GNU bug report logs - #37187
26.2; url-retrieve redirect lost Authorization headers


Package: emacs; Reported by: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>; dated Mon, 26 Aug 2019 00:02:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 37187 <at> debbugs.gnu.org:


From: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>
Date: Sat, 21 Sep 2019 11:27:19 +0200
Message-ID: <CAJ8YTob-QfH92fM9Sm-OwVFGB9ovBkL+yKm4uHZCMEtT2D_Rzg@HIDDEN>
Subject: Re: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
To: Lars Ingebrigtsen <larsi@HIDDEN>
Cc: Thomas Fitzsimmons <fitzsim@HIDDEN>, 37187 <at> debbugs.gnu.org

Oh alright I didn't realize emacs was prompting for credentials on
Unauthorized.

Thanks.

On Sat, Sep 21, 2019 at 10:40 AM Lars Ingebrigtsen <larsi@HIDDEN> wrote:

> Romain Ouabdelkader <romain.ouabdelkader@HIDDEN> writes:
>
> > It doesn't forward the auth on the first example I sent with flask.
> > I'm adding the header in 'url-request-extra-headers',
> > perhaps there is another way to do it.
>
> The normal way auth happens is that the server returns 401 Unauthorized
> and then the client sends the credentials...
>
> --
> (domestic pets only, the antidote for overdose, milk.)
>    bloggy blog: http://lars.ingebrigtsen.no
>





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37187; Package emacs. Full text available.

Message received at 37187 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>
Subject: Re: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 10:40:51 +0200
Cc: Thomas Fitzsimmons <fitzsim@HIDDEN>, 37187 <at> debbugs.gnu.org

Romain Ouabdelkader <romain.ouabdelkader@HIDDEN> writes:

> It doesn't forward the auth on the first example I sent with flask.
> I'm adding the header in 'url-request-extra-headers',
> perhaps there is another way to do it.

The normal way auth happens is that the server returns 401 Unauthorized
and then the client sends the credentials...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37187; Package emacs. Full text available.

Message received at 37187 <at> debbugs.gnu.org:


From: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>
Date: Sat, 21 Sep 2019 10:26:04 +0200
Message-ID: <CAJ8YToZyH+6u85gr_vNOfWZs7N1hpR3WDU_meLM9sJfKvdYR0Q@HIDDEN>
Subject: Re: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
To: Lars Ingebrigtsen <larsi@HIDDEN>
Cc: Thomas Fitzsimmons <fitzsim@HIDDEN>, 37187 <at> debbugs.gnu.org

It doesn't forward the auth on the first example I sent with flask.
I'm adding the header in 'url-request-extra-headers',
perhaps there is another way to do it.

On Sat, Sep 21, 2019 at 9:41 AM Lars Ingebrigtsen <larsi@HIDDEN> wrote:

> Romain Ouabdelkader <romain.ouabdelkader@HIDDEN> writes:
>
> > Indeed, curl does the same thing:
> > https://curl.haxx.se/docs/CVE-2018-1000007.html
> >
> > But it seems to only strip the Authorization header if the redirect is on
> > another host:
> >
> > https://github.com/curl/curl/commit/af32cd3859336ab.patch
>
> Right.  But Thomas seems to imply in Bug#21350 that url.el will
> determine when doing the redirected call whether to include auth again,
> so if that new URL requires auth, then it'll be regenerated at that
> point.
>
> Is that not the case?
>
> --
> (domestic pets only, the antidote for overdose, milk.)
>    bloggy blog: http://lars.ingebrigtsen.no
>





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37187; Package emacs. Full text available.

Message received at 37187 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>
Subject: Re: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Sat, 21 Sep 2019 09:41:22 +0200
Cc: Thomas Fitzsimmons <fitzsim@HIDDEN>, 37187 <at> debbugs.gnu.org

Romain Ouabdelkader <romain.ouabdelkader@HIDDEN> writes:

> Indeed, curl does the same thing:
> https://curl.haxx.se/docs/CVE-2018-1000007.html
>
> But it seems to only strip the Authorization header if the redirect is on 
> another host:
>
> https://github.com/curl/curl/commit/af32cd3859336ab.patch

Right.  But Thomas seems to imply in Bug#21350 that url.el will
determine when doing the redirected call whether to include auth again,
so if that new URL requires auth, then it'll be regenerated at that
point.

Is that not the case?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
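
An added example (not part of this thread and not code from Emacs or curl) contrasting the two redirect policies discussed here: dropping the Authorization header on every redirect, and dropping it only when the redirect leaves the original destination. The `my/` function names, the policy symbols, and the sample URLs and token are constructed for illustration; the example assumes the redirect target is already an absolute URL, and it treats a change of scheme or port as a different destination, which is stricter than the host-only comparison mentioned above.

```elisp
;; Added example: decide which extra headers may follow a redirect.
;; All my/ names are hypothetical; HEADERS uses the same alist shape
;; as `url-request-extra-headers'.
(require 'cl-lib)
(require 'url-parse)

(defun my/url-origin (url-string)
  "Return (SCHEME HOST PORT) for the absolute URL-STRING.
Scheme and host are case-folded; `url-port' supplies the scheme's
default port when the URL names none."
  (let ((u (url-generic-parse-url url-string)))
    (list (downcase (or (url-type u) ""))
          (downcase (or (url-host u) ""))
          (url-port u))))

(defun my/same-origin-p (from to)
  "Non-nil if FROM and TO share scheme, host and port."
  (equal (my/url-origin from) (my/url-origin to)))

(defun my/strip-header (name headers)
  "Return HEADERS without any entry named NAME.
HTTP header names are case-insensitive, so compare case-folded."
  (cl-remove-if (lambda (h)
                  (string= (downcase (car h)) (downcase name)))
                headers))

(defun my/headers-for-redirect (from to headers policy)
  "Return the extra headers to send when following a redirect FROM -> TO.
POLICY is one of:
  `always-strip'      drop Authorization on every redirect, as in the
                      url-http.el snippet quoted in this thread;
  `cross-origin-only' keep Authorization only while the redirect stays
                      on the same scheme, host and port."
  (pcase policy
    ('always-strip
     (my/strip-header "Authorization" headers))
    ('cross-origin-only
     (if (my/same-origin-p from to)
         headers
       (my/strip-header "Authorization" headers)))
    (_ (error "Unknown redirect policy: %S" policy))))

;; Constructed sample input: one caller-supplied credential header and
;; four redirect targets (same origin, other host, scheme downgrade,
;; same origin written with different case and an explicit port).
(let ((from "https://api.example.test/v1/item")
      (headers '(("Authorization" . "Bearer EXAMPLE-TOKEN")
                 ("Accept" . "application/json"))))
  (dolist (to '("https://api.example.test/v2/item"
                "https://cdn.example.test/v2/item"
                "http://api.example.test/v2/item"
                "https://API.example.test:443/v2/item"))
    (message "%-40s always-strip=%S cross-origin-only=%S"
             to
             (mapcar #'car
                     (my/headers-for-redirect from to headers 'always-strip))
             (mapcar #'car
                     (my/headers-for-redirect from to headers
                                              'cross-origin-only)))))
```

Evaluating the final form logs, for each target, which header names would be sent under each policy; only the cross-origin-only policy distinguishes the same-origin targets from the others.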




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37187; Package emacs. Full text available.

Message received at 37187 <at> debbugs.gnu.org:


From: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>
Date: Sat, 21 Sep 2019 02:01:24 +0200
Message-ID: <CAJ8YToYw9iDOUXXZoh2K9VG1+nEPNjLCi_MwC0kSzUd5Er-fUg@HIDDEN>
Subject: Re: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
To: Lars Ingebrigtsen <larsi@HIDDEN>
Cc: Thomas Fitzsimmons <fitzsim@HIDDEN>, 37187 <at> debbugs.gnu.org

Indeed, curl does the same thing:
https://curl.haxx.se/docs/CVE-2018-1000007.html

But it seems to only strip the Authorization header if the redirect is on
another host:

https://github.com/curl/curl/commit/af32cd3859336ab.patch

On Fri, Sep 20, 2019 at 10:36 PM Lars Ingebrigtsen <larsi@HIDDEN> wrote:

> Romain Ouabdelkader <romain.ouabdelkader@HIDDEN> writes:
>
> > I have an issue with the 'url-retrieve' function:
> > If the target url returns a redirect, the 'Authorization' header is not
> > sent on the redirect url.
>
> This is apparently on purpose:
>
>            ;; Do not automatically include an authorization header in the
>            ;; redirect.  If needed it will be regenerated by the relevant
>            ;; auth scheme when the new request happens.
>            (setq url-http-extra-headers
>                  (cl-remove "Authorization"
>                             url-http-extra-headers :key 'car :test 'equal))
>
> It's from this patch:
>
> commit 325200ac1dcf5bed6918ea827d8a48d89487e083
> Author: Thomas Fitzsimmons <fitzsim@HIDDEN>
> Date:   Wed Sep 23 01:45:29 2015 -0400
>
>     Do not include authorization header in an HTTP redirect
>
>     * lisp/url/url-http.el (url-http-parse-headers): Do not
>     automatically include Authorization header in redirect.
>     (Bug#21350)
>
> And I think that makes sense -- when there's a redirect, the domain may
> be new, and the auth should perhaps not be sent there.
>
> I've had a look at the standards, but I can't see that they say anything
> about this, so I think that perhaps this works as it's supposed to.  But
> I haven't checked what Firefox does, for instance.
>
> --
> (domestic pets only, the antidote for overdose, milk.)
>    bloggy blog: http://lars.ingebrigtsen.no
>





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37187; Package emacs. Full text available.

Message received at 37187 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>
Subject: Re: bug#37187: 26.2; url-retrieve redirect lost Authorization headers
Date: Fri, 20 Sep 2019 22:36:18 +0200
Cc: Thomas Fitzsimmons <fitzsim@HIDDEN>, 37187 <at> debbugs.gnu.org

Romain Ouabdelkader <romain.ouabdelkader@HIDDEN> writes:

> I have an issue with the 'url-retrieve' function:
> If the target url returns a redirect, the 'Authorization' header is not
> sent on the redirect url.

This is apparently on purpose:

	   ;; Do not automatically include an authorization header in the
	   ;; redirect.  If needed it will be regenerated by the relevant
	   ;; auth scheme when the new request happens.
	   (setq url-http-extra-headers
		 (cl-remove "Authorization"
			    url-http-extra-headers :key 'car :test 'equal))

It's from this patch:

commit 325200ac1dcf5bed6918ea827d8a48d89487e083
Author: Thomas Fitzsimmons <fitzsim@HIDDEN>
Date:   Wed Sep 23 01:45:29 2015 -0400

    Do not include authorization header in an HTTP redirect
    
    * lisp/url/url-http.el (url-http-parse-headers): Do not
    automatically include Authorization header in redirect.
    (Bug#21350)

And I think that makes sense -- when there's a redirect, the domain may
be new, and the auth should perhaps not be sent there.

I've had a look at the standards, but I can't see that they say anything
about this, so I think that perhaps this works as it's supposed to.  But
I haven't checked what Firefox does, for instance.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
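
Added example, not part of the thread and not Emacs code: a Python sketch of the trade-off discussed above, keeping Authorization only when the redirect stays on the same origin (scheme, host, port) and dropping it otherwise. The function names, the policy and the example.test hosts are assumptions made for illustration; the url-http.el snippet quoted above removes the header on every redirect.

```python
"""Origin-aware handling of Authorization on HTTP redirects (illustrative)."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the two request headers from the bug report.
SAMPLE_HEADERS = [
    ("Authorization", "Basic YWxhZGRpbjpvcGVuc2VzYW1l"),
    ("X-ExampleHeader", "foo"),
]


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def strip_authorization(headers):
    """Drop Authorization; header names are case-insensitive in HTTP."""
    return [(k, v) for k, v in headers if k.lower() != "authorization"]


def headers_for_redirect(request_url, location, headers):
    """Return (target_url, headers) for the request that follows a redirect.

    Hypothetical policy: forward Authorization only if the target has the
    same origin as the original request; otherwise remove it.
    """
    target = urljoin(request_url, location)  # Location may be relative
    if origin(target) == origin(request_url):
        return target, list(headers)
    return target, strip_authorization(headers)


if __name__ == "__main__":
    cases = [  # constructed (request URL, Location header) pairs
        ("http://localhost:5000/a", "http://localhost:5000/b"),
        ("http://localhost:5000/a", "/b"),
        ("http://localhost:5000/a", "http://localhost:8080/b"),
        ("https://api.example.test/a", "https://api.example.test:443/b"),
        ("https://api.example.test/a", "http://api.example.test/b"),
        ("https://api.example.test/a", "https://cdn.example.test/b"),
    ]
    for url, location in cases:
        target, sent = headers_for_redirect(url, location, SAMPLE_HEADERS)
        kept = any(k.lower() == "authorization" for k, _ in sent)
        print(f"{url} -> {target}: Authorization {'kept' if kept else 'dropped'}")
```

Under this policy the redirect from the report (/a to /b on localhost:5000) keeps the header, while a change of host, port or scheme drops it.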




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37187; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>
Date: Mon, 26 Aug 2019 00:08:35 +0200
Message-ID: <CAJ8YToZhdbiRPrpBT=MeTZO6Eu2v5+mFL3Z10T6E7Er5bdn=rQ@HIDDEN>
Subject: 26.2; url-retrieve redirect lost Authorization headers
To: bug-gnu-emacs@HIDDEN

Hello,

I have an issue with the 'url-retrieve' function:
If the target url returns a redirect, the 'Authorization' header is not
sent on the redirect url.

Example:

List of endpoints:

http://localhost/a: 308 redirect to http://localhost/b
http://localhost/b: display all received headers

I will be using 'url-retrieve' on url 'http://localhost/a' with headers:

Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
X-ExampleHeader: foo

The response shows 'X-ExampleHeader' but not 'Authorization'.
Is there a way to forward 'Authorization' as well?

Here is a code sample:

(let ((url-request-extra-headers '(("Authorization" . "Basic YWxhZGRpbjpvcGVuc2VzYW1l")
                                   ("X-ExampleHeader" . "foo"))))
  (url-retrieve "http://localhost:5000/a"
                (lambda (status)
                  (display-buffer (current-buffer) t))))

Server in Python with flask (pip install flask):

from flask import Flask, redirect, request, jsonify

app = Flask(__name__)

@app.route('/a')
def a():
    return redirect("http://localhost:5000/b", code=308)

@app.route('/b')
def b():
    return jsonify(dict(request.headers))

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

In GNU Emacs 26.2 (build 1, x86_64-apple-darwin18.2.0, NS appkit-1671.20
Version 10.14.3 (Build 18D109))
 of 2019-04-13 built on builder10-14.porkrind.org
Windowing system distributor 'Apple', version 10.3.1671
Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Mark set
user-error: Beginning of history; no preceding item
Contacting host: localhost:8080
Undo!
Making completion list... [2 times]

Configured using:
 'configure --with-ns '--enable-locallisppath=/Library/Application
 Support/Emacs/${version}/site-lisp:/Library/Application
 Support/Emacs/site-lisp' --with-modules'

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES THREADS

Important settings:
  value of $LC_CTYPE: UTF-8
  value of $LANG: en_FR.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.






Acknowledgement sent to Romain Ouabdelkader <romain.ouabdelkader@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#37187; Package emacs. Full text available.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC
