Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not allow forwarding of authorization headers on redirect. #89

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Do not allow forwarding of authorization headers on redirect. #89

wants to merge 3 commits into from

Conversation

makrsmark
Copy link

There is now a flag auth_on_redirect that can be set if you need to pass authorization headers. This is similar to
https://curl.se/docs/CVE-2018-1000007.html
and
https://nvd.nist.gov/vuln/detail/CVE-2021-31879

@makrsmark
Do not allow forwarding of authorization headers on redirect.
346779b 
There is now a flag `auth_on_redirect` that can be set if you need to pass authorization headers.
This is similar to
https://curl.se/docs/CVE-2018-1000007.html
and
https://nvd.nist.gov/vuln/detail/CVE-2021-31879
@pcriv
Copy link

pcriv commented Nov 10, 2023

Having this same issue with redirects and the HTTPrb client, maybe you can update the PR to include that client?

@makrsmark
Copy link
Author

which backend? from what i can tell the net_http backend is the only one that implements redirects as part of this library. I would assume that's a bug/issue for the client library

@janko
Copy link
Owner

janko commented Nov 11, 2023

Thanks for the pull request. It seems that this will apply only on Down::NetHttp#download but not Down::NetHttp#open. Could we add support for the latter as well? I don't remember now why these redirects implementations don't seem to share any common code.

@makrsmark
Copy link
Author

Sure, I'll take a crack at it

@pcriv
Copy link

pcriv commented Nov 13, 2023

@janko does the fix for HTTPrb and HTTPX need to be done here or on their respective repos?

makrsmark
makrsmark commented Nov 13, 2023
View reviewed changes
lib/down/net_http.rb Outdated
Comment on lines 241 to 242
uri.user = nil unless auth_on_redirect
uri.password = nil unless auth_on_redirect
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do i need this? or asked another way, should credentials stay when it's a relative redirect?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

going to remove if it's not a relative redirect

makrsmark
makrsmark commented Nov 13, 2023
View reviewed changes
lib/down/net_http.rb
@@ -155,6 +157,10 @@ def open_uri(uri, options, follows_remaining:)
raise ResponseError.new("Invalid Redirect URI: #{exception.uri}", response: response)
end

# do not leak credentials on redirect
options.delete("Authorization") unless auth_on_redirect
options.delete(:http_basic_authentication) unless auth_on_redirect
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same question in a different place - should there be some logic to keep the creds if it's a relative redirect?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's not a good way to preserve on a relative redirect - i can check to see if the host is the same, but that doesn't help from a test perspective. for now, i'm keping the logic as-is.

@makrsmark
allow keeping BasicAuth credentials for relative redirects. This only…
00010c9 
… works for #open as #download does not have the same informtion
@makrsmark
Copy link
Author

@janko would you mind taking another look at this pr?

@HoneyryderChuck
Copy link
Contributor

Fwiw httpx does this already (do try with a recent version).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@makrsmark @pcriv @janko @HoneyryderChuck