From: bug#21350 <21350@debbugs.gnu.org>
To: bug#21350 <21350@debbugs.gnu.org>
Subject: Status: 25.0.50; Do not automatically include authorization header in HTTP redirects
Reply-To: bug#21350 <21350@debbugs.gnu.org>
Date: Thu, 19 Jun 2025 23:19:19 +0000

retitle 21350 25.0.50; Do not automatically include authorization header in HTTP redirects
reassign 21350 emacs
submitter 21350 Thomas Fitzsimmons
severity 21350 normal
tag 21350 patch
thanks
From: Thomas Fitzsimmons
To: bug-gnu-emacs@gnu.org
Subject: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Tue, 25 Aug 2015 22:37:46 -0400

Hi,

This patch is required for url-http-ntlm.el to handle redirects.  I'd
like someone more familiar with url-http.el to review it.

Basically, this patch leaves it up to the authentication scheme to
decide whether to include an "Authorization" across a redirect or not.

I tested this on normal redirects (independent of url-http-ntlm.el) and
it seems to work fine, with the built-in Basic authorization scheme
re-adding the header where required.

Thanks,
Thomas

Content-Disposition: attachment; filename=0001-Do-not-include-authorization-header-in-an-HTTP-redir.patch

>From 26b71ed091d23853d1345295004a93c28ef287b9 Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons
Date: Tue, 25 Aug 2015 22:27:44 -0400
Subject: [PATCH] Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not automatically
include Authorization header in redirect.
---
 lisp/url/url-http.el | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2..4f3213d 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el 
@@ -646,6 +646,15 @@ (defun url-http-parse-headers () ;; compute the redirection relative to the URL of the proxy. (setq redirect-uri (url-expand-file-name redirect-uri url-http-target-url))) + ;; Don't automatically include authorization header in redirect. + ;; If needed it will be regenerated by the relevant auth scheme + ;; when the new request happens. + (setq url-http-extra-headers + (let (result) + (dolist (header url-http-extra-headers) + (if (not (equal (car header) "Authorization")) + (push header result))) + (nreverse result))) (let ((url-request-method url-http-method) (url-request-data url-http-data) (url-request-extra-headers url-http-extra-headers)) -- 2.4.2 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Thu Aug 27 22:37:30 2015 Received: (at control) by debbugs.gnu.org; 28 Aug 2015 02:37:31 +0000 Received: from localhost ([127.0.0.1]:40693 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZV9Xm-0007x6-9p for submit@debbugs.gnu.org; Thu, 27 Aug 2015 22:37:30 -0400 Received: from mail-io0-f177.google.com ([209.85.223.177]:34225) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZV9Xk-0007wy-F8 for control@debbugs.gnu.org; Thu, 27 Aug 2015 22:37:28 -0400 Received: by iofe124 with SMTP id e124so13524610iof.1 for ; Thu, 27 Aug 2015 19:37:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:date:message-id:to:subject; bh=PfpK5FFAX0X4F+mIc8rB/E9dmMkWj1rzYxohW6R7Sgs=; b=f6p/GjALVzrq8k4H7QZlOGxi19sbETXbYuxnwrCuc1JLMwQ6XVkpAs6+DBj4Ocv/fN 7WbQDgA5VeoMRbPhAEXhpohxel15qmXgbt+hX0D1pxtauMEJCWH1nEPscN39ALUguIVV NFiqHFEdWdx/3q1cSrWzugNu4s+XEsMRiELPj57gPJY2fqooYVLlqwa/IOo1i2QKc7Pg OB+aahZmKoQ5MaajNYFiDzRGwJzC1Eb9/u1MrhWBtpBZGBrWuBgx2pzXzS+Qc/BAC5rw 1VUUWwZDsJ1k9Y9VAf1VEobWZJKrdHxNnxUZL0IOf7k0q5nZyXInZyRDTknp8jIBOEgY WXaQ== X-Received: by 10.107.36.140 with SMTP id k134mr12176886iok.5.1440729447826; Thu, 27 Aug 2015 19:37:27 -0700 (PDT) Received: from hp-dv5t 
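Review bot: the filter `(if (not (equal (car header) "Authorization")) ...)` compares the field name with exact capitalization, but HTTP header names are case-insensitive, so an entry a caller added as "authorization" would pass the filter and be forwarded with the redirected request to whatever host the Location header named. Compare ignoring case, for example `(eq t (compare-strings (car header) nil nil "Authorization" nil nil t))`, and if callers can also put `Proxy-Authorization` into `url-http-extra-headers`, it deserves the same treatment, given that the context lines just above handle redirects computed relative to a proxy. Style: an `if` with no else branch reads better as `when`, and the dolist/push/nreverse loop can be a single non-destructive removal (`remq` of the `assoc` result, or `cl-remove` with `:key`/`:test`), which is what the rest of the thread converges on.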
(69-165-165-189.dsl.teksavvy.com. [69.165.165.189]) by smtp.gmail.com with ESMTPSA id g85sm3018276iod.32.2015.08.27.19.37.26 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 27 Aug 2015 19:37:27 -0700 (PDT) 
From: Thomas Fitzsimmons
To: control@debbugs.gnu.org
Subject: control message for bug #21350
Date: Thu, 27 Aug 2015 22:37:26 -0400

tags 21350 patch
From: Stefan Monnier
To: Thomas Fitzsimmons
Cc: 21350@debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Sat, 29 Aug 2015 11:21:35 -0400
In-Reply-To: (Thomas Fitzsimmons's message of "Tue, 25 Aug 2015 22:37:46 -0400")

> This patch is required for url-http-ntlm.el to handle redirects.  I'd
> like someone more familiar with url-http.el to review it.

I'm not sure if there is such a someone, to tell you the truth.  I can
give you comments about Elisp style:

+      ;; Don't automatically include authorization header in redirect.
+      ;; If needed it will be regenerated by the relevant auth scheme
+      ;; when the new request happens.
+      (setq url-http-extra-headers
+            (let (result)
+              (dolist (header url-http-extra-headers)
+                (if (not (equal (car header) "Authorization"))
+                    (push header result)))
+              (nreverse result)))

IIUC this is like:

    (let ((a (assoc "Authorization" url-http-extra-headers)))
      (if a (setq url-http-extra-headers (delq a url-http-extra-headers))))

Tho maybe it should be `remq' rather than `delq'.


        Stefan
From: Thomas Fitzsimmons
To: Stefan Monnier
Cc: 21350@debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Mon, 31 Aug 2015 22:33:05 -0400
In-Reply-To: (Stefan Monnier's message of "Sat, 29 Aug 2015 11:21:35 -0400")

Stefan Monnier writes:

>> This patch is required for url-http-ntlm.el to handle redirects.  I'd
>> like someone more familiar with url-http.el to review it.
>
> I'm not sure if there is such a someone, to tell you the truth.  I can
> give you comments about Elisp style:

OK, thanks.

> +      ;; Don't automatically include authorization header in redirect.
> +      ;; If needed it will be regenerated by the relevant auth scheme
> +      ;; when the new request happens.
> +      (setq url-http-extra-headers
> +            (let (result)
> +              (dolist (header url-http-extra-headers)
> +                (if (not (equal (car header) "Authorization"))
> +                    (push header result)))
> +              (nreverse result)))
>
> IIUC this is like:
>
>     (let ((a (assoc "Authorization" url-http-extra-headers)))
>       (if a (setq url-http-extra-headers (delq a url-http-extra-headers))))
>
> Tho maybe it should be `remq' rather than `delq'.

I was trying to remove all occurrences of "Authorization", just in case,
since that's what url-http-ntlm did.  I looked at remq and delq.  delq
looks like it would be faster.  I'm not sure why I would use remq since
I'm overwriting url-http-extra-headers anyway.

url-http-ntlm did this:

(defun url-http-ntlm-rmssoc (key alist)
  (remove* key alist :key 'car :test 'equal))

but should I avoid using cl-lib in this context?

Another consideration is that I want to be able to backport this change
(as an ELPA-installed patch) all the way back to Emacs 24.1, so maybe
that's another reason not to use cl-lib.

Thomas
From: Stefan Monnier
To: Thomas Fitzsimmons
Cc: 21350@debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Mon, 31 Aug 2015 23:58:17 -0400
In-Reply-To: (Thomas Fitzsimmons's message of "Mon, 31 Aug 2015 22:33:05 -0400")

> looks like it would be faster.  I'm not sure why I would use remq since
> I'm overwriting url-http-extra-headers anyway.

It depends on where that list comes from and where it might have been
stored in the meantime.  If we know that no one else points to that
list, then `delq' is the best option.

> but should I avoid using cl-lib in this context?

No, you can feel free to use cl-lib.

> Another consideration is that I want to be able to backport this
> change (as an ELPA-installed patch) all the way back to Emacs 24.1, so
> maybe that's another reason not to use cl-lib.

cl-lib is in GNU ELPA and works fine for Emacs-24.1 (and AFAICT it also
works on Emacs-22 and XEmacs).


        Stefan
From: Thomas Fitzsimmons
To: Stefan Monnier
Cc: 21350@debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Sun, 06 Sep 2015 20:10:27 -0400
In-Reply-To: (Stefan Monnier's message of "Mon, 31 Aug 2015 23:58:17 -0400")

Stefan Monnier writes:

>> looks like it would be faster.  I'm not sure why I would use remq since
>> I'm overwriting url-http-extra-headers anyway.
>
> It depends on where that list comes from and where it might have been
> stored in the meantime.  If we know that no one else points to that
> list, then `delq' is the best option.
>
>> but should I avoid using cl-lib in this context?
>
> No, you can feel free to use cl-lib.
>
>> Another consideration is that I want to be able to backport this
>> change (as an ELPA-installed patch) all the way back to Emacs 24.1, so
>> maybe that's another reason not to use cl-lib.
>
> cl-lib is in GNU ELPA and works fine for Emacs-24.1 (and AFAICT it also
> works on Emacs-22 and XEmacs).

Here's the updated patch that I tested.  Does it look OK stylistically?

I'm going to try to set up some sort of reproducible test for the
various auth schemes across redirects before pushing this, to try to
prove that I'm not breaking some redirect scenarios with this.  I'll see
how far I get with that before pushing.

Thomas

Content-Disposition: attachment; filename=0002-Do-not-include-authorization-header-in-an-HTTP-redir.patch

>From 5a3c80ca5323cde23eca4638a28e4f8cc28dd2df Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons
Date: Sun, 6 Sep 2015 15:56:53 -0400
Subject: [PATCH 2/2] Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not automatically
include Authorization header in redirect.
---
 lisp/url/url-http.el | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2..b5c1a33 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -646,6 +646,12 @@ should be shown to the user." ;; compute the redirection relative to the URL of the proxy. (setq redirect-uri (url-expand-file-name redirect-uri url-http-target-url))) + ;; Do not automatically include an authorization header in the + ;; redirect. If needed it will be regenerated by the relevant + ;; auth scheme when the new request happens. + (setq url-http-extra-headers + (cl-remove "Authorization" + url-http-extra-headers :key 'car :test 'equal)) (let ((url-request-method url-http-method) (url-request-data url-http-data) (url-request-extra-headers url-http-extra-headers)) -- 1.8.3.1 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 07 11:23:11 2015 Received: (at 21350) by debbugs.gnu.org; 7 Sep 2015 15:23:11 +0000 Received: from localhost ([127.0.0.1]:51775 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZYyGF-0006jo-Hs for submit@debbugs.gnu.org; Mon, 07 Sep 2015 11:23:11 -0400 Received: from ironport2-out.teksavvy.com ([206.248.154.181]:37313) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZYyGD-0006jc-9p for 21350@debbugs.gnu.org; Mon, 07 Sep 2015 11:23:09 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0A7FgA731xV/5Wg+M5cgxBUgy6FVbtAhH6CTQQCAoE8OxIBAQEBAQEBgQpBBYNdAQEDAVYjBQsLDiYSFBgNJIg3CM8jAQEBAQEFAQEBAR6LOoUFB4QtAQSzP4FFI2GBWoFZIoJ4AQEB X-IPAS-Result: A0A7FgA731xV/5Wg+M5cgxBUgy6FVbtAhH6CTQQCAoE8OxIBAQEBAQEBgQpBBYNdAQEDAVYjBQsLDiYSFBgNJIg3CM8jAQEBAQEFAQEBAR6LOoUFB4QtAQSzP4FFI2GBWoFZIoJ4AQEB X-IronPort-AV: E=Sophos;i="5.13,465,1427774400"; d="scan'208";a="162790965" Received: from 206-248-160-149.dsl.teksavvy.com (HELO fmsmemgm.homelinux.net) ([206.248.160.149]) by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Sep 2015 11:23:08 -0400 Received: by fmsmemgm.homelinux.net (Postfix, from userid 20848) id 3E475AE11E; Mon, 7 Sep 2015 11:23:08 -0400 (EDT) 
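Review bot: `cl-remove` is a function, not a macro, so this hunk only works if `cl-lib` is loaded at run time; a file that merely has `(eval-when-compile (require 'cl-lib))` will signal `void-function cl-remove` on the first redirect unless something else happened to load cl-lib earlier, so the same patch should add a top-level `(require 'cl-lib)` to url-http.el (the point the follow-up review makes). Two smaller items: write `:key #'car` rather than `:key 'car` so the byte-compiler can check the function reference, and `:test 'equal` is a case-sensitive comparison while HTTP field names are not, so a caller-supplied lowercase `authorization` entry would still be forwarded; a case-insensitive test (for example `(lambda (a b) (eq t (compare-strings a nil nil b nil nil t)))`) closes that gap.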
From: Stefan Monnier
To: Thomas Fitzsimmons
Cc: 21350@debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Mon, 07 Sep 2015 11:23:08 -0400
In-Reply-To: (Thomas Fitzsimmons's message of "Sun, 06 Sep 2015 20:10:27 -0400")

> Here's the updated patch that I tested.  Does it look OK stylistically?

Yes, but you need to change the beginning of the file so cl-lib is not
only required when compiling but also at run-time (since cl-remove is
not a macro but a function).


        Stefan
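An added example, not from this thread or from url-http.el, that puts the two review points side by side in runnable Elisp: `cl-remove` needs `cl-lib` at run time, and a non-destructive removal (what the second patch does) leaves any other holder of the header list untouched, whereas the `delq`-of-`assoc` form removes only the first match and edits the list in place. The `url-example-` names and the sample header alist are constructed here and are not part of Emacs.

```elisp
;; Added example; not code from url-http.el or from the bug thread.
;; cl-lib must be loaded at run time, not just under eval-when-compile,
;; because cl-remove is an ordinary function.
(require 'cl-lib)
(require 'ert)

(defun url-example-strip-authorization (headers)
  "Return HEADERS without any (\"Authorization\" . VALUE) entries.
HEADERS is an alist shaped like `url-http-extra-headers'.  The result
is a fresh list and HEADERS itself is left intact, so a caller that still
holds a reference to it is unaffected.  Every matching entry is dropped,
not only the first.  Dropping the header before following a redirect
keeps the credential from travelling to whatever host Location names;
the auth scheme re-adds it for the new request if that host wants it."
  (cl-remove "Authorization" headers :key #'car :test #'equal))

(defun url-example-strip-authorization-destructively (headers)
  "The `delq' variant from the review, for comparison.
Removes only the first match and splices cons cells of HEADERS in place,
which is visible to anyone else holding HEADERS."
  (let ((a (assoc "Authorization" headers)))
    (if a (delq a headers) headers)))

;; Constructed sample input: the extra headers a caller might pass for
;; the original request.  The credential values are made up.
(defconst url-example-headers
  '(("Accept" . "text/html")
    ("Authorization" . "Basic dXNlcjpwYXNz")
    ("X-Trace" . "1")
    ("Authorization" . "NTLM TlRMTVNTUAAB")))

(ert-deftest url-example-strip-authorization-test ()
  ;; Non-destructive removal: all matches gone, original list untouched.
  (let* ((shared (copy-tree url-example-headers))
         (stripped (url-example-strip-authorization shared)))
    (should-not (assoc "Authorization" stripped))
    (should (equal (mapcar #'car stripped) '("Accept" "X-Trace")))
    (should (equal shared url-example-headers)))
  ;; delq variant: only the first match removed, and SHARED is mutated,
  ;; so the result is the very same list object.
  (let* ((shared (copy-tree url-example-headers))
         (result (url-example-strip-authorization-destructively shared)))
    (should (equal (mapcar #'car result)
                   '("Accept" "X-Trace" "Authorization")))
    (should (eq result shared))
    (should (equal (mapcar #'car shared)
                   '("Accept" "X-Trace" "Authorization")))))
```

Evaluate the buffer and run M-x ert RET url-example- RET; the second `let*` fails only if the NTLM-style second entry were also removed, which is the behaviour the first patch wanted and the `delq` form does not give.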
From: Thomas Fitzsimmons
To: Stefan Monnier
Cc: 21350-done@debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Wed, 23 Sep 2015 02:09:32 -0400
In-Reply-To: (Stefan Monnier's message of "Mon, 07 Sep 2015 11:23:08 -0400")

Stefan Monnier writes:

>> Here's the updated patch that I tested.  Does it look OK stylistically?
>
> Yes, but you need to change the beginning of the file so cl-lib is not
> only required when compiling but also at run-time (since cl-remove is
> not a macro but a function).

OK, I pushed the patch.  Thanks for reviewing.

I had hoped to publish a Docker image that would allow testing the
various authorization schemes across redirects, but configuring a server
to authenticate with NTLM using Free Software proved too difficult.  I
did test against a proprietary NTLM implementation, and against the two
built-in auth schemes as well.  The results were:

|             | Authenticated Redirect     |
|-------------+---------------+------------|
| Auth Scheme | Without Patch | With Patch |
|-------------+---------------+------------|
| Basic       | Works         | Works      |
| Digest      | Fails         | Fails      |
| NTLM        | Fails         | Works      |

I'm not sure what's wrong with the digest scheme (Firefox works), but
this patch doesn't make digest redirects worse.

Thomas

From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 21 Oct 2015 11:24:04 +0000

bug archived.