GNU bug report logs - #24490
25.1; restclient no longer sends auth header upon redirect

Previous Next

Package: emacs;

Reported by: Alain Picard <alain <at> gocatch.com>

Date: Wed, 21 Sep 2016 05:47:01 UTC

Severity: normal

Tags: moreinfo

Found in version 25.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 24490 in the body.
You can then email your comments to 24490 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#24490; Package emacs. (Wed, 21 Sep 2016 05:47:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alain Picard <alain <at> gocatch.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Wed, 21 Sep 2016 05:47:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Alain Picard <alain <at> gocatch.com>
To: bug-gnu-emacs <at> gnu.org
Cc: Alain Picard <alain <at> gocatch.com>
Subject: 25.1; restclient no longer sends auth header upon redirect
Date: Wed, 21 Sep 2016 14:19:18 +1000
[Message part 1 (text/plain, inline)]
Dear Maintainers,

In emacs 25.1,
the code in url-http.el, line 638, states:

  ;; Do not automatically include an authorization header in the
  ;; redirect.  If needed it will be regenerated by the relevant
  ;; auth scheme when the new request happens.
  (setq url-http-extra-headers
(cl-remove "Authorization"
   url-http-extra-headers :key 'car :test 'equal))


I suspect this automatic regenration does not occur.
Problem: I am using restclient.el, and hitting a server which
issues a redirect, and I receive a 400 Forbidden response because
the redirected call does not receive the authentication header
(I can see this from the log of my server).

Here is a subset of my test http file in restclient mode:
------------------
:host = http://localhost:4348
:driver-2 = goCatch 9999

#
GET :host/api/v2/jobs
X-Gocatch-State: {"available" : true, "lat": -33.1, "lng":150.9,
"speed":15, "error":5, "direction":310 }
Authorization: :driver-2
------------------

In emacs 24, this used to return:
  [lots of text here snipped]
// GET http://localhost:4348/api/v2/jobs
// HTTP/1.1 200 OK
// Content-Type: application/json; charset=utf-8
// Cache-Control: max-age=0
// Content-Length: 1222
// Server: http-kit
// Date: Wed, 21 Sep 2016 04:13:46 GMT
// Request duration: 0.247260s


But in emacs 25 it now returns:

No or invalid authentication details are provided
// GET http://localhost:4348/api/v2/jobs
// HTTP/1.1 401 Unauthorized
// Cache-Control: max-age=0
// Content-Length: 49
// Server: http-kit
// Date: Wed, 21 Sep 2016 04:14:29 GMT
// Request duration: 0.131224s


If I comment out the 3 lines starting at line 642:
  (setq url-http-extra-headers
(cl-remove "Authorization"
   url-http-extra-headers :key 'car :test 'equal))

I get back the original, correct behaviour.


Thanks in advance, and thanks for all the great work on
emacs... I've been appreciating your hard work (and emacs) for nearly 25
years.  :-)


                   Alain Picard

================================================================


In GNU Emacs 25.1.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version
10.9.5 (Build 13F1911))
 of 2016-09-18 built on builder10-9.porkrind.org
Windowing system distributor 'Apple', version 10.3.1404
Configured using:
 'configure --with-ns '--enable-locallisppath=/Library/Application
 Support/Emacs/${version}/site-lisp:/Library/Application
 Support/Emacs/site-lisp''

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS

Important settings:
  value of $LANG: en_AU.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Ediff

Minor modes in effect:
  magit-auto-revert-mode: t
  global-git-commit-mode: t
  async-bytecomp-package-mode: t
  show-paren-mode: t
  shell-dirtrack-mode: t
  diff-auto-refine-mode: t
  flx-ido-mode: t
  ido-everywhere: t
  winner-mode: t
  auto-insert-mode: t
  global-company-mode: t
  company-mode: t
  override-global-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
Region 29 in buffer A is empty [2 times]
Refining difference region 30 ...
ediff-next-difference: At end of the difference list
Region 29 in buffer A is empty [2 times]
Region 28 in buffer A is empty [2 times]
Region 27 in buffer A is empty [2 times]
Region 26 in buffer A is empty [2 times]
Region 19 in buffer A is empty [4 times]
Quit
Saved text until " Type"

Load-path shadows:
/Users/ap/.emacs.d/elpa/cider-browse-ns-20140725.2249/cider-browse-ns hides
/Users/ap/.emacs.d/elpa/cider-0.13.0/cider-browse-ns
/Users/ap/.emacs.d/elpa/helm-20160413.2223/helm-multi-match hides
/Users/ap/.emacs.d/elpa/helm-core-20160415.1131/helm-multi-match
/Users/ap/.emacs.d/elpa/circe-20160413.1027/lcs hides
/Users/ap/.emacs.d/elpa/lcs-20121201.555/lcs
/Users/ap/.emacs.d/elpa/circe-20160413.1027/lui hides
/Users/ap/.emacs.d/elpa/lui-20140910.112/lui
/Users/ap/.emacs.d/elpa/circe-20160413.1027/lui-logging hides
/Users/ap/.emacs.d/elpa/lui-20140910.112/lui-logging
/Users/ap/.emacs.d/elpa/circe-20160413.1027/lui-irc-colors hides
/Users/ap/.emacs.d/elpa/lui-20140910.112/lui-irc-colors
/Users/ap/.emacs.d/elpa/circe-20160413.1027/lui-format hides
/Users/ap/.emacs.d/elpa/lui-20140910.112/lui-format
/Users/ap/.emacs.d/elpa/circe-20160413.1027/lui-autopaste hides
/Users/ap/.emacs.d/elpa/lui-20140910.112/lui-autopaste
/Users/ap/.emacs.d/elpa/circe-20160413.1027/shorten hides
/Users/ap/.emacs.d/elpa/shorten-20131201.620/shorten
/Users/ap/.emacs.d/elpa/color-theme-solarized-20160219.924/solarized-theme
hides /Users/ap/.emacs.d/elpa/solarized-theme-20160408.1143/solarized-theme
/Users/ap/.emacs.d/elpa/circe-20160413.1027/tracking hides
/Users/ap/.emacs.d/elpa/tracking-20151129.319/tracking
/Users/ap/.emacs.d/elpa/circe-20160413.1027/shorten hides
/Users/ap/.emacs.d/elpa/tracking-20151129.319/shorten
/Users/ap/.emacs.d/emacs-hacks/whitespace hides
/Applications/Emacs.app/Contents/Resources/lisp/whitespace
/Users/ap/.emacs.d/elpa/org-20160411/ox hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox
/Users/ap/.emacs.d/elpa/org-20160411/ox-texinfo hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-texinfo
/Users/ap/.emacs.d/elpa/org-20160411/ox-publish hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-publish
/Users/ap/.emacs.d/elpa/org-20160411/ox-org hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-org
/Users/ap/.emacs.d/elpa/org-20160411/ox-odt hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-odt
/Users/ap/.emacs.d/elpa/org-20160411/ox-md hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-md
/Users/ap/.emacs.d/elpa/org-20160411/ox-man hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-man
/Users/ap/.emacs.d/elpa/org-20160411/ox-latex hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-latex
/Users/ap/.emacs.d/elpa/org-20160411/ox-icalendar hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-icalendar
/Users/ap/.emacs.d/elpa/org-20160411/ox-html hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-html
/Users/ap/.emacs.d/elpa/org-20160411/ox-beamer hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-beamer
/Users/ap/.emacs.d/elpa/org-20160411/ox-ascii hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ox-ascii
/Users/ap/.emacs.d/elpa/org-20160411/org hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org
/Users/ap/.emacs.d/elpa/org-20160411/org-w3m hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-w3m
/Users/ap/.emacs.d/elpa/org-20160411/org-version hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-version
/Users/ap/.emacs.d/elpa/org-20160411/org-timer hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-timer
/Users/ap/.emacs.d/elpa/org-20160411/org-table hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-table
/Users/ap/.emacs.d/elpa/org-20160411/org-src hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-src
/Users/ap/.emacs.d/elpa/org-20160411/org-rmail hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-rmail
/Users/ap/.emacs.d/elpa/org-20160411/org-protocol hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-protocol
/Users/ap/.emacs.d/elpa/org-20160411/org-plot hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-plot
/Users/ap/.emacs.d/elpa/org-20160411/org-pcomplete hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-pcomplete
/Users/ap/.emacs.d/elpa/org-20160411/org-mouse hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-mouse
/Users/ap/.emacs.d/elpa/org-20160411/org-mobile hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-mobile
/Users/ap/.emacs.d/elpa/org-20160411/org-mhe hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-mhe
/Users/ap/.emacs.d/elpa/org-20160411/org-macs hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-macs
