From 64b469f6ae8173116ec948ac43cd44efe4b5a221 Mon Sep 17 00:00:00 2001 From: Lars Ingebrigtsen Date: Fri, 26 Jul 2019 10:55:39 +0200 Subject: [PATCH] Don't infloop in url.el when sending invalid basic auth * lisp/url/url-http.el (url-http-handle-authentication): Bail out if the wrong credentials were passed to the server instead of inflooping (bug#27022). --- lisp/url/url-http.el | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el index 527760118d4..f7f2f3d179d 100644 --- a/lisp/url/url-http.el +++ b/lisp/url/url-http.el @@ -453,6 +453,14 @@ Return the number of characters removed." auth (strength 0)) + ;; If we're here, then we got a 40x Unauthorized response from the + ;; server. If we already have "Authorization" in the extra + ;; headers, then this means that we've already tried sending + ;; credentials to the server, and they were wrong, so just give + ;; up. + (when (assoc "Authorization" url-http-extra-headers) + (error "Wrong authorization used for %s" url)) + ;; find strongest supported auth (dolist (this-auth auths) (setq this-auth (url-eat-trailing-space -- 2.39.2