Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password provided in Location header not used in redirect request #11410

Closed
lucasnetau opened this issue Jul 8, 2023 · 0 comments · Fixed by #11412
Closed

Password provided in Location header not used in redirect request #11410

lucasnetau opened this issue Jul 8, 2023 · 0 comments · Fixed by #11412
Assignees
@bagder
Labels
authentication HTTP

Comments

@lucasnetau
Copy link

I did this

curl -Lv "http://unknown:invalid@httpbin.org/redirect-to?url=http://user:pass@httpbin.org/basic-auth/user/pass"

I expected the following

{
  "authenticated": true, 
  "user": "user"
}

Curl to use the password provided in the Location: header instead of the original value. When opening the URL in Chrome the redirect occurs with the new credentials.

Curl picks up the username and sent that with the redirected request, password was kept with the original value of invalid instead of pass.

I got this

HTTP/1.1 401 UNAUTHORIZED

*   Trying 54.210.149.139:80...
* Connected to httpbin.org (54.210.149.139) port 80 (#0)
* Server auth using Basic with user 'unknown'
> GET /redirect-to?url=http://user:pass@httpbin.org/basic-auth/user/pass HTTP/1.1
> Host: httpbin.org
> Authorization: Basic dW5rbm93bjppbnZhbGlk
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 302 FOUND
< Date: Sat, 08 Jul 2023 05:51:30 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Server: gunicorn/19.9.0
< Location: http://user:pass@httpbin.org/basic-auth/user/pass"
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< 
* Connection #0 to host httpbin.org left intact
* Issue another request to this URL: 'http://user:pass@httpbin.org/basic-auth/user/pass"'
* Found bundle for host: 0x6000032ec060 [serially]
* Can not multiplex, even if we wanted to
* Re-using existing connection #0 with host httpbin.org
* Server auth using Basic with user 'user'
> GET /basic-auth/user/pass" HTTP/1.1
> Host: httpbin.org
> Authorization: Basic dXNlcjppbnZhbGlk
> User-Agent: curl/7.88.1
> Accept: */*
> 

< HTTP/1.1 401 UNAUTHORIZED
< Date: Sat, 08 Jul 2023 05:51:36 GMT
< Content-Length: 0
< Connection: keep-alive
< Server: gunicorn/19.9.0
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Fake Realm"
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< 
* Connection #0 to host httpbin.org left intact

curl/libcurl version

curl 7.88.1 (x86_64-apple-darwin22.0) libcurl/7.88.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.51.0
Release-Date: 2023-02-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets

and

curl 8.1.2 (x86_64-apple-darwin22.4.0) libcurl/8.1.2 (SecureTransport) OpenSSL/1.1.1u zlib/1.2.11 brotli/1.0.9 zstd/1.5.5 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.54.0 librtmp/2.3
Release-Date: 2023-05-30
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

operating system

Darwin iMac.local 22.5.0 Darwin Kernel Version 22.5.0: Mon Apr 24 20:51:50 PDT 2023; root:xnu-8796.121.2~5/RELEASE_X86_64 x86_64
@bagder bagder self-assigned this Jul 8, 2023
bagder added a commit that referenced this issue Jul 8, 2023
@bagder
transfer: clear credentials when redirecting to absolute URL
1c3bf66 
To make sure the user and password for the secondf request is taken from the
redirected-to URL.

The -u option only sets credentials for the specified URL, not the
redirected-to if the redirect is absolute.

Add test case 899 to verify.

Adjusted test 234.

Reported-by: James Lucas
Fixes #11410
@bagder bagder mentioned this issue Jul 8, 2023
Merged
@bagder bagder closed this as completed in dd4d1a2 Jul 9, 2023
bch pushed a commit to bch/curl that referenced this issue Jul 19, 2023
@bagder @bch
transfer: clear credentials when redirecting to absolute URL
9a5385e 
Make sure the user and password for the second request is taken from the
redirected-to URL.

Add test case 899 to verify.

Reported-by: James Lucas
Fixes curl#11410
Closes curl#11412
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
authentication HTTP
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

transfer: clear credentials when redirecting to absolute URL curl/curl
2 participants
@bagder @lucasnetau