[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Wget passes Authorization header cross-domain upon redirect
|
From: |
Dolev Farhi |
|
Subject: |
Re: Wget passes Authorization header cross-domain upon redirect |
|
Date: |
Thu, 4 Feb 2021 11:39:19 -0500 |
hi team,
Is this mailing list the right address for these issues?
On Fri, Jan 22, 2021 at 11:35 PM Dolev Farhi <dfarhi@wealthsimple.com>
wrote:
> hi Wget team!
>
> When making an HTTP GET request with Authorization header, together with
> the follow redirect flag (-L), e.g.:
>
> wget -v --header="Authorization: zzzzz==" http://1.1.1.1:8000 -L
>
> If the remote server (1.1.1.1) redirects to 2.2.2.2:8181 (different host
> + port), the Authorization header will be passed to the redirected new host
> on the new port.
>
> 1. Client sends HTTP GET with Authorization header to Server1:8080
> 2. Server1 redirects Client to Server2:8081
> 3. Server2:8081 receives the Authorization header
>
> My understanding is, if the scheme, host or port are different, then it
> makes a different origin, and is effectively cross origin. Which means the
> Header shouldn't be passed on in this case, and needs to be stripped?
>
> This is reproducible in the following versions:
>
> GNU Wget 1.21 built on MacOSX
> GNU Wget 1.18 on Ubuntu
>
> cURL apparently experienced the same issue in 2018, described here:
> https://curl.se/docs/CVE-2018-1000007.html
>
> Thanks!
>
>
>
--
Dolev Farhi
Principal Security Engineer | Wealthsimple
www.wealthsimple.com
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Wget passes Authorization header cross-domain upon redirect,
Dolev Farhi <=