bug#24490: 25.1; restclient no longer sends auth header upon redirect
From: Lars Ingebrigtsen
Subject: bug#24490: 25.1; restclient no longer sends auth header upon redirect
Date: Tue, 06 Jul 2021 17:44:00 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
Alain Picard <alain@gocatch.com> writes:
> Dear Maintainers,
>
> In emacs 25.1,
> the code in url-http.el, line 638, states:
>
> ;; Do not automatically include an authorization header in the
> ;; redirect. If needed it will be regenerated by the relevant
> ;; auth scheme when the new request happens.
> (setq url-http-extra-headers
>       (cl-remove "Authorization"
>                  url-http-extra-headers :key 'car :test 'equal))
>
> I suspect this automatic regeneration does not occur.
I think this code is basically correct -- if the auth scheme has added
something to url-http-extra-headers, then that has to be removed when
doing the redirect, because otherwise we might be sending the auth to a
completely wrong server, with the security implications of that.
> Problem: I am using restclient.el, and hitting a server which
> issues a redirect, and I receive a 400 Forbidden response because
> the redirected call does not receive the authentication header
> (I can see this from the log of my server).
I think this must be a bug in restclient.el -- it should instead use an
auth scheme that re-adds the Authorization header.
I think. The URL interface is pretty vague here, as it is with many
other things...
Hm...
Reading
(defun url-http-create-request ()
  [...]
  (auth (if (cdr-safe (assoc "Authorization" url-http-extra-headers))
            nil
          (url-get-authentication (or
                                   (and (boundp 'proxy-info)
                                        proxy-info)
                                   url-http-target-url) nil 'any nil)))
the auth is never added to `url-http-extra-headers', so perhaps that's
not correct anyway -- it should be possible for the user to put
Authorization in `url-http-extra-headers', and then have that be heeded
even over the redirect.
I've added Thomas to the CCs; perhaps he has some insights here. (Also
see Bug#21350.)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
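As an added example (not code from url-http.el or restclient.el), here is the redirect policy discussed above in Python: a client that strips Authorization on every redirect, as the quoted url-http.el code does, and relies on an auth-scheme hook to put it back, beside the origin-based variant that keeps the header only when scheme, host and port are unchanged. The URLs, the `ROUTES` table, `demo_transport` and `token_for` are constructed stand-ins, and `reauth` is a hypothetical hook standing in for url-get-authentication.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port): http://h and https://h are different origins."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def redirect_headers(headers, from_url, to_url, strict=True):
    """strict=True mirrors the quoted url-http.el code: Authorization is always
    dropped and the auth scheme must re-add it. strict=False is the origin-based
    policy many other clients use: keep it only if scheme, host, port match."""
    if not strict and origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}

def follow(transport, url, headers, strict=True, reauth=None, max_hops=5):
    """Follow 3xx responses, rebuilding headers at every hop. reauth(url) is a
    hypothetical stand-in for url-get-authentication: it returns a credential
    for the new URL or None. Returns (status, hops, headers sent last)."""
    hops = [url]
    for _ in range(max_hops):
        status, location = transport(url, headers)
        if status not in (301, 302, 303, 307, 308):
            return status, hops, headers
        headers = redirect_headers(headers, url, location, strict)
        if reauth and "Authorization" not in headers:
            cred = reauth(location)
            if cred:
                headers["Authorization"] = cred
        url = location
        hops.append(url)
    raise RuntimeError("too many redirects")

# Constructed stand-in for the servers; nothing touches the network.
ROUTES = {
    "https://api.example/v1/thing": (302, "https://api.example/v2/thing"),
    "https://api.example/old": (302, "https://other.example/new"),
}

def demo_transport(url, headers):
    """Redirect per ROUTES; any other URL demands an Authorization header."""
    if url in ROUTES:
        return ROUTES[url]
    return (200, None) if "Authorization" in headers else (401, None)

def token_for(url):
    """Constructed auth scheme that only holds credentials for api.example."""
    return "Bearer demo-token" if origin(url)[1] == "api.example" else None
```

With `strict=True` and no `reauth` hook the second hop goes out without the header and the server answers 401, which is the failure described in the report; supplying the hook restores the header on the same host but never on a different one.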