GNU bug report logs - #21350
25.0.50; Do not automatically include authorization header in HTTP redirects

Package: emacs;

Reported by: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Date: Wed, 26 Aug 2015 02:38:01 UTC

Severity: normal

Tags: patch

Found in version 25.0.50

Done: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#21350: closed (25.0.50; Do not automatically include
 authorization header in HTTP redirects)
Date: Wed, 23 Sep 2015 06:10:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Wed, 23 Sep 2015 02:09:32 -0400
with message-id <m3eghpk6oz.fsf <at> fitzsim.org>
and subject line Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects
has caused the debbugs.gnu.org bug report #21350,
regarding 25.0.50; Do not automatically include authorization header in HTTP redirects
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
21350: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=21350
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.0.50;
 Do not automatically include authorization header in HTTP redirects
Date: Tue, 25 Aug 2015 22:37:46 -0400
[Message part 3 (text/plain, inline)]
Hi,

This patch is required for url-http-ntlm.el to handle redirects.  I'd
like someone more familiar with url-http.el to review it.  Basically,
this patch leaves it up to the authentication scheme to decide whether
to include an "Authorization" header across a redirect or not.

I tested this on normal redirects (independent of url-http-ntlm.el) and
it seems to work fine, with the built-in Basic authorization scheme
re-adding the header where required.

Thanks,
Thomas
[0001-Do-not-include-authorization-header-in-an-HTTP-redir.patch (text/x-patch, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 21350-done <at> debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50;
 Do not automatically include authorization header in HTTP redirects
Date: Wed, 23 Sep 2015 02:09:32 -0400
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> Here's the updated patch that I tested.  Does it look OK stylistically?
>
> Yes, but you need to change the beginning of the file so cl-lib is not
> only required when compiling but also at run-time (since cl-remove is
> not a macro but a function).

OK, I pushed the patch.  Thanks for reviewing.

I had hoped to publish a Docker image that would allow testing the
various authorization schemes across redirects, but configuring a server
to authenticate with NTLM using Free Software proved too difficult.  I
did test against a proprietary NTLM implementation, and against the two
built-in auth schemes as well.  The results were:

   |          Authenticated Redirect          |
   |-------------+---------------+------------|
   | Auth Scheme | Without Patch | With Patch |
   |-------------+---------------+------------|
   | Basic       | Works         | Works      |
   | Digest      | Fails         | Fails      |
   | NTLM        | Fails         | Works      |

I'm not sure what's wrong with the digest scheme (Firefox works), but
this patch doesn't make digest redirects worse.

Thomas
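
The behaviour discussed in this report, sketched as an added Emacs Lisp example (not the attached patch and not code from url-http.el): on a redirect the old Authorization header is dropped, and the authentication scheme decides whether to attach a fresh one, so credentials are not forwarded to a host that never asked for them. All demo-* names, the host names and the sample headers are constructed for illustration; the per-scheme hook is an assumption standing in for a scheme's own logic.

```elisp
;;; demo-redirect-auth.el --- added illustration  -*- lexical-binding: t -*-

;; Run-time require: `cl-remove' is a function, not a macro, so loading
;; cl-lib only at compile time is not enough.
(require 'cl-lib)

(defun demo-strip-authorization (headers)
  "Return HEADERS, an alist of (NAME . VALUE), without Authorization entries.
Header names are compared case-insensitively.  HEADERS is not modified."
  (cl-remove "authorization" headers
             :key (lambda (h) (downcase (car h)))
             :test #'string=))

(defun demo-basic-credentials (host)
  "Hypothetical per-scheme hook: return an Authorization value for HOST, or nil.
Only the constructed host \"intranet.example\" has stored credentials."
  (when (string= host "intranet.example")
    (concat "Basic " (base64-encode-string "user:secret"))))

(defun demo-redirect-headers (headers new-host scheme-fn)
  "Build the header alist for a redirected request to NEW-HOST.
The Authorization header carried by the original request is always
dropped; SCHEME-FN alone decides whether a fresh one is attached."
  (let ((clean (demo-strip-authorization headers))
        (auth (funcall scheme-fn new-host)))
    (if auth
        (cons (cons "Authorization" auth) clean)
      clean)))

;; Constructed sample: headers of a request that was already authenticated.
(defvar demo-headers
  '(("Accept" . "*/*")
    ("authorization" . "Basic dXNlcjpzZWNyZXQ=")))

;; Redirect to a host the scheme has no credentials for: nothing is forwarded.
(cl-assert (equal (demo-redirect-headers demo-headers "other.example"
                                         #'demo-basic-credentials)
                  '(("Accept" . "*/*"))))

;; Redirect to a host the scheme knows: the scheme re-adds the header itself.
(cl-assert (equal (car (demo-redirect-headers demo-headers "intranet.example"
                                              #'demo-basic-credentials))
                  '("Authorization" . "Basic dXNlcjpzZWNyZXQ=")))
```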


This bug report was last modified 9 years and 243 days ago.
