blob: 3318093400649ee889571403efd8278ce56ca224 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on
cross-origin redirect
This should match the behavior of Firefox and Safari but not of Chromium.
CVE: CVE-2025-46421
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
Test code not added since it included some headers not in version 2.74.3
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-session.c | 8 ++++-
2 files changed, 85 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 83421ef..8d6ac61 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
SOUP_ENCODING_NONE);
}
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove (msg->request_headers, "Authorization");
+ soup_message_set_auth (msg, NULL);
+ }
+
soup_message_set_uri (msg, new_uri);
soup_uri_free (new_uri);
soup_session_requeue_message (session, msg);
return TRUE;
-}
+}
static void
redirect_handler (SoupMessage *msg, gpointer user_data)
--
2.34.1
|
