bug-wget

Re: Patch for bug 56909


From: Darshit Shah
Subject: Re: Patch for bug 56909
Date: Tue, 07 Sep 2021 18:11:31 +0000
User-agent: Cyrus-JMAP/3.5.0-alpha0-1126-g6962059b07-fm-20210901.001-g6962059b

Hi Aleksander,

Thank you for the patch to GNU Wget!

I think the new --keep-auth-header option is a misnomer, since it only applies
to the case where the user explicitly passes an "Authorization" header, going
around Wget's knowledge of it.
Thus, if this feature is to be implemented, I would rather that it is 
implemented with an option like "--remove-on-redir" or something else that 
accepts a list of headers to remove. The user can then pass whatever headers 
they want to remove on a redirection to a different domain.

Also, we would need to document the new option in the man and info pages as 
well.

On Tue, Sep 7, 2021, at 13:13, Aleksander Bułanowski via Primary discussion 
list for GNU Wget wrote:
> Hello wget maintainers,
> 
> Attached there is a patch file that strips sending Authentication headers
> on redirects.
> This should solve the https://savannah.gnu.org/bugs/?56909 / CVE-2021-31879.
> 
> Regards,
> Aleksander Bułanowski
> 
> Attachments:
> * wget-redirect-auth.patch
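
The list-based behaviour suggested in the reply above, sketched as an added example; it is not part of this thread, the attached patch, or Wget's code. "remove-on-redir" is only the name floated in the reply, the function names are hypothetical, host names are assumed to be already parsed out of the URLs, and "different domain" is taken to mean a different host name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality of two length-delimited strings. */
static bool ieq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True if the field name of HEADER ("Name: value") is in the comma-separated
   REMOVE_LIST (hypothetical value of the proposed option). */
static bool listed(const char *header, const char *remove_list)
{
    size_t name_len = strcspn(header, ":");
    for (const char *p = remove_list; *p; ) {
        p += strspn(p, ", ");              /* skip separators and spaces */
        size_t len = strcspn(p, ", ");
        if (len && ieq(p, len, header, name_len)) return true;
        p += len;
    }
    return false;
}

/* Compact HEADERS in place for the request that follows a redirect from
   ORIG_HOST to NEW_HOST; returns how many headers are still sent. */
size_t filter_headers(const char **headers, size_t count, const char *remove_list,
                      const char *orig_host, const char *new_host)
{
    bool same = ieq(orig_host, strlen(orig_host), new_host, strlen(new_host));
    size_t kept = 0;
    for (size_t i = 0; i < count; i++)
        if (same || !listed(headers[i], remove_list))
            headers[kept++] = headers[i];
    return kept;
}

int main(void)
{
    /* Constructed sample headers and hosts. */
    const char *h[] = { "Authorization: Basic Y29uc3RydWN0ZWQ=", "Accept: text/html" };
    size_t n = filter_headers(h, 2, "authorization, x-api-key", "a.example", "b.example");
    for (size_t i = 0; i < n; i++) puts(h[i]);
    return 0;
}
```

Names are matched whole and case-insensitively, so a list entry of "Auth" does not strip "Authorization", and an empty list leaves every user-supplied header in place.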


