GNU bug report logs -
#21350
25.0.50; Do not automatically include authorization header in HTTP redirects
Previous Next
Reported by: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Date: Wed, 26 Aug 2015 02:38:01 UTC
Severity: normal
Tags: patch
Found in version 25.0.50
Done: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 21350 in the body.
You can then email your comments to 21350 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#21350; Package
emacs.
(Wed, 26 Aug 2015 02:38:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Thomas Fitzsimmons <fitzsim <at> fitzsim.org>:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org.
(Wed, 26 Aug 2015 02:38:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
This patch is required for url-http-ntlm.el to handle redirects. I'd
like someone more familiar with url-http.el to review it. Basically,
this patch leaves it up to the authentication scheme to decide whether
to include an "Authorization" across a redirect or not.
I tested this on normal redirects (independent of url-http-ntlm.el) and
it seems to work fine, with the built-in Basic authorization scheme
re-adding the header where required.
Thanks,
Thomas
[0001-Do-not-include-authorization-header-in-an-HTTP-redir.patch (text/x-patch, attachment)]
Added tag(s) patch.
Request was from
Thomas Fitzsimmons <fitzsim <at> gmail.com>
to
control <at> debbugs.gnu.org.
(Fri, 28 Aug 2015 02:38:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#21350; Package
emacs.
(Sat, 29 Aug 2015 15:22:01 GMT)
Full text and
rfc822 format available.
Message #10 received at 21350 <at> debbugs.gnu.org (full text, mbox):
> This patch is required for url-http-ntlm.el to handle redirects. I'd
> like someone more familiar with url-http.el to review it.
I'm not sure if there is such a someone, to tell you the truth. I can
give you comments about Elisp style:
+ ;; Don't automatically include authorization header in redirect.
+ ;; If needed it will be regenerated by the relevant auth scheme
+ ;; when the new request happens.
+ (setq url-http-extra-headers
+ (let (result)
+ (dolist (header url-http-extra-headers)
+ (if (not (equal (car header) "Authorization"))
+ (push header result)))
+ (nreverse result)))
IIUC this is like:
(let ((a (assoc "Authorization" url-http-extra-headers)))
(if a (setq url-http-extra-headers (delq a url-http-extra-headers))))
Tho maybe it should be `remq' rather than `delq'.
Stefan
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#21350; Package
emacs.
(Tue, 01 Sep 2015 02:34:01 GMT)
Full text and
rfc822 format available.
Message #13 received at 21350 <at> debbugs.gnu.org (full text, mbox):
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>> This patch is required for url-http-ntlm.el to handle redirects. I'd
>> like someone more familiar with url-http.el to review it.
>
> I'm not sure if there is such a someone, to tell you the truth. I can
> give you comments about Elisp style:
OK, thanks.
> + ;; Don't automatically include authorization header in redirect.
> + ;; If needed it will be regenerated by the relevant auth scheme
> + ;; when the new request happens.
> + (setq url-http-extra-headers
> + (let (result)
> + (dolist (header url-http-extra-headers)
> + (if (not (equal (car header) "Authorization"))
> + (push header result)))
> + (nreverse result)))
>
> IIUC this is like:
>
> (let ((a (assoc "Authorization" url-http-extra-headers)))
> (if a (setq url-http-extra-headers (delq a url-http-extra-headers))))
>
> Tho maybe it should be `remq' rather than `delq'.
I was trying to remove all occurrences of "Authorization", just in case,
since that's what url-http-ntlm did. I looked at remq and delq. delq
looks like it would be faster. I'm not sure why I would use remq since
I'm overwriting url-http-extra-headers anyway.
url-http-ntlm did this:
(defun url-http-ntlm-rmssoc (key alist)
(remove* key alist :key 'car :test 'equal))
but should I avoid using cl-lib in this context? Another consideration
is that I want to be able to backport this change (as an ELPA-installed
patch) all the way back to Emacs 24.1, so maybe that's another reason
not to use cl-lib.
