[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wget passes Authorization header cross-domain upon redirect

From: Dolev Farhi
Subject: Re: Wget passes Authorization header cross-domain upon redirect
Date: Thu, 4 Feb 2021 11:39:19 -0500

hi team,

Is this mailing list the right address for these issues?

On Fri, Jan 22, 2021 at 11:35 PM Dolev Farhi <dfarhi@wealthsimple.com>

> hi Wget team!
> When making an HTTP GET request with Authorization header, together with
> the follow redirect flag (-L), e.g.:
> wget -v --header="Authorization: zzzzz==" -L
> If the remote server ( redirects to (different host
> + port), the Authorization header will be passed to the redirected new host
> on the new port.
> 1. Client sends HTTP GET with Authorization header to Server1:8080
> 2. Server1 redirects Client to Server2:8081
> 3. Server2:8081 receives the Authorization header
> My understanding is, if the scheme, host or port are different, then it
> makes a different origin, and is effectively cross origin. Which means the
> Header shouldn't be passed on in this case, and needs to be stripped?
> This is reproducible in the following versions:
> GNU Wget 1.21 built on MacOSX
> GNU Wget 1.18 on Ubuntu
> cURL apparently experienced the same issue in 2018, described here:
> https://curl.se/docs/CVE-2018-1000007.html
> Thanks!

Dolev Farhi
Principal Security Engineer | Wealthsimple

reply via email to

[Prev in Thread] Current Thread [Next in Thread]