
Fix: thirdparty site authorization header leak #386

Closed

wants to merge 1 commit into from

Conversation

ranjit-git

@ranjit-git ranjit-git commented Jan 12, 2022

bug reported to https://huntr.dev/bounties/03ac704d-6ccf-4d4b-bed3-f123f4e31dcd/
When accessing a URL with an Authorization header, if a Location redirect header with a different host is received, needle will follow this redirect and also send the Authorization header to this third-party redirect URL.
You must prevent this Authorization header leak.
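The behaviour the report describes, written out as a defensive check: an added example in plain Node.js, not needle's own code and not part of this PR. It resolves the Location header against the URL that was just requested, compares the two hosts, and drops the Authorization header when the redirect target's host differs. The function names, the header list and the sample URLs are assumptions constructed for this example.

```javascript
// Added example (not needle's code): decide which request headers may
// accompany a redirect. Authorization is dropped whenever the resolved
// Location points at a different host than the request that produced it.

// Header names that must never travel to a different host. Constructed list;
// the report concerns Authorization specifically.
const SENSITIVE_HEADERS = ['authorization'];

// Location may be relative ("/other") or absolute; resolve it against the
// URL that returned the redirect, as a browser or HTTP client would.
function resolveRedirect(currentUrl, locationHeader) {
  return new URL(locationHeader, currentUrl);
}

// Returns the target URL, the headers that may be sent to it, and the
// names of any headers that were stripped (useful for logging).
function headersForRedirect(currentUrl, locationHeader, headers) {
  const from = new URL(currentUrl);
  const to = resolveRedirect(currentUrl, locationHeader);
  // URL.host is hostname plus non-default port, already lower-cased by the parser.
  const sameHost = from.host === to.host;

  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (!sameHost && SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    kept[name] = value;
  }
  return { url: to.href, headers: kept, dropped };
}

// Constructed sample: a request carrying a bearer token is answered with a
// 302 to a third-party host. The token must not follow the redirect.
const sample = headersForRedirect(
  'https://api.example.test/v1/resource',
  'https://cdn.third-party.test/file',
  { Authorization: 'Bearer <token>', Accept: 'application/json' }
);
console.log(sample);

module.exports = { headersForRedirect, resolveRedirect, SENSITIVE_HEADERS };
```

A same-host redirect (for example a relative Location such as `/v1/other`) keeps the Authorization header, so the check only interferes with the cross-host case the report is about.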

@ranjit-git
Author

security fix for #385

@tomas
Owner

tomas commented Apr 7, 2022

Fixed in #387

@tomas tomas closed this Apr 7, 2022
@ranjit-git
Author

@tomas Happy to secure open-source projects.
Can you please mark the report as valid at https://huntr.dev/bounties/03ac704d-6ccf-4d4b-bed3-f123f4e31dcd/ so that the huntr team can assign a bounty for this report; this will help us disclose more security bugs to open-source projects responsibly.
Let me know if you have any issue viewing the report.
Thanks again

@tomas
Owner

tomas commented Apr 7, 2022

Thank you for the report, but please don't force me to sign up for your service (looks great though). Feel free to mark as resolved on your end!

@ranjit-git
Author

@tomas no problem.
As I am the reporter I can't resolve the report myself, but I will ask an admin to look into this and will reference this patch commit hash.

Thanks again and sorry for the inconvenience

@tomas
Owner

tomas commented Apr 7, 2022

Great, thanks

@SxLiuYu

SxLiuYu commented Apr 8, 2022

Fixed in #387

Hello, I tested needle 3.0.0 and 3.1.0, and this problem still exists!

@tomas
Owner

tomas commented Apr 8, 2022

That's weird. If so, please open a new issue with an example snippet so I can reproduce it.

Repository owner locked as resolved and limited conversation to collaborators Apr 8, 2022