emacs-bug-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debbugs-tracker] bug#21350: closed (25.0.50; Do not automatically inclu

From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#21350: closed (25.0.50; Do not automatically include authorization header in HTTP redirects)
Date: Wed, 23 Sep 2015 06:10:01 +0000 
Your message dated Wed, 23 Sep 2015 02:09:32 -0400
with message-id <address@hidden>
and subject line Re: bug#21350: 25.0.50; Do not automatically include 
authorization header in HTTP redirects
has caused the debbugs.gnu.org bug report #21350,
regarding 25.0.50; Do not automatically include authorization header in HTTP 
redirects
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
21350: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=21350
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message --- Subject: 25.0.50; Do not automatically include authorization header in HTTP redirects Date: Tue, 25 Aug 2015 22:37:46 -0400 User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux) 
Hi,

This patch is required for url-http-ntlm.el to handle redirects.  I'd
like someone more familiar with url-http.el to review it.  Basically,
this patch leaves it up to the authentication scheme to decide whether
to include an "Authorization" across a redirect or not.

I tested this on normal redirects (independent of url-http-ntlm.el) and
it seems to work fine, with the built-in Basic authorization scheme
re-adding the header where required.

Thanks,
Thomas

Attachment: 0001-Do-not-include-authorization-header-in-an-HTTP-redir.patch
Description: Text Data


--- End Message ---
--- Begin Message --- Subject: Re: bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects Date: Wed, 23 Sep 2015 02:09:32 -0400 User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux) 
Stefan Monnier <address@hidden> writes:

>> Here's the updated patch that I tested.  Does it look OK stylistically?
>
> Yes, but you need to change the beginning of the file so cl-lib is not
> only require when compiling but also at run-time (since cl-remove is
> not a macro but a function).

OK, I pushed the patch.  Thanks for reviewing.

I had hoped to publish a Docker image that would allow testing the
various authorization schemes across redirects, but configuring a server
to authenticate with NTLM using Free Software proved too difficult.  I
did test against a proprietary NTLM implementation, and against the two
built-in auth schemes as well.  The results were:

   |          Authenticated Redirect          |
   |-------------+---------------+------------|
   | Auth Scheme | Without Patch | With Patch |
   |-------------+---------------+------------|
   | Basic       | Works         | Works      |
   | Digest      | Fails         | Fails      |
   | NTLM        | Fails         | Works      |

I'm not sure what's wrong with the digest scheme (Firefox works), but
this patch doesn't make digest redirects worse.

Thomas

--- End Message ---
reply via email to
[Prev in Thread] Current Thread [Next in Thread]