From: Thomas Fitzsimmons <fitzsim@fitzsim.org>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: 21350@debbugs.gnu.org
Subject: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Sun, 06 Sep 2015 20:10:27 -0400	[thread overview]
Message-ID: <m3si6r6qdo.fsf@fitzsim.org> (raw)
In-Reply-To: <jwvh9nesshm.fsf-monnier+emacsbugs@gnu.org> (Stefan Monnier's message of "Mon, 31 Aug 2015 23:58:17 -0400")


Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> looks like it would be faster.  I'm not sure why I would use remq since
>> I'm overwriting url-http-extra-headers anyway.
>
> It depends on where that list comes from and where it might have been
> stored in the meantime.  If we know that no one else points to that
> list, then `delq' is the best option.
>
>> but should I avoid using cl-lib in this context?
>
> No, you can feel free to use cl-lib.
>
>> Another consideration is that I want to be able to backport this
>> change (as an ELPA-installed patch) all the way back to Emacs 24.1, so
>> maybe that's another reason not to use cl-lib.
>
> cl-lib is in GNU ELPA and works fine for Emacs-24.1 (and AFAICT it also
> works on Emacs-22 and XEmacs).

Here's the updated patch that I tested.  Does it look OK stylistically?

I'm going to try to set up some sort of reproducible test for the
various auth schemes across redirects before pushing this, to try to
prove that I'm not breaking some redirect scenarios with this.  I'll see
how far I get with that before pushing.

Thomas

[-- Attachment #2: 0002-Do-not-include-authorization-header-in-an-HTTP-redir.patch --]
[-- Type: text/x-patch, Size: 1245 bytes --]

From 5a3c80ca5323cde23eca4638a28e4f8cc28dd2df Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons <fitzsim@cisco.com>
Date: Sun, 6 Sep 2015 15:56:53 -0400
Subject: [PATCH 2/2] Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not
automatically include Authorization header in redirect.
---
 lisp/url/url-http.el | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2..b5c1a33 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -646,6 +646,12 @@ should be shown to the user."
                ;; compute the redirection relative to the URL of the proxy.
 	       (setq redirect-uri
 		     (url-expand-file-name redirect-uri url-http-target-url)))
+	   ;; Do not automatically include an authorization header in the
+	   ;; redirect.  If needed it will be regenerated by the relevant
+	   ;; auth scheme when the new request happens.
+	   (setq url-http-extra-headers
+		 (cl-remove "Authorization"
+			    url-http-extra-headers :key 'car :test 'equal))
            (let ((url-request-method url-http-method)
 		 (url-request-data url-http-data)
 		 (url-request-extra-headers url-http-extra-headers))
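Review bot: the `:test 'equal` filter is case-sensitive, but HTTP field names are not, so a caller that supplied the header as ("authorization" . ...) via url-request-extra-headers would survive this cl-remove and still be forwarded to the redirect target; compare case-insensitively instead, e.g. `:key (lambda (h) (downcase (car h)))` with "authorization" as the item, or `:test #'cl-equalp`. Also, cl-remove is a runtime function rather than a macro, so url-http.el must load cl-lib at run time (a plain `(require 'cl-lib)`, not only under eval-when-compile); the diffstat shows no such addition alongside these six lines.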
-- 
1.8.3.1

