
bug#37187: 26.2; url-retrieve redirect lost Authorization headers


From: Romain Ouabdelkader
Subject: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 02:01:24 +0200

Indeed, curl does the same thing:
https://curl.haxx.se/docs/CVE-2018-1000007.html

But it seems to only strip the Authorization header if the redirect is on 
another host:

https://github.com/curl/curl/commit/af32cd3859336ab.patch

On Fri, Sep 20, 2019 at 10:36 PM Lars Ingebrigtsen <larsi@gnus.org> wrote:
Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:

> I have an issue with the 'url-retrieve' function:
> If the target url returns a redirect, the 'Authorization' header is not
> sent on the redirect url.

This is apparently on purpose:

           ;; Do not automatically include an authorization header in the
           ;; redirect.  If needed it will be regenerated by the relevant
           ;; auth scheme when the new request happens.
           (setq url-http-extra-headers
                 (cl-remove "Authorization"
                            url-http-extra-headers :key 'car :test 'equal))

It's from this patch:

commit 325200ac1dcf5bed6918ea827d8a48d89487e083
Author: Thomas Fitzsimmons <fitzsim@fitzsim.org>
Date:   Wed Sep 23 01:45:29 2015 -0400

    Do not include authorization header in an HTTP redirect

    * lisp/url/url-http.el (url-http-parse-headers): Do not
    automatically include Authorization header in redirect.
    (Bug#21350)

And I think that makes sense -- when there's a redirect, the domain may
be new, and the auth should perhaps not be sent there.

I've had a look at the standards, but I can't see that they say anything
about this, so I think that perhaps this works as it's supposed to.  But
I haven't checked what Firefox does, for instance.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
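The two behaviours compared in this thread, Emacs dropping the Authorization header on every redirect and curl (after CVE-2018-1000007) dropping it only when the redirect leaves the original host, can be expressed as a single redirect-header policy. The following is an added example written for this page, not code from Emacs, url-http.el or curl; it uses a constructed redirect chain instead of real HTTP traffic, and its "cross-origin" policy compares scheme, host and port, which is stricter than the host-only check the message above describes for curl (that choice is mine). The URLs and token value are made up.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and port (assumption: full-origin check)."""
    return origin(url_a) == origin(url_b)


def headers_for_redirect(original_url, location, headers, policy="cross-origin"):
    """Resolve a Location header against the original URL and decide which
    request headers may follow the redirect.

    policy="always"       drop Authorization on every redirect (the url-retrieve
                          behaviour quoted in this thread)
    policy="cross-origin" drop Authorization only when the target is a different
                          origin (the curl-style behaviour, made stricter here)
    """
    target = urljoin(original_url, location)  # handles relative Location values
    if policy == "always":
        drop = True
    elif policy == "cross-origin":
        drop = not same_origin(original_url, target)
    else:
        raise ValueError("unknown policy: %r" % policy)
    # Header names are case-insensitive, so compare them lower-cased.
    kept = {
        name: value
        for name, value in headers.items()
        if not (drop and name.lower() == "authorization")
    }
    return target, kept


def simulate(start_url, headers, responses, policy="cross-origin", max_redirects=5):
    """Walk a constructed redirect chain and record the headers sent at each hop.

    `responses` maps a URL to (status, location); this stands in for a server."""
    url, sent = start_url, dict(headers)
    trace = []
    for _ in range(max_redirects + 1):
        trace.append((url, dict(sent)))
        status, location = responses[url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            return trace
        url, sent = headers_for_redirect(url, location, sent, policy)
    raise RuntimeError("too many redirects")


# Constructed chain: a same-origin relative redirect, then a cross-host one.
RESPONSES = {
    "https://api.example.test/v1/data": (302, "/v2/data"),
    "https://api.example.test/v2/data": (301, "https://cdn.example-files.test/blob"),
    "https://cdn.example-files.test/blob": (200, None),
}

REQUEST_HEADERS = {
    "Authorization": "Bearer constructed-token",  # made-up credential
    "Accept": "application/json",
}

if __name__ == "__main__":
    for policy in ("cross-origin", "always"):
        print("policy:", policy)
        for hop_url, hop_headers in simulate(
            "https://api.example.test/v1/data", REQUEST_HEADERS, RESPONSES, policy
        ):
            print("  ", hop_url, "Authorization" in hop_headers)
```

Under the "cross-origin" policy the token is still sent to /v2/data on the same origin but not to the cdn host; under "always" it is gone from the second hop onward, which is the behaviour the original report describes. Checking a redirect trace this way, with a fake response table, is also a cheap regression test for any client library that follows redirects on the caller's behalf.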
