bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#37187: 26.2; url-retrieve redirect lost Authorization headers

From: Lars Ingebrigtsen
Subject: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 09:41:22 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) 
Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:

> Indeed, curl does the same thing:
> https://curl.haxx.se/docs/CVE-2018-1000007.html
>
> But it seems to only strip the Authorization header if the redirect is on 
> another host:
>
> https://github.com/curl/curl/commit/af32cd3859336ab.patch

Right.  But Thomas seems to imply in Bug#21350 that url.el will
determine when doing the redirected call whether to include auth again,
so if that new URL requires auth, then it'll be regenerated at that
point.

Is that not the case?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
reply via email to
[Prev in Thread] Current Thread [Next in Thread]