GNU bug report logs - #21350
25.0.50; Do not automatically include authorization header in HTTP redirects

Package: emacs;

Reported by: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Date: Wed, 26 Aug 2015 02:38:01 UTC

Severity: normal

Tags: patch

Found in version 25.0.50

Done: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Subject: bug#21350: closed (Re: bug#21350: 25.0.50; Do not automatically
 include authorization header in HTTP redirects)
Date: Wed, 23 Sep 2015 06:10:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 21350 <at> debbugs.gnu.org.

-- 
21350: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=21350
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 21350-done <at> debbugs.gnu.org
Subject: Re: bug#21350: 25.0.50;
 Do not automatically include authorization header in HTTP redirects
Date: Wed, 23 Sep 2015 02:09:32 -0400
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> Here's the updated patch that I tested.  Does it look OK stylistically?
>
> Yes, but you need to change the beginning of the file so cl-lib is not
> only required when compiling but also at run-time (since cl-remove is
> not a macro but a function).

OK, I pushed the patch.  Thanks for reviewing.

I had hoped to publish a Docker image that would allow testing the
various authorization schemes across redirects, but configuring a server
to authenticate with NTLM using Free Software proved too difficult.  I
did test against a proprietary NTLM implementation, and against the two
built-in auth schemes as well.  The results were:

   |          Authenticated Redirect          |
   |-------------+---------------+------------|
   | Auth Scheme | Without Patch | With Patch |
   |-------------+---------------+------------|
   | Basic       | Works         | Works      |
   | Digest      | Fails         | Fails      |
   | NTLM        | Fails         | Works      |

I'm not sure what's wrong with the digest scheme (Firefox works), but
this patch doesn't make digest redirects worse.

Thomas

[Message part 3 (message/rfc822, inline)]
From: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.0.50;
 Do not automatically include authorization header in HTTP redirects
Date: Tue, 25 Aug 2015 22:37:46 -0400
[Message part 4 (text/plain, inline)]
Hi,

This patch is required for url-http-ntlm.el to handle redirects.  I'd
like someone more familiar with url-http.el to review it.  Basically,
this patch leaves it up to the authentication scheme to decide whether
to include an "Authorization" across a redirect or not.

I tested this on normal redirects (independent of url-http-ntlm.el) and
it seems to work fine, with the built-in Basic authorization scheme
re-adding the header where required.

Thanks,
Thomas
[0001-Do-not-include-authorization-header-in-an-HTTP-redir.patch (text/x-patch, attachment)]
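
The behaviour described in the report above, sketched as an added Emacs Lisp example; it is not the patch attached to this bug and not code from url-http.el. All `my/` functions, the credentials alist and the host names are hypothetical and constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
(require 'cl-lib)     ; run-time require: cl-remove is a function, not a macro
(require 'url-parse)  ; url-generic-parse-url, url-host

(defun my/header-name= (a b)
  "Return non-nil if header names A and B match, ignoring case."
  (string= (downcase a) (downcase b)))

(defun my/strip-authorization (headers)
  "Return a copy of HEADERS, an alist of (NAME . VALUE), without Authorization."
  (cl-remove "Authorization" headers :key #'car :test #'my/header-name=))

(defun my/basic-auth-for (url credentials)
  "Hypothetical auth-scheme hook: return a Basic header for URL's host, or nil.
CREDENTIALS is an alist of (HOST . \"user:password\")."
  (let* ((host (url-host (url-generic-parse-url url)))
         (cred (cdr (assoc host credentials))))
    (when cred
      (cons "Authorization"
            (concat "Basic " (base64-encode-string cred t))))))

(defun my/headers-for-redirect (headers new-url credentials)
  "Return the headers to send to NEW-URL after a redirect.
The Authorization header from the original request is always dropped.
The scheme hook re-adds one only if it holds credentials for the new host."
  (let ((clean (my/strip-authorization headers))
        (auth (my/basic-auth-for new-url credentials)))
    (if auth (cons auth clean) clean)))

;; Constructed sample data, not taken from the bug report.
(let ((headers '(("Accept" . "*/*")
                 ("authorization" . "Basic dXNlcjpwYXNz")))
      (creds '(("intranet.example" . "user:pass"))))
  (list
   ;; Redirect to a host the scheme knows: header is re-added by the hook.
   (my/headers-for-redirect headers "http://intranet.example/b" creds)
   ;; Redirect to an unknown host: no Authorization header is sent.
   (my/headers-for-redirect headers "http://other.example/" creds)))
```

Evaluating the final form returns both header lists, so the same-host and cross-host cases can be compared side by side.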

This bug report was last modified 9 years and 243 days ago.