Thomas
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#21350; Package
emacs.
(Tue, 01 Sep 2015 03:59:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 21350 <at> debbugs.gnu.org (full text, mbox):
> looks like it would be faster. I'm not sure why I would use remq since
> I'm overwriting url-http-extra-headers anyway.
It depends on where that list comes from and where it might have been
stored in the mean time. If we know that noone else points to that
list, then `delq' is the best option.
> but should I avoid using cl-lib in this context?
No, you can feel free to use cl-lib.
> Another consideration is that I want to be able to backport this
> change (as an ELPA-installed patch) all the way back to Emacs 24.1, so
> maybe that's another reason not to use cl-lib.
cl-lib is in GNU ELPA and works fine for Emacs-24.1 (and AFAICT it also
works on Emacs-22 and XEmacs).
Stefan
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#21350; Package
emacs.
(Mon, 07 Sep 2015 00:11:01 GMT)
Full text and
rfc822 format available.
Message #19 received at 21350 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>> looks like it would be faster. I'm not sure why I would use remq since
>> I'm overwriting url-http-extra-headers anyway.
>
> It depends on where that list comes from and where it might have been
> stored in the mean time. If we know that noone else points to that
> list, then `delq' is the best option.
>
>> but should I avoid using cl-lib in this context?
>
> No, you can feel free to use cl-lib.
>
>> Another consideration is that I want to be able to backport this
>> change (as an ELPA-installed patch) all the way back to Emacs 24.1, so
>> maybe that's another reason not to use cl-lib.
>
> cl-lib is in GNU ELPA and works fine for Emacs-24.1 (and AFAICT it also
> works on Emacs-22 and XEmacs).
Here's the updated patch that I tested. Does it look OK stylistically?
I'm going to try to set up some sort of reproducible test for the
various auth schemes across redirects before pushing this, to try to
prove that I'm not breaking some redirect scenarios with this. I'll see
how far I get with that before pushing.
Thomas
[0002-Do-not-include-authorization-header-in-an-HTTP-redir.patch (text/x-patch, attachment)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#21350; Package
emacs.
(Mon, 07 Sep 2015 15:24:01 GMT)
Full text and
rfc822 format available.
Message #22 received at 21350 <at> debbugs.gnu.org (full text, mbox):
> Here's the updated patch that I tested. Does it look OK stylistically?
Yes, but you need to change the beginning of the file so cl-lib is not
only require when compiling but also at run-time (since cl-remove is
not a macro but a function).
Stefan
Reply sent
to
Thomas Fitzsimmons <fitzsim <at> fitzsim.org>:
You have taken responsibility.
(Wed, 23 Sep 2015 06:10:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Thomas Fitzsimmons <fitzsim <at> fitzsim.org>:
bug acknowledged by developer.
(Wed, 23 Sep 2015 06:10:02 GMT)
Full text and
rfc822 format available.
Message #27 received at 21350-done <at> debbugs.gnu.org (full text, mbox):
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>> Here's the updated patch that I tested. Does it look OK stylistically?
>
> Yes, but you need to change the beginning of the file so cl-lib is not
> only require when compiling but also at run-time (since cl-remove is
> not a macro but a function).
OK, I pushed the patch. Thanks for reviewing.
I had hoped to publish a Docker image that would allow testing the
various authorization schemes across redirects, but configuring a server
to authenticate with NTLM using Free Software proved too difficult. I
did test against a proprietary NTLM implementation, and against the two
built-in auth schemes as well. The results were:
| Authenticated Redirect |
|-------------+---------------+------------|
| Auth Scheme | Without Patch | With Patch |
|-------------+---------------+------------|
| Basic | Works | Works |
| Digest | Fails | Fails |
| NTLM | Fails | Works |
I'm not sure what's wrong with the digest scheme (Firefox works), but
this patch doesn't make digest redirects worse.
Thomas
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 21 Oct 2015 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 9 years and 243 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.