[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#21350: 25.0.50; Do not automatically include authorization header in
|
From: |
Thomas Fitzsimmons |
|
Subject: |
bug#21350: 25.0.50; Do not automatically include authorization header in HTTP redirects |
|
Date: |
Wed, 23 Sep 2015 02:09:32 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux) |
Stefan Monnier <monnier@iro.umontreal.ca> writes:
>> Here's the updated patch that I tested. Does it look OK stylistically?
>
> Yes, but you need to change the beginning of the file so cl-lib is not
> only require when compiling but also at run-time (since cl-remove is
> not a macro but a function).
OK, I pushed the patch. Thanks for reviewing.
I had hoped to publish a Docker image that would allow testing the
various authorization schemes across redirects, but configuring a server
to authenticate with NTLM using Free Software proved too difficult. I
did test against a proprietary NTLM implementation, and against the two
built-in auth schemes as well. The results were:
| Authenticated Redirect |
|-------------+---------------+------------|
| Auth Scheme | Without Patch | With Patch |
|-------------+---------------+------------|
| Basic | Works | Works |
| Digest | Fails | Fails |
| NTLM | Fails | Works |
I'm not sure what's wrong with the digest scheme (Firefox works), but
this patch doesn't make digest redirects worse.
Thomas