/Users/ap/.emacs.d/elpa/org-20160411/org-macro hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-macro
/Users/ap/.emacs.d/elpa/org-20160411/org-loaddefs hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-loaddefs
/Users/ap/.emacs.d/elpa/org-20160411/org-list hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-list
/Users/ap/.emacs.d/elpa/org-20160411/org-irc hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-irc
/Users/ap/.emacs.d/elpa/org-20160411/org-install hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-install
/Users/ap/.emacs.d/elpa/org-20160411/org-inlinetask hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-inlinetask
/Users/ap/.emacs.d/elpa/org-20160411/org-info hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-info
/Users/ap/.emacs.d/elpa/org-20160411/org-indent hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-indent
/Users/ap/.emacs.d/elpa/org-20160411/org-id hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-id
/Users/ap/.emacs.d/elpa/org-20160411/org-habit hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-habit
/Users/ap/.emacs.d/elpa/org-20160411/org-gnus hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-gnus
/Users/ap/.emacs.d/elpa/org-20160411/org-footnote hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-footnote
/Users/ap/.emacs.d/elpa/org-20160411/org-feed hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-feed
/Users/ap/.emacs.d/elpa/org-20160411/org-faces hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-faces
/Users/ap/.emacs.d/elpa/org-20160411/org-eshell hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-eshell
/Users/ap/.emacs.d/elpa/org-20160411/org-entities hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-entities
/Users/ap/.emacs.d/elpa/org-20160411/org-element hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-element
/Users/ap/.emacs.d/elpa/org-20160411/org-docview hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-docview
/Users/ap/.emacs.d/elpa/org-20160411/org-datetree hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-datetree
/Users/ap/.emacs.d/elpa/org-20160411/org-ctags hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-ctags
/Users/ap/.emacs.d/elpa/org-20160411/org-crypt hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-crypt
/Users/ap/.emacs.d/elpa/org-20160411/org-compat hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-compat
/Users/ap/.emacs.d/elpa/org-20160411/org-colview hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-colview
/Users/ap/.emacs.d/elpa/org-20160411/org-clock hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-clock
/Users/ap/.emacs.d/elpa/org-20160411/org-capture hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-capture
/Users/ap/.emacs.d/elpa/org-20160411/org-bibtex hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-bibtex
/Users/ap/.emacs.d/elpa/org-20160411/org-bbdb hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-bbdb
/Users/ap/.emacs.d/elpa/org-20160411/org-attach hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-attach
/Users/ap/.emacs.d/elpa/org-20160411/org-archive hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-archive
/Users/ap/.emacs.d/elpa/org-20160411/org-agenda hides
/Applications/Emacs.app/Contents/Resources/lisp/org/org-agenda
/Users/ap/.emacs.d/elpa/org-20160411/ob hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob
/Users/ap/.emacs.d/elpa/org-20160411/ob-tangle hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-tangle
/Users/ap/.emacs.d/elpa/org-20160411/ob-table hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-table
/Users/ap/.emacs.d/elpa/org-20160411/ob-sqlite hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-sqlite
/Users/ap/.emacs.d/elpa/org-20160411/ob-sql hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-sql
/Users/ap/.emacs.d/elpa/org-20160411/ob-shen hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-shen
/Users/ap/.emacs.d/elpa/org-20160411/ob-screen hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-screen
/Users/ap/.emacs.d/elpa/org-20160411/ob-scheme hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-scheme
/Users/ap/.emacs.d/elpa/org-20160411/ob-scala hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-scala
/Users/ap/.emacs.d/elpa/org-20160411/ob-sass hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-sass
