Wget passes Authorization header cross-domain upon redirect
From: Dolev Farhi
Subject: Wget passes Authorization header cross-domain upon redirect
Date: Fri, 22 Jan 2021 23:35:50 -0500
Hi Wget team!
When making an HTTP GET request with an Authorization header, together with
the follow-redirect flag (-L), e.g.:
wget -v --header="Authorization: zzzzz==" http://1.1.1.1:8000 -L
If the remote server (1.1.1.1) redirects to 2.2.2.2:8181 (different host +
port), the Authorization header will be passed to the redirected new host
on the new port.
1. Client sends HTTP GET with Authorization header to Server1:8080
2. Server1 redirects Client to Server2:8081
3. Server2:8081 receives the Authorization header
My understanding is that if the scheme, host or port are different, then it
is a different origin and is effectively cross-origin, which means the
header shouldn't be passed on in this case and needs to be stripped?
This is reproducible in the following versions:
GNU Wget 1.21 built on MacOSX
GNU Wget 1.18 on Ubuntu
cURL apparently experienced the same issue in 2018, described here:
https://curl.se/docs/CVE-2018-1000007.html
Thanks!
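The mitigation the report asks for is an origin check before each redirect hop: compare scheme, host and port of the current URL with the Location target, and drop credential-bearing headers when any of them differs. The following is an added example of that check, written here for illustration; it is not wget's code and not part of the original message. It simulates the redirect chain with a constructed in-memory table of fake servers (the 1.1.1.1:8000 and 2.2.2.2:8181 hosts are taken from the report; the `/old` and `/new` paths and the `follow` and `headers_for_redirect` function names are my own) so it runs offline and records which headers each hop would have received.

```python
from urllib.parse import urlsplit, urljoin

# Default ports so that http://host and http://host:80 count as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that carry credentials and must not be replayed to a different origin.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True only when scheme, host and effective port all match."""
    return origin(url_a) == origin(url_b)


def headers_for_redirect(headers, from_url, to_url):
    """Headers to send to the redirect target.

    Same origin: forward everything unchanged.
    Different origin: strip credential headers so they never leak cross-origin.
    """
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


# Constructed fake servers (no network): URL -> (status, Location header or None).
# Mirrors the report: 1.1.1.1:8000 redirects to a different host and port,
# while /old -> /new is a same-origin redirect for comparison.
FAKE_SERVERS = {
    "http://1.1.1.1:8000/": (302, "http://2.2.2.2:8181/"),
    "http://2.2.2.2:8181/": (200, None),
    "http://1.1.1.1:8000/old": (301, "/new"),
    "http://1.1.1.1:8000/new": (200, None),
}


def follow(url, headers, servers, max_redirects=5):
    """Follow redirects against the fake server table.

    Returns (final_status, hops) where hops is a list of (url, headers_sent)
    so a caller can verify exactly what each server would have received.
    """
    hops = []
    current = url
    for _ in range(max_redirects + 1):
        status, location = servers[current]
        hops.append((current, dict(headers)))
        if status not in REDIRECT_STATUSES or location is None:
            return status, hops
        target = urljoin(current, location)  # Location may be relative
        headers = headers_for_redirect(headers, current, target)
        current = target
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    status, hops = follow("http://1.1.1.1:8000/", {"Authorization": "zzzzz=="}, FAKE_SERVERS)
    for hop_url, sent in hops:
        print(hop_url, "received:", sent)
```

Running the block shows the first hop receiving the Authorization header and the cross-origin hop at 2.2.2.2:8181 receiving none, while a same-origin redirect (`/old` to `/new` on the same host and port) keeps it. A client that applies `headers_for_redirect` at every hop cannot reproduce the leak described in the report, whatever the server's Location points at.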