bug#24490: 25.1; restclient no longer sends auth header upon redirect


From: Lars Ingebrigtsen
Subject: bug#24490: 25.1; restclient no longer sends auth header upon redirect
Date: Tue, 06 Jul 2021 17:44:00 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Alain Picard <alain@gocatch.com> writes:

> Dear Maintainers,
>
> In emacs 25.1,
> the code in url-http.el, line 638, states:
>
>   ;; Do not automatically include an authorization header in the
>   ;; redirect.  If needed it will be regenerated by the relevant
>   ;; auth scheme when the new request happens.
>   (setq url-http-extra-headers
>         (cl-remove "Authorization"
>                    url-http-extra-headers :key 'car :test 'equal))
>
> I suspect this automatic regeneration does not occur.

I think this code is basically correct -- if the auth scheme has added
something to url-http-extra-headers, then that has to be removed when
doing the redirect, because otherwise we might be sending the auth to a
completely wrong server, with the security implications of that.

> Problem: I am using restclient.el, and hitting a server which
> issues a redirect, and I receive a 400 Forbidden response because
> the redirected call does not receive the authentication header
> (I can see this from the log of my server).

I think this must be a bug in restclient.el -- it should instead use an
auth scheme that re-adds the Authorization header.

I think.  The URL interface is pretty vague here, as it is with many
other things...

Hm...

Reading

(defun url-http-create-request ()
[...]
         (auth (if (cdr-safe (assoc "Authorization" url-http-extra-headers))
                   nil
                 (url-get-authentication (or
                                          (and (boundp 'proxy-info)
                                               proxy-info)
                                          url-http-target-url) nil 'any nil)))

the auth is never added to `url-http-extra-headers', so perhaps that's
not correct anyway -- it should be possible for the user to put
Authorization in `url-http-extra-headers', and then have that be heeded
even over the redirect.

I've added Thomas to the CCs; perhaps he has some insights here.  (Also
see Bug#21350.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
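The redirect header policy this message discusses, as an added Python example that is not part of the thread or of url-http.el: it contrasts the library's unconditional stripping of Authorization (the `cl-remove` quoted above) with the same-origin rule most HTTP clients use, which keeps credential headers only when the Location resolves to the same scheme, host and port as the original request. The sample headers, URLs and token are constructed, and the function names are my own; the same-origin variant goes beyond what url-http.el does.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample request headers (the token is a placeholder, not a real credential).
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-example-token",
    "Accept": "application/json",
    "User-Agent": "example-client/1.0",
}

# Headers that carry credentials and must not be forwarded to a different origin.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), parts.port or default_port)


def headers_for_redirect(original_url, location, headers, policy="same-origin"):
    """Compute the headers to send on the redirected request.

    policy="always-strip": the url-http.el behaviour quoted in the thread --
        drop Authorization on every redirect, whatever the target is.
    policy="same-origin": keep credential headers only when the Location
        resolves to the same scheme, host and port as the original request;
        a host change or an https->http downgrade drops all CREDENTIAL_HEADERS.
    """
    target = urljoin(original_url, location)  # Location may be relative
    if policy == "always-strip":
        return {k: v for k, v in headers.items() if k.lower() != "authorization"}
    if policy == "same-origin":
        if origin(original_url) == origin(target):
            return dict(headers)
        return {k: v for k, v in headers.items()
                if k.lower() not in CREDENTIAL_HEADERS}
    raise ValueError(f"unknown policy: {policy!r}")


def main():
    # Constructed redirect scenarios: same origin (relative Location),
    # a different host, and a scheme downgrade on the same host.
    cases = [
        ("https://api.example.com/v1/items", "/v1/items/"),
        ("https://api.example.com/v1/items", "https://cdn.example.net/x"),
        ("https://api.example.com/v1/items", "http://api.example.com/v1/"),
    ]
    for original, location in cases:
        for policy in ("always-strip", "same-origin"):
            sent = headers_for_redirect(original, location, SAMPLE_HEADERS, policy)
            print(f"{policy:13} {location:28} Authorization sent: {'Authorization' in sent}")


if __name__ == "__main__":
    main()
```

The same-origin rule is what makes the restclient.el case work without weakening the protection Lars describes: an Authorization header the user put in the extra headers survives a redirect to the same server, but never travels to another host or over a downgraded scheme.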