/Users/ap/.emacs.d/elpa/org-20160411/ob-ruby hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-ruby
/Users/ap/.emacs.d/elpa/org-20160411/ob-ref hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-ref
/Users/ap/.emacs.d/elpa/org-20160411/ob-R hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-R
/Users/ap/.emacs.d/elpa/org-20160411/ob-python hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-python
/Users/ap/.emacs.d/elpa/org-20160411/ob-plantuml hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-plantuml
/Users/ap/.emacs.d/elpa/org-20160411/ob-picolisp hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-picolisp
/Users/ap/.emacs.d/elpa/org-20160411/ob-perl hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-perl
/Users/ap/.emacs.d/elpa/org-20160411/ob-org hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-org
/Users/ap/.emacs.d/elpa/org-20160411/ob-octave hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-octave
/Users/ap/.emacs.d/elpa/org-20160411/ob-ocaml hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-ocaml
/Users/ap/.emacs.d/elpa/org-20160411/ob-mscgen hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-mscgen
/Users/ap/.emacs.d/elpa/org-20160411/ob-maxima hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-maxima
/Users/ap/.emacs.d/elpa/org-20160411/ob-matlab hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-matlab
/Users/ap/.emacs.d/elpa/org-20160411/ob-makefile hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-makefile
/Users/ap/.emacs.d/elpa/org-20160411/ob-lob hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-lob
/Users/ap/.emacs.d/elpa/org-20160411/ob-lisp hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-lisp
/Users/ap/.emacs.d/elpa/org-20160411/ob-lilypond hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-lilypond
/Users/ap/.emacs.d/elpa/org-20160411/ob-ledger hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-ledger
/Users/ap/.emacs.d/elpa/org-20160411/ob-latex hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-latex
/Users/ap/.emacs.d/elpa/org-20160411/ob-keys hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-keys
/Users/ap/.emacs.d/elpa/org-20160411/ob-js hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-js
/Users/ap/.emacs.d/elpa/org-20160411/ob-java hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-java
/Users/ap/.emacs.d/elpa/org-20160411/ob-io hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-io
/Users/ap/.emacs.d/elpa/org-20160411/ob-haskell hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-haskell
/Users/ap/.emacs.d/elpa/org-20160411/ob-gnuplot hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-gnuplot
/Users/ap/.emacs.d/elpa/org-20160411/ob-fortran hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-fortran
/Users/ap/.emacs.d/elpa/org-20160411/ob-exp hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-exp
/Users/ap/.emacs.d/elpa/org-20160411/ob-eval hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-eval
/Users/ap/.emacs.d/elpa/org-20160411/ob-emacs-lisp hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-emacs-lisp
/Users/ap/.emacs.d/elpa/org-20160411/ob-dot hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-dot
/Users/ap/.emacs.d/elpa/org-20160411/ob-ditaa hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-ditaa
/Users/ap/.emacs.d/elpa/org-20160411/ob-css hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-css
/Users/ap/.emacs.d/elpa/org-20160411/ob-core hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-core
/Users/ap/.emacs.d/elpa/org-20160411/ob-comint hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-comint
/Users/ap/.emacs.d/elpa/org-20160411/ob-clojure hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-clojure
/Users/ap/.emacs.d/elpa/org-20160411/ob-calc hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-calc
/Users/ap/.emacs.d/elpa/org-20160411/ob-C hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-C
/Users/ap/.emacs.d/elpa/org-20160411/ob-awk hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-awk
/Users/ap/.emacs.d/elpa/org-20160411/ob-asymptote hides
/Applications/Emacs.app/Contents/Resources/lisp/org/ob-asymptote
/Users/ap/.emacs.d/elpa/seq-2.15/seq hides
/Applications/Emacs.app/Contents/Resources/lisp/emacs-lisp/seq

