[Bug-wget] [bug #56909] wget Authorization header leak via 3xx redirects


From: Ryan Blakley
Subject: [Bug-wget] [bug #56909] wget Authorization header leak via 3xx redirects
Date: Mon, 14 Oct 2019 10:58:30 -0400 (EDT)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36

Follow-up Comment #5, bug #56909 (project wget):

Hi, I originally reported this issue. The only reason I reported it as a
security issue was due to it matching the CVE for curl. I was originally going
to report it as a bug, due to the fact it breaks pulling down files from a
generated (redirected) presigned AWS S3 download link.

I use the header option because I'd prefer not to store and/or use raw
passwords on a system. Storing the auth header isn't secure by any means, but
it's better than a raw username and password stored in a file. But as it stands
I have to use a raw username and password to be able to pull down files from a
presigned S3 link if using wget. This is because when using the auth header it
is forwarded to AWS, and AWS throws an "ERROR 400: Bad Request" every time.

Would it be possible to add a parameter to not forward the auth header on
redirects, or make it default to not forwarding unless you pass a parameter
telling it to forward the header like curl implemented?

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?56909>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
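
The behaviour requested in the message above, sketched as an added example (not part of the original message and not wget's or curl's code): a redirect follower that keeps a user-supplied Authorization header only when the redirect stays on the same origin, unless the caller opts in. The function names, the `forward_auth` parameter, the scheme/host/port comparison and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Credential-bearing header discussed in the report (compared case-insensitively).
SENSITIVE = {"authorization"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers, forward_auth=False):
    """Return (next_url, headers) to use when following a 3xx response.

    The Authorization header is dropped when the redirect target has a
    different scheme, host or port, unless forward_auth is set (hypothetical
    opt-in, mirroring the "pass a parameter to forward" idea in the message).
    """
    next_url = urljoin(request_url, location)  # Location may be relative
    if forward_auth or origin(next_url) == origin(request_url):
        return next_url, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}
    return next_url, kept


if __name__ == "__main__":
    # Constructed sample values: an API host redirecting to a presigned link.
    start = "https://files.example.com/download/report.tgz"
    presigned = "https://bucket.storage.example.net/report.tgz?sig=constructed"
    hdrs = {"Authorization": "Basic Y29uc3RydWN0ZWQ6dmFsdWU=", "User-Agent": "demo"}
    print(headers_for_redirect(start, presigned, hdrs))
    print(headers_for_redirect(start, "/mirror/report.tgz", hdrs))
```

With the header stripped on the cross-origin hop, the presigned link is requested with only its own query-string signature, and the credential is never sent to the second host.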



