Wget passes Authorization header cross-domain upon redirect

bug-wget

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wget passes Authorization header cross-domain upon redirect

From:	Dolev Farhi
Subject:	Wget passes Authorization header cross-domain upon redirect
Date:	Fri, 22 Jan 2021 23:35:50 -0500

hi Wget team!

When making an HTTP GET request with Authorization header, together with
the follow redirect flag (-L), e.g.:

wget -v --header="Authorization: zzzzz==" http://1.1.1.1:8000 -L

If the remote server (1.1.1.1) redirects to 2.2.2.2:8181 (different host +
port), the Authorization header will be passed to the redirected new host
on the new port.

1. Client sends HTTP GET with Authorization header to Server1:8080
2. Server1 redirects Client to Server2:8081
3. Server2:8081 receives the Authorization header

My understanding is, if the scheme, host or port are different, then it
makes a different origin, and is effectively cross origin. Which means the
Header shouldn't be passed on in this case, and needs to be stripped?

This is reproducible in the following versions:

GNU Wget 1.21 built on MacOSX
GNU Wget 1.18 on Ubuntu

cURL apparently experienced the same issue in 2018, described here:
https://curl.se/docs/CVE-2018-1000007.html

Thanks!

[Prev in Thread]

Current Thread

[Next in Thread]

Wget passes Authorization header cross-domain upon redirect, Dolev Farhi <=

Prev by Date: Re: implicit declaration of function 'utime' in trailing slashes test
Next by Date: Re: wget 1.21.1 configuration
Previous by thread: AX_CODE_COVERAGE: command not found
Next by thread: wget 1.21.1 fails to build on macOS (10.14, 10.15, 11.1)
Index(es):
- Date
- Thread