From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 From: Patrick Griffis Date: Wed, 5 Feb 2025 16:18:10 -0600 Subject: [PATCH] session: Strip authentication credentails on cross-origin redirect This should match the behavior of Firefox and Safari but not of Chromium. CVE: CVE-2025-46421 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] Test code not added since it included some headers not in version 2.74.3 Signed-off-by: Changqing Li --- libsoup/soup-session.c | 8 ++++- 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c index 83421ef..8d6ac61 100644 --- a/libsoup/soup-session.c +++ b/libsoup/soup-session.c @@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) SOUP_ENCODING_NONE); } + /* Strip all credentials on cross-origin redirect. */ + if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { + soup_message_headers_remove (msg->request_headers, "Authorization"); + soup_message_set_auth (msg, NULL); + } + soup_message_set_uri (msg, new_uri); soup_uri_free (new_uri); soup_session_requeue_message (session, msg); return TRUE; -} +} static void redirect_handler (SoupMessage *msg, gpointer user_data) -- 2.34.1