hi Wget team! When making an HTTP GET request with Authorization header, together with the follow redirect flag (-L), e.g.:
wget -v --header="Authorization: zzzzz==" http://1.1.1.1:8000 -L If the remote server (1.1.1.1) redirects to 2.2.2.2:8181 (different host + port), the Authorization header will be passed to the redirected new host on the new port. 1. Client sends HTTP GET with Authorization header to Server1:8080 2. Server1 redirects Client to Server2:8081 3. Server2:8081 receives the Authorization header My understanding is, if the scheme, host or port are different, then it makes a different origin, and is effectively cross origin. Which means the Header shouldn't be passed on in this case, and needs to be stripped? This is reproducible in the following versions: GNU Wget 1.21 built on MacOSX GNU Wget 1.18 on Ubuntu cURL apparently experienced the same issue in 2018, described here: https://curl.se/docs/CVE-2018-1000007.html Thanks!