Features:
(shadow sort emacsbug tramp-cache ediff-merg ediff-wind ediff-diff
ediff-mult ediff-help ediff-init ediff-util ediff eieio-opt speedbar
sb-image ezimage dframe em-unix em-term term ehelp em-script em-prompt
em-ls em-hist em-pred em-glob em-dirs em-cmpl em-basic em-banner
em-alias nroff-mode man log4j-mode esh-var esh-io esh-cmd esh-opt
esh-ext esh-proc esh-arg esh-groups eshell esh-module esh-mode esh-util
vc vc-dispatcher log-view grep macros mail-extr cider-apropos apropos
linum magit-blame magit-stash magit-bisect magit-remote magit-commit
magit-sequence magit magit-apply magit-wip magit-log magit-diff
smerge-mode magit-core magit-autorevert autorevert filenotify
magit-process magit-popup magit-mode magit-git crm magit-section
magit-utils git-commit log-edit pcvs-util add-log with-editor
async-bytecomp async cider-macroexpansion pulse js cc-mode cc-fonts
cc-guess cc-menus cc-cmds cc-styles cc-align cc-engine cc-vars cc-defs
url-cache restclient warnings tabify org-capture dabbrev dired-aux
face-remap reposition sql browse-url network-stream nsm starttls
misearch multi-isearch paren find-file-in-project bookmark pp view
cal-china lunar solar cal-dst cal-bahai cal-islam cal-hebrew holidays
hol-loaddefs diary-lib diary-loaddefs cal-iso disp-table org-rmail
org-mhe org-irc org-info org-gnus org-docview doc-view subr-x jka-compr
image-mode org-bibtex bibtex org-bbdb org-w3m hl-line server
color-theme-solarized solarized-definitions color-theme wid-edit
google-this clj-refactor pkg-info url-http tls gnutls url url-proxy
url-privacy url-expand url-methods url-history mailcap url-auth
url-cookie url-domsuf url-util url-gw json map lisp-mnt epl derived rx
hydra lv inflections sgml-mode edn peg cider tramp-sh cider-debug
cider-browse-ns cider-inspector cider-mode cider-interaction compile
arc-mode archive-mode cider-repl cider-resolve cider-test cider-overlays
cider-stacktrace cider-doc cider-grimoire cider-popup cider-eldoc
cider-client cider-common cider-util nrepl-client tramp tramp-compat
tramp-loaddefs trampver shell queue nrepl-dict cider-compat ewoc spinner
clojure-mode align imenu multiple-cursors-core rect paredit yasnippet cl
s whitespace-mode ob-ditaa org-timer org-table org-colview org-clock
org-attach vc-git diff-mode org-id org-element avl-tree org-archive
org-agenda org org-macro org-footnote org-pcomplete pcomplete org-list
org-faces org-entities noutline outline org-version ob-emacs-lisp ob
ob-tangle ob-ref ob-lob ob-table ob-exp org-src ob-keys ob-comint comint
ansi-color ob-core ob-eval org-compat org-macs org-loaddefs find-func
cal-menu calendar cal-loaddefs smex flx-ido flx ido winner whitespace
autoinsert bbdb-message sendmail message dired format-spec rfc822 mml
mml-sec epg mm-decode mm-bodies mm-encode mail-parse rfc2231 rfc2047
rfc2045 ietf-drums mailabbrev mail-utils gmm-utils mailheader bbdb
bbdb-site timezone ffap thingatpt url-parse auth-source gnus-util
mm-util help-fns mail-prsvr password-cache url-vars company-oddmuse
company-keywords company-etags etags xref cl-seq project eieio
eieio-core cl-macs company-gtags company-dabbrev-code company-dabbrev
company-files company-capf company-cmake company-xcode company-clang
company-semantic company-eclim company-template company-css company-nxml
company-bbdb company advice bookmark-ring ring my-kbd-map edmacro kmacro
solarized-dark-theme solarized dash use-package diminish bind-key
easy-mmode finder-inf cider-tracing-autoloads
closure-lint-mode-autoloads color-theme-autoloads
fringe-helper-autoloads lcs-autoloads shorten-autoloads
windata-autoloads info package epg-config seq byte-opt gv bytecomp
byte-compile cl-extra help-mode easymenu cconv cl-loaddefs pcase cl-lib
time-date mule-util tooltip eldoc electric uniquify ediff-hook vc-hooks
lisp-float-type mwheel ns-win ucs-normalize term/common-win tool-bar dnd
fontset image regexp-opt fringe tabulated-list newcomment elisp-mode
lisp-mode prog-mode register page menu-bar rfn-eshadow timer select
scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame
cl-generic cham georgian utf-8-lang misc-lang vietnamese tibetan thai
tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek romanian
slovak czech european ethiopic indian cyrillic chinese charscript
case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote kqueue cocoa ns
multi-tty make-network-process emacs)

