Change #271894
| Category | wget |
| Changed by | vlefebvre <valentin.lefebvre@suse.com> |
| Changed at | Sat 20 Jun 2026 10:29:10 |
| Repository | https://gitlab.com/gnuwget/wget.git |
| Project | wget |
| Branch | master |
| Revision | 581b53633159200125bcdee697762c62449b1067 |
Comments
Drop user-provided Authorization and Cookie headers on untrusted redirections

* src/http.c: (unredirectable_headerline) check if a header line is included
  in a list of values that cannot be sent after a redirect.
* src/http.c: (get_http) Do not set user header, when location_changed,
  from unredirectable_headerline.
* src/http.h: (http_loop) Add argument location_changed.
* testenv/Makefile.am: Add new tests.
* testenv/Test-redirect-auth-cookie.py: New test file.
* testenv/Test-redirect-same-host-keep-auth-cookie.py: New test file.
* testenv/conf/update_redirect.py: New file.

Fix CVE-2021-31879.

If wget for an http URL is redirected to a different site (hostname parts of
URLs differ), then any "Authorization" and "Cookie" header entries are
discarded.

The dropping of user-provided headers is switched off by --trust-server-names.

Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Co-authored-by: Tim Rühsen <tim.ruehsen@gmx.de>
Copyright-paperwork-exempt: Yes
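The rule the commit message describes, written out as a stand-alone C example. This is not wget's code (the real change lives in src/http.c and src/http.h of the commit above); the function names `header_is_unredirectable`, `url_host`, `filter_headers_for_redirect` and the `sample_kept_*` wrappers are my own. It follows the commit's wording: only the hostname is compared (scheme, userinfo and port are ignored, case-insensitively), `Authorization` and `Cookie` are the two headers that may not cross hosts, and `--trust-server-names` switches the dropping off. Two things are assumptions of this example, not statements about wget: a Location that cannot be parsed as an absolute URL is treated as a host change (the conservative choice), and the request headers are a constructed sample with a fake credential.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Headers that must not be re-sent when a redirect leaves the original host
   (the two named in the commit message). */
static const char *const unredirectable_names[] = { "Authorization", "Cookie" };

static int ascii_lower(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }

/* Case-insensitive comparison of the first n bytes of a with NUL-terminated b. */
static bool name_equals(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i])) return false;
    return true;
}

/* True if a "Name: value" line names a header that must not cross hosts.
   Whitespace before the ':' is trimmed so "Cookie : x" still matches;
   "Cookie2" or "X-Authorization" do not, because the whole name must match. */
bool header_is_unredirectable(const char *line)
{
    size_t n = strcspn(line, ":");
    while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\t')) n--;
    for (size_t i = 0; i < sizeof unredirectable_names / sizeof *unredirectable_names; i++)
        if (name_equals(line, n, unredirectable_names[i])) return true;
    return false;
}

/* Copy the lowercased host of an absolute URL (scheme://[user@]host[:port]/...)
   into buf.  Returns false for input without "scheme://" or an over-long host;
   the caller treats that as "host changed" (an assumption of this example). */
bool url_host(const char *url, char *buf, size_t buflen)
{
    const char *p = strstr(url, "://");
    if (!p) return false;
    p += 3;
    const char *end = p + strcspn(p, "/?#");
    for (const char *q = p; q < end; q++)        /* skip userinfo, if present */
        if (*q == '@') p = q + 1;
    const char *colon = NULL;                    /* strip :port, keeping [IPv6] intact */
    if (p < end && *p == '[') {
        const char *rb = memchr(p, ']', (size_t)(end - p));
        if (rb && rb + 1 < end && rb[1] == ':') colon = rb + 1;
    } else {
        colon = memchr(p, ':', (size_t)(end - p));
    }
    if (colon) end = colon;
    size_t n = (size_t)(end - p);
    if (n == 0 || n >= buflen) return false;
    for (size_t i = 0; i < n; i++) buf[i] = (char)ascii_lower((unsigned char)p[i]);
    buf[n] = '\0';
    return true;
}

/* Decide which user headers may follow a redirect: if the hostname differs and
   --trust-server-names is not set, Authorization and Cookie are dropped;
   otherwise every header is kept.  Returns the number of headers written to out. */
size_t filter_headers_for_redirect(const char *orig_url, const char *redirect_url,
                                   bool trust_server_names,
                                   const char *const *headers, size_t nheaders,
                                   const char **out)
{
    char h1[256], h2[256];
    bool location_changed = !(url_host(orig_url, h1, sizeof h1) &&
                              url_host(redirect_url, h2, sizeof h2) &&
                              strcmp(h1, h2) == 0);
    bool drop_sensitive = location_changed && !trust_server_names;
    size_t kept = 0;
    for (size_t i = 0; i < nheaders; i++) {
        if (drop_sensitive && header_is_unredirectable(headers[i])) continue;
        out[kept++] = headers[i];
    }
    return kept;
}

/* Constructed sample of what a user might pass with --header=...; the
   credential is fake. */
static const char *const sample_headers[] = {
    "Authorization: Basic dXNlcjpwYXNz",
    "Cookie: session=abc123",
    "Accept: */*",
    "User-Agent: example-client/1.0",
};
#define N_SAMPLE (sizeof sample_headers / sizeof sample_headers[0])

/* Wrappers over the constructed sample.  sample_kept_at returns NULL past the end. */
size_t sample_kept_count(const char *orig, const char *redir, bool trust)
{
    const char *out[N_SAMPLE];
    return filter_headers_for_redirect(orig, redir, trust, sample_headers, N_SAMPLE, out);
}

const char *sample_kept_at(const char *orig, const char *redir, bool trust, size_t i)
{
    const char *out[N_SAMPLE];
    size_t n = filter_headers_for_redirect(orig, redir, trust, sample_headers, N_SAMPLE, out);
    return i < n ? out[i] : NULL;
}

int main(void)
{
    const char *from = "http://a.example/file";
    const char *to[] = { "http://evil.example/file", "http://A.EXAMPLE:80/moved", "http://evil.example/file" };
    bool trust[] = { false, false, true };
    for (size_t c = 0; c < 3; c++) {
        printf("%s -> %s (trust_server_names=%d)\n", from, to[c], trust[c]);
        for (size_t i = 0; sample_kept_at(from, to[c], trust[c], i); i++)
            printf("  send: %s\n", sample_kept_at(from, to[c], trust[c], i));
    }
    return 0;
}
```

The second case in `main` (same host, different letter case and an explicit port) is the situation covered by Test-redirect-same-host-keep-auth-cookie.py: nothing is dropped. The third shows `--trust-server-names` restoring the old behaviour on a cross-host redirect, which is exactly why that flag should only be set for servers one already trusts.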
Changed files
- src/http.c
- src/http.h
- src/retr.c
- testenv/Makefile.am
- testenv/Test-redirect-auth-cookie.py
- testenv/Test-redirect-same-host-keep-auth-cookie.py
- testenv/conf/update_redirect.py