GNU bug report logs - #21350
25.0.50; Do not automatically include authorization header in HTTP redirects

Previous Next

Package: emacs;

Reported by: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Date: Wed, 26 Aug 2015 02:38:01 UTC

Severity: normal

Tags: patch

Found in version 25.0.50

Done: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 21350 <at> debbugs.gnu.org
Subject: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
Date: Mon, 31 Aug 2015 22:33:05 -0400

Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> This patch is required for url-http-ntlm.el to handle redirects.  I'd
>> like someone more familiar with url-http.el to review it.
>
> I'm not sure if there is such a someone, to tell you the truth.  I can
> give you comments about Elisp style:

OK, thanks.

> +	   ;; Don't automatically include authorization header in redirect.
> +	   ;; If needed it will be regenerated by the relevant auth scheme
> +	   ;; when the new request happens.
> +	   (setq url-http-extra-headers
> +		 (let (result)
> +		   (dolist (header url-http-extra-headers)
> +		     (if (not (equal (car header) "Authorization"))
> +			 (push header result)))
> +		   (nreverse result)))
>
> IIUC this is like:
>
>   (let ((a (assoc "Authorization" url-http-extra-headers)))
>     (if a (setq url-http-extra-headers (delq a url-http-extra-headers))))
>
> Tho maybe it should be `remq' rather than `delq'.

I was trying to remove all occurrences of "Authorization", just in case,
since that's what url-http-ntlm did.  I looked at remq and delq.  delq
looks like it would be faster.  I'm not sure why I would use remq since
I'm overwriting url-http-extra-headers anyway.

url-http-ntlm did this:

(defun url-http-ntlm-rmssoc (key alist)
  (remove* key alist :key 'car :test 'equal))

but should I avoid using cl-lib in this context?  Another consideration
is that I want to be able to backport this change (as an ELPA-installed
patch) all the way back to Emacs 24.1, so maybe that's another reason
not to use cl-lib.

Thomas
This bug report was last modified 9 years and 243 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.