Memory information:
((conses 16 1517046 206707)
 (symbols 48 58309 0)
 (miscs 40 8265 8483)
 (strings 32 229927 22382)
 (string-bytes 1 6528476)
 (vectors 16 135880)
 (vector-slots 8 3744387 160745)
 (floats 8 15254 10159)
 (intervals 56 72471 1258)
 (buffers 976 167))

-- 
 <http://www.gocatch.com>
<http://www.facebook.com/goCatch> <http://twitter.com/goCatchApp> 
<http://www.linkedin.com/company/gocatch> 
<https://www.instagram.com/gocatch/> 
<https://itunes.apple.com/au/app/gocatch/id444439909?mt=8> 
<https://play.google.com/store/apps/details?id=com.gocatchapp.goCatch&hl=en>
 
[Message part 2 (text/html, inline)]

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24490; Package emacs. (Wed, 21 Sep 2016 08:16:01 GMT) Full text and rfc822 format available.

Message #8 received at 24490 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Schwab <schwab <at> suse.de>
To: Alain Picard <alain <at> gocatch.com>
Cc: 24490 <at> debbugs.gnu.org
Subject: Re: bug#24490: 25.1;
 restclient no longer sends auth header upon redirect
Date: Wed, 21 Sep 2016 10:15:05 +0200
On Sep 21 2016, Alain Picard <alain <at> gocatch.com> wrote:

> Problem: I am using restclient.el, and hitting a server which
> issues a redirect, and I receive a 400 Forbidden response because
> the redirected call does not receive the authentication header
> (I can see this from the log of my server).

How does curl or wget handle this?

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab <at> suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24490; Package emacs. (Thu, 22 Sep 2016 00:02:02 GMT) Full text and rfc822 format available.

Message #11 received at 24490 <at> debbugs.gnu.org (full text, mbox):

From: Alain Picard <alain <at> gocatch.com>
To: Andreas Schwab <schwab <at> suse.de>
Cc: 24490 <at> debbugs.gnu.org
Subject: Re: bug#24490: 25.1;
 restclient no longer sends auth header upon redirect
Date: Thu, 22 Sep 2016 10:01:50 +1000
[Message part 1 (text/plain, inline)]
Well, curl gives you back the 303 (See Other) with
the Location header, unless you add -L (follow redirection)
in which case it reposts any original header (including Authorization) to
the new location.  i.e. "it just works".

What would be nice for restclient is a separate keystroke
which either does or does not follow the redirection; sometimes
you want to debug the initial hop.  But the default should be
to do what it does now, which is to follow; i.e. "act like a browser".

Hope this helps.

