hi team, Is this mailing list the right address for these issues?
On Fri, Jan 22, 2021 at 11:35 PM Dolev Farhi <[email protected]> wrote:
> hi Wget team!
>
> When making an HTTP GET request with Authorization header, together with
> the follow redirect flag (-L), e.g.:
>
> wget -v --header="Authorization: zzzzz==" http://1.1.1.1:8000 -L
>
> If the remote server (1.1.1.1) redirects to 2.2.2.2:8181 (different host
> + port), the Authorization header will be passed to the redirected new host
> on the new port.
>
> 1. Client sends HTTP GET with Authorization header to Server1:8080
> 2. Server1 redirects Client to Server2:8081
> 3. Server2:8081 receives the Authorization header
>
> My understanding is, if the scheme, host or port are different, then it
> makes a different origin, and is effectively cross origin. Which means the
> Header shouldn't be passed on in this case, and needs to be stripped?
>
> This is reproducible in the following versions:
>
> GNU Wget 1.21 built on MacOSX
> GNU Wget 1.18 on Ubuntu
>
> cURL apparently experienced the same issue in 2018, described here:
> https://curl.se/docs/CVE-2018-1000007.html
>
> Thanks!
>
>
> --
> Dolev Farhi
> Principal Security Engineer | Wealthsimple
> www.wealthsimple.com
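
The origin rule the report relies on (a change of scheme, host or port makes the redirect target a different origin, so the Authorization header should be dropped before following it) is easy to get wrong when default ports are implied. The following is an added illustration, not code from wget or curl: a pure origin comparison, a header filter built on it, and a `urllib` redirect handler that applies the filter, since the stock `HTTPRedirectHandler` in CPython copies the request headers (Authorization included) onto the redirected request. The URLs and header values in the usage section are constructed from the report's example.

```python
"""Drop credentials when a redirect crosses an origin boundary.

Added example, not wget's or curl's code. Origin = (scheme, host, port),
with the scheme's default port filled in so that http://a and http://a:80
compare equal.
"""
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that carry credentials and must not leak to another origin.
SENSITIVE_HEADERS = ("Authorization", "Proxy-Authorization", "Cookie")


def origin(url: str) -> tuple:
    """Return (scheme, host, port) for url, normalising case and default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and effective port all match."""
    return origin(url_a) == origin(url_b)


def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Headers to send to to_url after a redirect issued by from_url.

    Same origin: forward everything. Cross origin: strip credential headers
    (case-insensitive match, since header names are case-insensitive).
    """
    if same_origin(from_url, to_url):
        return dict(headers)
    blocked = {name.lower() for name in SENSITIVE_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


class OriginAwareRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that removes credentials on cross-origin redirects.

    The base class builds the new Request with the original headers copied
    over; this subclass removes the sensitive ones when the origin changes.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is None:
            return None
        if not same_origin(req.full_url, newurl):
            for name in SENSITIVE_HEADERS:
                # Request.remove_header is a no-op when the header is absent.
                new_req.remove_header(name)
        return new_req


def build_opener() -> urllib.request.OpenerDirector:
    """Opener that follows redirects with the origin-aware handler installed."""
    return urllib.request.build_opener(OriginAwareRedirectHandler)


if __name__ == "__main__":
    # Constructed from the report: redirect from 1.1.1.1:8000 to 2.2.2.2:8181.
    sent = {"Authorization": "zzzzz==", "User-Agent": "example"}
    print(headers_for_redirect(sent, "http://1.1.1.1:8000", "http://2.2.2.2:8181"))
    # Same host, different port is still cross origin.
    print(same_origin("http://1.1.1.1:8000", "http://1.1.1.1:8181"))
    # Implicit default port equals explicit default port.
    print(same_origin("https://example.test", "https://example.test:443/x"))
```

Using `build_opener().open(url)` in place of `urllib.request.urlopen` gives the stripping behaviour for every redirect the opener follows; the pure `headers_for_redirect` function is what a client that manages its own redirect loop (as wget does) would call before re-issuing the request.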
