand-file-name redirect-uri url-http-target-url)))
+	   ;; Don't automatically include authorization header in redirect.
+	   ;; If needed it will be regenerated by the relevant auth scheme
+	   ;; when the new request happens.
+	   (setq url-http-extra-headers
+		 (let (result)
+		   (dolist (header url-http-extra-headers)
+		     (if (not (equal (car header) "Authorization"))
+			 (push header result)))
+		   (nreverse result)))
            (let ((url-request-method url-http-method)
 		 (url-request-data url-http-data)
 		 (url-request-extra-headers url-http-extra-headers))
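Review bot: The test `(equal (car header) "Authorization")` inside the added `dolist` is case-sensitive, while HTTP header field names are case-insensitive, so an entry spelled "authorization" or "AUTHORIZATION" in `url-http-extra-headers` passes the filter and is still bound into `url-request-extra-headers` for the redirected request. Fold the case before comparing, for example `(string-equal (downcase (car header)) "authorization")`. The removal is also unconditional: it applies to every redirect, including one back to the same host, and to a header the caller set by hand as well as one an auth scheme generated. The comment should say so explicitly, since such a caller gets no header on the new request unless a scheme regenerates it.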
-- 
2.4.2