  Alain

On 21 September 2016 at 18:15, Andreas Schwab <schwab <at> suse.de> wrote:

> On Sep 21 2016, Alain Picard <alain <at> gocatch.com> wrote:
>
> > Problem: I am using restclient.el, and hitting a server which
> > issues a redirect, and I receive a 400 Forbidden response because
> > the redirected call does not receive the authentication header
> > (I can see this from the log of my server).
>
> How does curl or wget handle this?
>
> Andreas.
>
> --
> Andreas Schwab, SUSE Labs, schwab <at> suse.de
> GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
> "And now for something completely different."
>

-- 
 <http://www.gocatch.com>
<http://www.facebook.com/goCatch> <http://twitter.com/goCatchApp> 
<http://www.linkedin.com/company/gocatch> 
<https://www.instagram.com/gocatch/> 
<https://itunes.apple.com/au/app/gocatch/id444439909?mt=8> 
<https://play.google.com/store/apps/details?id=com.gocatchapp.goCatch&hl=en>
 
[Message part 2 (text/html, inline)]

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24490; Package emacs. (Tue, 06 Jul 2021 15:45:02 GMT) Full text and rfc822 format available.

Message #14 received at 24490 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Alain Picard <alain <at> gocatch.com>
Cc: 24490 <at> debbugs.gnu.org, Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Subject: Re: bug#24490: 25.1; restclient no longer sends auth header upon
 redirect
Date: Tue, 06 Jul 2021 17:44:00 +0200
Alain Picard <alain <at> gocatch.com> writes:

> Dear Maintainers,
>
> In emacs 25.1,
> the code in url-http.el, line 638, states:
>
>   ;; Do not automatically include an authorization header in the
>   ;; redirect.  If needed it will be regenerated by the relevant
>   ;; auth scheme when the new request happens.
>   (setq url-http-extra-headers
> (cl-remove "Authorization"
>    url-http-extra-headers :key 'car :test 'equal))
>
> I suspect this automatic regenration does not occur.

I think this code is basically correct -- if the auth scheme has added
something to url-http-extra-headers, then that has to be removed when
doing the redirect, because otherwise we might be sending the auth to a
completely wrong server, with the security implications of that.

> Problem: I am using restclient.el, and hitting a server which
> issues a redirect, and I receive a 400 Forbidden response because
> the redirected call does not receive the authentication header
> (I can see this from the log of my server).

I think this must be a bug in restclient.el -- it should instead use an
auth scheme that re-adds the Authorization header.

I think.  The URL interface is pretty vague here, as it is with many
other things...

Hm...

Reading

(defun url-http-create-request ()
[...]
	 (auth (if (cdr-safe (assoc "Authorization" url-http-extra-headers))
		   nil
		 (url-get-authentication (or
					  (and (boundp 'proxy-info)
					       proxy-info)
					  url-http-target-url) nil 'any nil)))

the auth is never added to `url-http-extra-headers', so perhaps that's
not correct anyway -- it should be possible for the user to put
Authorization in `url-http-extra-headers', and then have that be heeded
even over the redirect.

I've added Thomas to the CCs; perhaps he has some insights here.  (Also
see Bug#21350.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Added tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Tue, 06 Jul 2021 15:45:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24490; Package emacs. (Thu, 08 Jul 2021 21:35:02 GMT) Full text and rfc822 format available.

Message #19 received at 24490 <at> debbugs.gnu.org (full text, mbox):

From: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Alain Picard <alain <at> gocatch.com>, 24490 <at> debbugs.gnu.org
Subject: Re: bug#24490: 25.1; restclient no longer sends auth header upon
 redirect
Date: Thu, 08 Jul 2021 17:34:19 -0400
Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Alain Picard <alain <at> gocatch.com> writes:
>
>> Dear Maintainers,
>>
>> In emacs 25.1,
>> the code in url-http.el, line 638, states:
>>
>>   ;; Do not automatically include an authorization header in the
>>   ;; redirect.  If needed it will be regenerated by the relevant
>>   ;; auth scheme when the new request happens.
>>   (setq url-http-extra-headers
>> (cl-remove "Authorization"
>>    url-http-extra-headers :key 'car :test 'equal))
>>
>> I suspect this automatic regenration does not occur.
>
> I think this code is basically correct -- if the auth scheme has added
> something to url-http-extra-headers, then that has to be removed when
> doing the redirect, because otherwise we might be sending the auth to a
> completely wrong server, with the security implications of that.
>
>> Problem: I am using restclient.el, and hitting a server which
>> issues a redirect, and I receive a 400 Forbidden response because
>> the redirected call does not receive the authentication header
>> (I can see this from the log of my server).
>
> I think this must be a bug in restclient.el -- it should instead use an
> auth scheme that re-adds the Authorization header.

