From: Thomas Fitzsimmons Date: Wed, 23 Sep 2015 05:45:29 +0000 (-0400) Subject: Do not include authorization header in an HTTP redirect X-Git-Tag: emacs-25.0.90~1224^2~38 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=325200ac1dcf5bed6918ea827d8a48d89487e083;p=emacs.git Do not include authorization header in an HTTP redirect * lisp/url/url-http.el (url-http-parse-headers): Do not automatically include Authorization header in redirect. (Bug#21350) --- diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el index 6a7d8e2c947..7367a1eb3e9 100644 --- a/lisp/url/url-http.el +++ b/lisp/url/url-http.el @@ -25,8 +25,8 @@ ;;; Code: +(require 'cl-lib) (eval-when-compile - (require 'cl-lib) (require 'subr-x)) (defvar url-callback-arguments) @@ -646,6 +646,12 @@ should be shown to the user." ;; compute the redirection relative to the URL of the proxy. (setq redirect-uri (url-expand-file-name redirect-uri url-http-target-url))) + ;; Do not automatically include an authorization header in the + ;; redirect. If needed it will be regenerated by the relevant + ;; auth scheme when the new request happens. + (setq url-http-extra-headers + (cl-remove "Authorization" + url-http-extra-headers :key 'car :test 'equal)) (let ((url-request-method url-http-method) (url-request-data url-http-data) (url-request-extra-headers url-http-extra-headers))
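Review bot: in the first hunk, moving (require 'cl-lib) out of eval-when-compile makes url-http load cl-lib at run time, and the commit message does not mention this. The run-time require is needed because cl-remove, used in the second hunk, is a function rather than a macro. Either note the change in the log entry for lisp/url/url-http.el, or filter the alist with a plain loop so that cl-lib can remain a compile-time dependency.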
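Review bot: the cl-remove call in the second hunk compares the header name with :test 'equal against the literal "Authorization", which is case-sensitive, whereas HTTP header names are case-insensitive. An entry stored in url-http-extra-headers as "authorization" or "AUTHORIZATION" would not be removed and would still be copied into url-request-extra-headers for the redirected request. Consider matching on the downcased key instead, for example cl-remove-if with a predicate such as (string= (downcase (car h)) "authorization"). The new comment could also state why the header is dropped (the redirect target may be a different host than the one the credentials were meant for), so that the removal is not later relaxed by mistake.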