From: Romain Ouabdelkader
Subject: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 10:26:04 +0200

Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:
> Indeed, curl does the same thing:
> https://curl.haxx.se/docs/CVE-2018-1000007.html
>
> But it seems to only strip the Authorization header if the redirect is on
> another host:
>
> https://github.com/curl/curl/commit/af32cd3859336ab.patch
Right. But Thomas seems to imply in Bug#21350 that url.el will
determine when doing the redirected call whether to include auth again,
so if that new URL requires auth, then it'll be regenerated at that
point.
Is that not the case?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no