It looks like restclient.el uses advice to skip
url-http-handle-authentication if it (restclient) is in the middle of a
request.

Alain, to rule out that advice as being responsible, can you do:

M-: (ad-deactivate  'url-http-handle-authentication)

then try the API call again?

Thomas




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24490; Package emacs. (Wed, 14 Jul 2021 17:48:02 GMT) Full text and rfc822 format available.

Message #22 received at 24490 <at> debbugs.gnu.org (full text, mbox):

From: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Alain Picard <alain <at> gocatch.com>, 24490 <at> debbugs.gnu.org
Subject: Re: bug#24490: 25.1; restclient no longer sends auth header upon
 redirect
Date: Wed, 14 Jul 2021 13:47:36 -0400
Thomas Fitzsimmons <fitzsim <at> fitzsim.org> writes:

> Lars Ingebrigtsen <larsi <at> gnus.org> writes:
>
>> Alain Picard <alain <at> gocatch.com> writes:
>>
>>> Dear Maintainers,
>>>
>>> In emacs 25.1,
>>> the code in url-http.el, line 638, states:
>>>
>>>   ;; Do not automatically include an authorization header in the
>>>   ;; redirect.  If needed it will be regenerated by the relevant
>>>   ;; auth scheme when the new request happens.
>>>   (setq url-http-extra-headers
>>> (cl-remove "Authorization"
>>>    url-http-extra-headers :key 'car :test 'equal))
>>>
>>> I suspect this automatic regenration does not occur.
>>
>> I think this code is basically correct -- if the auth scheme has added
>> something to url-http-extra-headers, then that has to be removed when
>> doing the redirect, because otherwise we might be sending the auth to a
>> completely wrong server, with the security implications of that.
>>
>>> Problem: I am using restclient.el, and hitting a server which
>>> issues a redirect, and I receive a 400 Forbidden response because
>>> the redirected call does not receive the authentication header
>>> (I can see this from the log of my server).
>>
>> I think this must be a bug in restclient.el -- it should instead use an
>> auth scheme that re-adds the Authorization header.
>
> It looks like restclient.el uses advice to skip
> url-http-handle-authentication if it (restclient) is in the middle of a
> request.
>
> Alain, to rule out that advice as being responsible, can you do:
>
> M-: (ad-deactivate  'url-http-handle-authentication)
>
> then try the API call again?

The email to "alain <at> gocatch.com" bounced, so I think we should probably
close this bug report.

Thomas




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24490; Package emacs. (Wed, 14 Jul 2021 18:24:01 GMT) Full text and rfc822 format available.

Message #25 received at 24490 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Cc: Alain Picard <alain <at> gocatch.com>, 24490 <at> debbugs.gnu.org
Subject: Re: bug#24490: 25.1; restclient no longer sends auth header upon
 redirect
Date: Wed, 14 Jul 2021 20:23:45 +0200
Thomas Fitzsimmons <fitzsim <at> fitzsim.org> writes:

> The email to "alain <at> gocatch.com" bounced, so I think we should probably
> close this bug report.

OK; done.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug closed, send any further explanations to 24490 <at> debbugs.gnu.org and Alain Picard <alain <at> gocatch.com> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 14 Jul 2021 18:25:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 12 Aug 2021 11:24:09 GMT) Full text and rfc822 format available.

This bug report was last modified 3 years and 325 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.