From: Lars Ingebrigtsen <larsi@gnus.org>
Date: Fri, 26 Jul 2019 08:55:39 +0000 (+0200)
Subject: Don't infloop in url.el when sending invalid basic auth
X-Git-Tag: emacs-27.0.90~1817^2~111
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=64b469f6ae8173116ec948ac43cd44efe4b5a221;p=emacs.git

Don't infloop in url.el when sending invalid basic auth

* lisp/url/url-http.el (url-http-handle-authentication): Bail out
if the wrong credentials were passed to the server instead of
inflooping (bug#27022).
---

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 527760118d4..f7f2f3d179d 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -453,6 +453,14 @@ Return the number of characters removed."
 	auth
 	(strength 0))
 
+    ;; If we're here, then we got a 40x Unauthorized response from the
+    ;; server.  If we already have "Authorization" in the extra
+    ;; headers, then this means that we've already tried sending
+    ;; credentials to the server, and they were wrong, so just give
+    ;; up.
+    (when (assoc "Authorization" url-http-extra-headers)
+      (error "Wrong authorization used for %s" url))
+
     ;; find strongest supported auth
     (dolist (this-auth auths)
       (setq this-auth (url-eat-trailing-space