GNU bug report logs - #27022
url-retrieve + .authinfo bug

Package: emacs

Reported by: Andy Wingo <wingo <at> pobox.com>

Date: Mon, 22 May 2017 18:11:02 UTC

Severity: normal

Tags: fixed

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#27022; Package emacs. (Mon, 22 May 2017 18:11:02 GMT)

Acknowledgement sent to Andy Wingo <wingo <at> pobox.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Mon, 22 May 2017 18:11:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Andy Wingo <wingo <at> pobox.com>
To: bug-emacs <at> gnu.org
Subject: url-retrieve + .authinfo bug
Date: Mon, 22 May 2017 20:09:49 +0200

Hi,

If you try to do a url-retrieve over HTTP on a URL that requires HTTP
basic authentication, and you have an .authinfo file, and that .authinfo
contains an incorrect login, then Emacs will keep appending the same
Authorization: header to the request -- over and over, making the
request larger and larger, with no stop condition.  Eventually nginx
produces a "400 Bad Request" error because there were too many headers.

Emacs should instead error after the first attempt at authentication
fails.

  $ emacs --version
  GNU Emacs 25.2.1

Andy




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#27022; Package emacs. (Fri, 26 Jul 2019 08:47:01 GMT)

Message #8 received at 27022 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Andy Wingo <wingo <at> pobox.com>
Cc: 27022 <at> debbugs.gnu.org
Subject: Re: bug#27022: url-retrieve + .authinfo bug
Date: Fri, 26 Jul 2019 10:46:40 +0200

Andy Wingo <wingo <at> pobox.com> writes:

> If you try to do a url-retrieve over HTTP on a URL that requires HTTP
> basic authentication, and you have an .authinfo file, and that .authinfo
> contains an incorrect login, then Emacs will keep appending the same
> Authorization: header to the request -- over and over, making the
> request larger and larger, with no stop condition.  Eventually nginx
> produces a "400 Bad Request" error because there were too many headers.
>
> Emacs should instead error after the first attempt at authentication
> fails.

I'm able to reproduce this with this in my .authinfo file:

machine jigsaw.w3.org:443 login guest password wrong

and then:

(url-retrieve "https://jigsaw.w3.org/HTTP/Basic/" #'ignore)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#27022; Package emacs. (Fri, 26 Jul 2019 08:57:01 GMT)

Message #11 received at 27022 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Andy Wingo <wingo <at> pobox.com>
Cc: 27022 <at> debbugs.gnu.org
Subject: Re: bug#27022: url-retrieve + .authinfo bug
Date: Fri, 26 Jul 2019 10:56:21 +0200

Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Andy Wingo <wingo <at> pobox.com> writes:
>
>> If you try to do a url-retrieve over HTTP on a URL that requires HTTP
>> basic authentication, and you have an .authinfo file, and that .authinfo
>> contains an incorrect login, then Emacs will keep appending the same
>> Authorization: header to the request -- over and over, making the
>> request larger and larger, with no stop condition.  Eventually nginx
>> produces a "400 Bad Request" error because there were too many headers.
>>
>> Emacs should instead error after the first attempt at authentication
>> fails.
>
> I'm able to reproduce this with this in my .authinfo file:
>
> machine jigsaw.w3.org:443 login guest password wrong
>
> and then:
>
> (url-retrieve "https://jigsaw.w3.org/HTTP/Basic/" #'ignore)

And this should now be fixed on the Emacs trunk.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
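
A toy model of the retry loop described in this report, added here as an illustration: it is not Emacs or url.el code and does not show how the fix on trunk was implemented. The simulated server, its limit of 100 headers, the host name and the valid credential are constructed assumptions.

```python
# Added illustration: a toy model of the retry loop, not Emacs or url.el code.
# Host, header limit and the valid credential are constructed for the example.
import base64

MAX_HEADERS = 100  # constructed stand-in for the server's header limit
BASE = [("Host", "example.test")]


def basic(user, password):
    """Authorization value for HTTP Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def server(headers, valid=basic("guest", "guest")):
    """Toy origin: 400 if too many headers, else 401 until `valid` is sent."""
    if len(headers) > MAX_HEADERS:
        return 400
    sent = [v for k, v in headers if k.lower() == "authorization"]
    return 200 if valid in sent else 401


def fetch_unbounded(stored, send=server):
    """Reported behaviour: every 401 appends the same stored credential."""
    headers, requests = list(BASE), 0
    while True:
        status = send(headers)
        requests += 1
        if status != 401:
            return status, requests, len(headers)
        headers.append(("Authorization", stored))  # request keeps growing


def fetch_bounded(stored, send=server):
    """Stop condition: a credential already tried and refused is not resent."""
    headers, requests, tried = list(BASE), 0, set()
    while True:
        status = send(headers)
        requests += 1
        if status != 401:
            return status, requests, len(headers)
        if stored in tried:
            raise PermissionError("stored credential rejected by server")
        tried.add(stored)
        headers = BASE + [("Authorization", stored)]  # replace, never append
```

With a wrong stored credential the unbounded client only stops when the toy server answers 400, while the bounded client raises after the second request.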




Added tag(s) fixed. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Fri, 26 Jul 2019 08:57:02 GMT)

Bug marked as fixed in version 27.1, send any further explanations to 27022 <at> debbugs.gnu.org and Andy Wingo <wingo <at> pobox.com>. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Fri, 26 Jul 2019 08:57:02 GMT)

Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 23 Aug 2019 11:24:05 GMT)

This bug report was last modified 4 years and 240 days ago.
