Hi Aleksander,

Thank you for the patch to GNU Wget!

I think the new --keep-auth-header option is a misnomer, since it only applies to the case where the user explicitly passes an "Authorization" header, going around Wget's knowledge of it. Thus, if this feature is to be implemented, I would rather that it is implemented with an option like "--remove-on-redir" or something else that accepts a list of headers to remove. The user can then pass whatever headers they want to remove on a redirection to a different domain.

Also, we would need to document the new option in the man and info pages as well.

On Tue, Sep 7, 2021, at 13:13, Aleksander Bułanowski via Primary discussion list for GNU Wget wrote:
> Hello wget maintainers,
>
> Attached there is a patch file that strips sending Authentication headers
> on redirects.
> This should solve the https://savannah.gnu.org/bugs/?56909 / CVE-2021-31879.
>
> Regards,
> Aleksander Bułanowski
>
> Attachments:
> * wget-redirect-auth.patch
