Skip to content

Do not allow forwarding of authorization headers on redirect.#89

Merged
janko merged 4 commits into
janko:masterfrom
makrsmark:auth-on-redirect
Feb 19, 2026
Merged

Do not allow forwarding of authorization headers on redirect.#89
janko merged 4 commits into
janko:masterfrom
makrsmark:auth-on-redirect

Conversation

@makrsmark

Copy link
Copy Markdown
Contributor

There is now a flag auth_on_redirect that can be set if you need to pass authorization headers. This is similar to
https://curl.se/docs/CVE-2018-1000007.html
and
https://nvd.nist.gov/vuln/detail/CVE-2021-31879

There is now a flag `auth_on_redirect` that can be set if you need to pass authorization headers.
This is similar to
https://curl.se/docs/CVE-2018-1000007.html
and
https://nvd.nist.gov/vuln/detail/CVE-2021-31879
@pcriv

pcriv commented Nov 10, 2023

Copy link
Copy Markdown

Having this same issue with redirects and the HTTPrb client, maybe you can update the PR to include that client?

@makrsmark

Copy link
Copy Markdown
Contributor Author

which backend? from what i can tell the net_http backend is the only one that implements redirects as part of this library. I would assume that's a bug/issue for the client library

@janko

janko commented Nov 11, 2023

Copy link
Copy Markdown
Owner

Thanks for the pull request. It seems that this will apply only on Down::NetHttp#download but not Down::NetHttp#open. Could we add support for the latter as well? I don't remember now why these redirects implementations don't seem to share any common code.

@makrsmark

Copy link
Copy Markdown
Contributor Author

Sure, I'll take a crack at it

@pcriv

pcriv commented Nov 13, 2023

Copy link
Copy Markdown

@janko does the fix for HTTPrb and HTTPX need to be done here or on their respective repos?

Comment thread lib/down/net_http.rb Outdated
Comment on lines +241 to +242
uri.user = nil unless auth_on_redirect
uri.password = nil unless auth_on_redirect

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do i need this? or asked another way, should credentials stay when it's a relative redirect?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

going to remove if it's not a relative redirect

Comment thread lib/down/net_http.rb

# do not leak credentials on redirect
options.delete("Authorization") unless auth_on_redirect
options.delete(:http_basic_authentication) unless auth_on_redirect

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same question in a different place - should there be some logic to keep the creds if it's a relative redirect?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's not a good way to preserve on a relative redirect - i can check to see if the host is the same, but that doesn't help from a test perspective. for now, i'm keping the logic as-is.

… works for #open as #download does not have the same informtion
@makrsmark

Copy link
Copy Markdown
Contributor Author

@janko would you mind taking another look at this pr?

@HoneyryderChuck

Copy link
Copy Markdown
Contributor

Fwiw httpx does this already (do try with a recent version).

@janko

janko commented Feb 19, 2026

Copy link
Copy Markdown
Owner

Looks good, thanks! Sorry it took forever to get merged 😅

@janko

janko commented Feb 19, 2026

Copy link
Copy Markdown
Owner

@makrsmark Hmm, there seem to be syntax errors even on newer Rubies. I don't mind supporting only Ruby 3.0+ starting from next release, so no need to worry about compatibility with older rubies.

@janko

janko commented Feb 19, 2026

Copy link
Copy Markdown
Owner

I see it's actually passing on Ruby 3.1+. All good then 🙂

@janko janko merged commit 094d7ff into janko:master Feb 19, 2026
0 of 10 checks passed
@makrsmark

makrsmark commented Feb 19, 2026

Copy link
Copy Markdown
Contributor Author

@janko -syntax can be reverted to support older rubies, that was on me. I see some test failures that seem unrelated to my changes

  1) Failure:
Down::Httpx::#open#test_0011_closes the response body when content has been read [test/httpx_test.rb:260]:
not all expectations were satisfied
unsatisfied expectations:
- expected exactly once, invoked never: #<AnyInstance:HTTPX::Response::Body>.close(any_parameters)


  2) Error:
Down::Httpx::#open#test_0002_follows redirects:
Down::TooManyRedirects: too many redirects
    lib/down/httpx.rb:143:in `response_error!'
    lib/down/httpx.rb:116:in `request'
    lib/down/httpx.rb:88:in `open'
    lib/down/backend.rb:17:in `open'
    test/httpx_test.rb:190:in `block (3 levels) in <top (required)>'

  3) Failure:
Down::Httpx::#open#test_0014_raises on HTTP error responses [test/httpx_test.rb:280]:
Expected #<#<Class:0x0000000cb9419680>:2340> to be an instance of HTTPX::StreamResponse, not #<Class:0x0000000cb9419680>.

  4) Failure:
Down::Httpx::#open#test_0017_re-raises timeout errors [test/httpx_test.rb:304]:
Down::TimeoutError expected but nothing was raised.

  5) Failure:
Down::Httpx::#open#test_0012_closes the body on IO close [test/httpx_test.rb:266]:
not all expectations were satisfied
unsatisfied expectations:
- expected exactly once, invoked never: #<AnyInstance:HTTPX::Response::Body>.close(any_parameters)


  6) Failure:
Down::Httpx::#open#test_0006_saves response data [test/httpx_test.rb:235]:
Expected #<#<Class:0x0000000cb95ef9f0>:2360> to be an instance of HTTPX::StreamResponse, not #<Class:0x0000000cb95ef9f0>.

260 runs, 538 assertions, 5 failures, 1 errors, 0 skips

trying to fix here - #102

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants