* bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
@ 2015-08-26  2:37 Thomas Fitzsimmons
  2015-08-29 15:21 ` Stefan Monnier
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Fitzsimmons @ 2015-08-26  2:37 UTC (permalink / raw)
  To: 21350

[-- Attachment #1: Type: text/plain, Size: 466 bytes --]

Hi,

This patch is required for url-http-ntlm.el to handle redirects.  I'd
like someone more familiar with url-http.el to review it.  Basically,
this patch leaves it up to the authentication scheme to decide whether
to include an "Authorization" header across a redirect or not.

I tested this on normal redirects (independent of url-http-ntlm.el) and
it seems to work fine, with the built-in Basic authorization scheme
re-adding the header where required.

Thanks,
Thomas

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Do-not-include-authorization-header-in-an-HTTP-redir.patch --]
[-- Type: text/x-patch, Size: 1325 bytes --]

From 26b71ed091d23853d1345295004a93c28ef287b9 Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons <fitzsim@fitzsim.org>
Date: Tue, 25 Aug 2015 22:27:44 -0400
Subject: [PATCH] Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not
automatically include Authorization header in redirect.
---
 lisp/url/url-http.el | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2..4f3213d 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -646,6 +646,15 @@ (defun url-http-parse-headers ()
                ;; compute the redirection relative to the URL of the proxy.
 	       (setq redirect-uri
 		     (url-expand-file-name redirect-uri url-http-target-url)))
+	   ;; Don't automatically include authorization header in redirect.
+	   ;; If needed it will be regenerated by the relevant auth scheme
+	   ;; when the new request happens.
+	   (setq url-http-extra-headers
+		 (let (result)
+		   (dolist (header url-http-extra-headers)
+		     (if (not (equal (car header) "Authorization"))
+			 (push header result)))
+		   (nreverse result)))
            (let ((url-request-method url-http-method)
 		 (url-request-data url-http-data)
 		 (url-request-extra-headers url-http-extra-headers))
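
Review bot: the `(equal (car header) "Authorization")` test in the added `dolist` is case-sensitive, while HTTP field names are case-insensitive, so a header stored as "authorization" or "AUTHORIZATION" in `url-http-extra-headers` would pass the filter and still be sent to the redirect target. Compare case-insensitively, for example by downcasing `(car header)` before the comparison. The new comment also assumes an auth scheme will regenerate the header on the new request; an Authorization header that a caller supplied by hand has no scheme behind it and will now be dropped on every redirect, including one to the same host, so the comment or the documentation should say that this is intended.
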
-- 
2.4.2


end of thread, other threads:[~2015-09-23  6:09 UTC | newest]

Thread overview: 7+ messages
2015-08-26  2:37 bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects Thomas Fitzsimmons
2015-08-29 15:21 ` Stefan Monnier
2015-09-01  2:33   ` Thomas Fitzsimmons
2015-09-01  3:58     ` Stefan Monnier
2015-09-07  0:10       ` Thomas Fitzsimmons
2015-09-07 15:23         ` Stefan Monnier
2015-09-23  6:09           ` Thomas Fitzsimmons
