rpms/libsoup
6
0
Fork 0
Code Issues Pull Requests Releases Activity
c8s
libsoup/CVE-2025-46421.patch
Michael Catanzaro 39ca5aa4ee
Backport patches for various CVEs 
Resolves: RHEL-85887
  Resolves: RHEL-85900
  Resolves: RHEL-85901
  Resolves: RHEL-87039
  Resolves: RHEL-87094
  Resolves: RHEL-87114
  Resolves: RHEL-88348
  Resolves: RHEL-88351
2025-05-01 09:57:00 -05:00

33 lines
1.1 KiB
Diff
Raw Permalink Blame History

From 4329a7e88c72079ae3eedbb1558b929851507464 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on cross-origin
redirect
This should match the behavior of Firefox and Safari but not of Chromium.
---
libsoup/soup-session.c | 6 ++++
tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index dd3cdc46..82ca8bf9 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1187,6 +1187,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
SOUP_ENCODING_NONE);
}
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove (msg->request_headers, "Authorization");
+ soup_message_set_auth (msg, NULL);
+ }
+
soup_message_set_uri (msg, new_uri);
soup_uri_free (new_uri);
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink