From unknown Sun Jun 15 08:55:40 2025 X-Loop: help-debbugs@gnu.org Subject: bug#27022: url-retrieve + .authinfo bug Resent-From: Andy Wingo Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 22 May 2017 18:11:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 27022 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: 27022@debbugs.gnu.org X-Debbugs-Original-To: bug-emacs@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.149547661610670 (code B ref -1); Mon, 22 May 2017 18:11:02 +0000 Received: (at submit) by debbugs.gnu.org; 22 May 2017 18:10:16 +0000 Received: from localhost ([127.0.0.1]:33189 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dCrma-0002m2-Fl for submit@debbugs.gnu.org; Mon, 22 May 2017 14:10:16 -0400 Received: from eggs.gnu.org ([208.118.235.92]:52162) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dCrmY-0002lp-F9 for submit@debbugs.gnu.org; Mon, 22 May 2017 14:10:14 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dCrmS-0001RH-Ex for submit@debbugs.gnu.org; Mon, 22 May 2017 14:10:09 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:60124) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dCrmS-0001RB-C3 for submit@debbugs.gnu.org; Mon, 22 May 2017 14:10:08 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43133) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dCrmR-0007Un-AP for bug-gnu-emacs@gnu.org; Mon, 22 May 2017 14:10:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dCrmQ-0001OE-Ej for bug-gnu-emacs@gnu.org; Mon, 22 May 2017 14:10:07 -0400 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:45089) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dCrmQ-0001O8-Br for bug-gnu-emacs@gnu.org; Mon, 22 May 2017 14:10:06 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35744) by fencepost.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dCrmQ-0001UH-09 for bug-emacs@gnu.org; Mon, 22 May 2017 14:10:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dCrmM-0001N9-E6 for bug-emacs@gnu.org; Mon, 22 May 2017 14:10:05 -0400 Received: from pb-sasl1.pobox.com ([64.147.108.66]:61809 helo=sasl.smtp.pobox.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dCrmM-0001Mc-90 for bug-emacs@gnu.org; Mon, 22 May 2017 14:10:02 -0400 Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by pb-sasl1.pobox.com (Postfix) with ESMTP id 564226C73F for ; Mon, 22 May 2017 14:09:58 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=from:to :subject:date:message-id:mime-version:content-type; s=sasl; bh=A RQd2UDWNoyWxFlJZ6dXNf3fslw=; b=AsWf5tZgtsBKZykFWJfGuVIv34GsRhWSf F9+X9t3/C8IA8oAIA1AOBKhv3DpacpjSOjCuMRwdcSjTQ/xN2W2OWUbwZh/8ruR4 Lj6nQ5Z2bckYfbS3rR3WBDEaFFqg6D1LeK+W6siQFIgQAlA7VlXnET0pkIiXFlb+ 75woug008s= DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=from:to:subject :date:message-id:mime-version:content-type; q=dns; s=sasl; b=BJC bzpnC7ydhjtYoF8LVADRgXV/j/bcWIuchsdSvYARlLdS4TSTqTzyxJTdQq7AiBzE PDWDRhk/CP4YQZlfBogqZ1wo24Fds0QUC6h9hB+6dSsW2k0/odIEF4JO7bqYbE6s ycrHsIyvnLYvxV8FixPYHx0ybXMJiY39448Q6tiY= Received: from pb-sasl1.nyi.icgroup.com (unknown [127.0.0.1]) by pb-sasl1.pobox.com (Postfix) with ESMTP id 4F5F66C73E for ; Mon, 22 May 2017 14:09:58 -0400 (EDT) Received: from clucks (unknown [81.34.20.186]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pb-sasl1.pobox.com (Postfix) with ESMTPSA id 8BC986C73C for ; Mon, 22 May 2017 14:09:57 -0400 (EDT) From: Andy Wingo Date: Mon, 22 May 2017 20:09:49 +0200 Message-ID: <87r2zgbw5u.fsf@pobox.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Pobox-Relay-ID: DD452BAC-3F19-11E7-AAF2-9BB2D5707B88-02397024!pb-sasl1.pobox.com X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.3 (----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.3 (----) Hi, If you try to do a url-retrieve over HTTP on a URL that requires HTTP basic authentication, and you have an .authinfo file, and that .authinfo contains an incorrect login, then Emacs will keep appending the same Authorization: header to the request -- over and over, making the request larger and larger, with no stop condition. Eventually nginx produces a "400 Bad Request" error because there were too many headers. Emacs should instead error after the first attempt at authentication fails. $ emacs --version GNU Emacs 25.2.1 Andy From unknown Sun Jun 15 08:55:40 2025 X-Loop: help-debbugs@gnu.org Subject: bug#27022: url-retrieve + .authinfo bug Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 26 Jul 2019 08:47:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 27022 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: Andy Wingo Cc: 27022@debbugs.gnu.org Received: via spool by 27022-submit@debbugs.gnu.org id=B27022.156413081012939 (code B ref 27022); Fri, 26 Jul 2019 08:47:01 +0000 Received: (at 27022) by debbugs.gnu.org; 26 Jul 2019 08:46:50 +0000 Received: from localhost ([127.0.0.1]:40807 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hqvsH-0003MP-SM for submit@debbugs.gnu.org; Fri, 26 Jul 2019 04:46:50 -0400 Received: from quimby.gnus.org ([80.91.231.51]:57596) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hqvsE-0003J6-Qy for 27022@debbugs.gnu.org; Fri, 26 Jul 2019 04:46:47 -0400 Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1hqvs9-0004eB-Em; Fri, 26 Jul 2019 10:46:44 +0200 From: Lars Ingebrigtsen References: <87r2zgbw5u.fsf@pobox.com> Date: Fri, 26 Jul 2019 10:46:40 +0200 In-Reply-To: <87r2zgbw5u.fsf@pobox.com> (Andy Wingo's message of "Mon, 22 May 2017 20:09:49 +0200") Message-ID: <87h879p4i7.fsf@mouse.gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Andy Wingo writes: > If you try to do a url-retrieve over HTTP on a URL that requires HTTP > basic authentication, and you have an .authinfo file, and that .authinfo > contains an incorrect login, then Emacs will keep a [...] Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Andy Wingo writes: > If you try to do a url-retrieve over HTTP on a URL that requires HTTP > basic authentication, and you have an .authinfo file, and that .authinfo > contains an incorrect login, then Emacs will keep appending the same > Authorization: header to the request -- over and over, making the > request larger and larger, with no stop condition. Eventually nginx > produces a "400 Bad Request" error because there were too many headers. > > Emacs should instead error after the first attempt at authentication > fails. I'm able to reproduce this with this in my .authinfo file: machine jigsaw.w3.org:443 login guest password wrong and then: (url-retrieve "https://jigsaw.w3.org/HTTP/Basic/" #'ignore) -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From unknown Sun Jun 15 08:55:40 2025 X-Loop: help-debbugs@gnu.org Subject: bug#27022: url-retrieve + .authinfo bug Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 26 Jul 2019 08:57:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 27022 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: Andy Wingo Cc: 27022@debbugs.gnu.org Received: via spool by 27022-submit@debbugs.gnu.org id=B27022.156413139016082 (code B ref 27022); Fri, 26 Jul 2019 08:57:01 +0000 Received: (at 27022) by debbugs.gnu.org; 26 Jul 2019 08:56:30 +0000 Received: from localhost ([127.0.0.1]:40812 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hqw1e-0004BD-0v for submit@debbugs.gnu.org; Fri, 26 Jul 2019 04:56:30 -0400 Received: from quimby.gnus.org ([80.91.231.51]:57660) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hqw1b-0004B1-36 for 27022@debbugs.gnu.org; Fri, 26 Jul 2019 04:56:27 -0400 Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1hqw1V-0004hS-V2; Fri, 26 Jul 2019 10:56:25 +0200 From: Lars Ingebrigtsen References: <87r2zgbw5u.fsf@pobox.com> <87h879p4i7.fsf@mouse.gnus.org> Date: Fri, 26 Jul 2019 10:56:21 +0200 In-Reply-To: <87h879p4i7.fsf@mouse.gnus.org> (Lars Ingebrigtsen's message of "Fri, 26 Jul 2019 10:46:40 +0200") Message-ID: <87d0hxp422.fsf@mouse.gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Lars Ingebrigtsen writes: > Andy Wingo writes: > >> If you try to do a url-retrieve over HTTP on a URL that requires HTTP >> basic authentication, and you have an .authinfo file, and that .authinfo >> contain [...] Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Lars Ingebrigtsen writes: > Andy Wingo writes: > >> If you try to do a url-retrieve over HTTP on a URL that requires HTTP >> basic authentication, and you have an .authinfo file, and that .authinfo >> contains an incorrect login, then Emacs will keep appending the same >> Authorization: header to the request -- over and over, making the >> request larger and larger, with no stop condition. Eventually nginx >> produces a "400 Bad Request" error because there were too many headers. >> >> Emacs should instead error after the first attempt at authentication >> fails. > > I'm able to reproduce this with this in my .authinfo file: > > machine jigsaw.w3.org:443 login guest password wrong > > and then: > > (url-retrieve "https://jigsaw.w3.org/HTTP/Basic/" #'ignore) And this should now be fixed on the Emacs trunk. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 26 04:56:38 2019 Received: (at control) by debbugs.gnu.org; 26 Jul 2019 08:56:38 +0000 Received: from localhost ([127.0.0.1]:40817 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hqw1m-0004Bl-L4 for submit@debbugs.gnu.org; Fri, 26 Jul 2019 04:56:38 -0400 Received: from quimby.gnus.org ([80.91.231.51]:57674) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hqw1i-0004BS-Ln for control@debbugs.gnu.org; Fri, 26 Jul 2019 04:56:35 -0400 Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1hqw1d-0004ha-Gy for control@debbugs.gnu.org; Fri, 26 Jul 2019 10:56:31 +0200 Date: Fri, 26 Jul 2019 10:56:28 +0200 Message-Id: <87blxhp41v.fsf@mouse.gnus.org> To: control@debbugs.gnu.org From: Lars Ingebrigtsen Subject: control message for bug #27022 X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: tags 27022 fixed close 27022 27.1 quit Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) tags 27022 fixed close 27022 27.1 quit