bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#37187: 26.2; url-retrieve redirect lost Authorization headers

From: Romain Ouabdelkader
Subject: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 10:26:04 +0200
It doesn't forward the auth on the first example I sent with flask.
I'm adding the header in 'url-request-extra-headers',
perhaps there is another way to do it.

On Sat, Sep 21, 2019 at 9:41 AM Lars Ingebrigtsen <larsi@gnus.org> wrote:
Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:

> Indeed, curl does the same thing:
> https://curl.haxx.se/docs/CVE-2018-1000007.html
>
> But it seems to only strip the Authorization header if the redirect is on
> another host:
>
> https://github.com/curl/curl/commit/af32cd3859336ab.patch

Right.  But Thomas seems to imply in Bug#21350 that url.el will
determine when doing the redirected call whether to include auth again,
so if that new URL requires auth, then it'll be regenerated at that
point.

Is that not the case?

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
reply via email to
[Prev in Thread] Current Thread [Next in Thread]