
Do not allow forwarding of authorization headers on redirect.

Open makrsmark opened this issue 2 years ago • 7 comments

There is now a flag auth_on_redirect that can be set if you need to pass authorization headers. This is similar to https://curl.se/docs/CVE-2018-1000007.html and https://nvd.nist.gov/vuln/detail/CVE-2021-31879

makrsmark avatar Oct 06 '23 20:10 makrsmark
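The behaviour the opening post proposes, shown as an added, stand-alone Ruby example (this is not Down's own code and does not use its API): a redirect-following loop that drops credential-bearing headers before the next hop unless the caller opts in with an `auth_on_redirect` keyword. The transport, host names, token and `SENSITIVE_HEADERS` list are constructed for the example so it runs offline; the log it returns records which headers each host received, which is the leak the linked curl and NVD advisories describe.

```ruby
require "uri"

# Headers that carry credentials and must not leak to a redirect target.
# (Hypothetical list for this example; not Down's own implementation.)
SENSITIVE_HEADERS = %w[authorization proxy-authorization cookie].freeze

# Returns the header set to send on the next hop of a redirect.
# Credentials are dropped by default and only kept when the caller
# opts in with auth_on_redirect: true, mirroring the flag in the issue.
def headers_for_redirect(headers, auth_on_redirect: false)
  return headers.dup if auth_on_redirect
  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.downcase) }
end

# Follows redirects through a pluggable transport so the example runs offline.
# transport.call(uri, headers) must return [status, response_headers, body].
def follow_redirects(uri, headers, transport, auth_on_redirect: false, max_redirects: 5)
  uri = URI(uri)
  max_redirects.times do
    status, response_headers, body = transport.call(uri, headers)
    redirect = (300..399).cover?(status) && response_headers["location"]
    return [uri, headers, body] unless redirect
    uri = uri + response_headers["location"] # URI#+ also resolves relative Location values
    headers = headers_for_redirect(headers, auth_on_redirect: auth_on_redirect)
  end
  raise "too many redirects"
end

# Constructed transport: the origin host redirects to a third-party host and
# every request is logged as [host, lowercased header names] so the caller
# can see exactly which headers crossed the redirect boundary.
def build_fake_transport(log)
  lambda do |uri, headers|
    log << [uri.host, headers.keys.map(&:downcase)]
    if uri.host == "origin.example"
      [302, { "location" => "https://cdn.example/file.bin" }, ""]
    else
      [200, {}, "file contents"]
    end
  end
end

# Runs one download through the fake transport and returns the request log.
def demo(auth_on_redirect: false)
  log = []
  headers = { "Authorization" => "Bearer constructed-token", "Accept" => "*/*" }
  follow_redirects("https://origin.example/download", headers,
                   build_fake_transport(log), auth_on_redirect: auth_on_redirect)
  log
end

if __FILE__ == $0
  p demo                          # second hop receives only "accept"
  p demo(auth_on_redirect: true)  # second hop also receives "authorization"
end
```

The default path is the safe one: a caller who never passes the keyword cannot leak a bearer token to whatever host the origin chooses to redirect to, while a caller who knowingly authenticates against a redirecting endpoint can still opt in.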

Having this same issue with redirects and the HTTPrb client, maybe you can update the PR to include that client?

pcriv avatar Nov 10 '23 15:11 pcriv

Which backend? From what I can tell, the net_http backend is the only one that implements redirects as part of this library. I would assume that's a bug/issue for the client library.

makrsmark avatar Nov 10 '23 18:11 makrsmark

Thanks for the pull request. It seems that this will apply only on Down::NetHttp#download but not Down::NetHttp#open. Could we add support for the latter as well? I don't remember now why these redirects implementations don't seem to share any common code.

janko avatar Nov 11 '23 06:11 janko

Sure, I'll take a crack at it

makrsmark avatar Nov 11 '23 13:11 makrsmark

@janko does the fix for HTTPrb and HTTPX need to be done here or on their respective repos?

pcriv avatar Nov 13 '23 12:11 pcriv

@janko would you mind taking another look at this PR?

makrsmark avatar Dec 01 '23 11:12 makrsmark

FWIW, httpx does this already (do try with a recent version).

HoneyryderChuck avatar May 30 '24 22:05 HoneyryderChuck