mirror of
https://github.com/mirror/wget.git
synced 2024-12-28 05:40:08 +08:00
[svn] Fix for bug #20296: User:pass@ given in Referer header.
This commit is contained in:
parent
8ab8c0ca8e
commit
c17f57f1fa
@ -1,6 +1,7 @@
|
||||
2007-07-29 Micah Cowan <micah@cowan.name>
|
||||
|
||||
* NEWS: No more auth before challenge.
|
||||
* NEWS: No more auth before challenge. No more auth info in
|
||||
Referer.
|
||||
|
||||
2007-07-09 Micah Cowan <micah@cowan.name>
|
||||
|
||||
|
3
NEWS
3
NEWS
@ -7,6 +7,9 @@ Please send GNU Wget bug reports to <bug-wget@gnu.org>.
|
||||
|
||||
* Changes in Wget 1.11.
|
||||
|
||||
** Authentication information is no longer sent as part of the Referer
|
||||
header in recursive fetches.
|
||||
|
||||
** No authentication credentials are sent until a challenge is issued,
|
||||
for improved security. Authentication handling is still not
|
||||
RFC-compliant, as once a Basic challenge has been received, it will
|
||||
|
@ -1,3 +1,12 @@
|
||||
2007-07-29 Micah Cowan <micah@cowan.name>
|
||||
|
||||
* url.h, url.c (url_string): Replaced bool arg of the url_string
|
||||
function with enum url_auth_mode, with added option to
|
||||
completely remove user/pass auth information.
|
||||
* http.c, ftp.c, url.c, recur.c: Adapted call to url_string
|
||||
function to fit new usage.
|
||||
* recur.c (retrieve_tree): Remove auth info from Referer header.
|
||||
|
||||
2007-07-28 Micah Cowan <micah@cowan.name>
|
||||
|
||||
* options.h, init.c, retr.c, main.c: renamed opt maxredirect
|
||||
|
@ -1153,7 +1153,7 @@ ftp_loop_internal (struct url *u, struct fileinfo *f, ccon *con)
|
||||
/* Print fetch message, if opt.verbose. */
|
||||
if (opt.verbose)
|
||||
{
|
||||
char *hurl = url_string (u, true);
|
||||
char *hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
|
||||
char tmp[256];
|
||||
strcpy (tmp, " ");
|
||||
if (count > 1)
|
||||
@ -1234,7 +1234,7 @@ ftp_loop_internal (struct url *u, struct fileinfo *f, ccon *con)
|
||||
/* Need to hide the password from the URL. The `if' is here
|
||||
so that we don't do the needless allocation every
|
||||
time. */
|
||||
char *hurl = url_string (u, true);
|
||||
char *hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
|
||||
logprintf (LOG_NONVERBOSE, "%s URL: %s [%s] -> \"%s\" [%d]\n",
|
||||
tms, hurl, number_to_static_string (len), locf, count);
|
||||
xfree (hurl);
|
||||
|
@ -2359,7 +2359,7 @@ Spider mode enabled. Check if remote file exists.\n"));
|
||||
/* Print fetch message, if opt.verbose. */
|
||||
if (opt.verbose)
|
||||
{
|
||||
char *hurl = url_string (u, true);
|
||||
char *hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
|
||||
|
||||
if (count > 1)
|
||||
{
|
||||
@ -2483,7 +2483,7 @@ Spider mode enabled. Check if remote file exists.\n"));
|
||||
if (!opt.verbose)
|
||||
{
|
||||
/* #### Ugly ugly ugly! */
|
||||
hurl = url_string (u, true);
|
||||
hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
|
||||
logprintf (LOG_NONVERBOSE, "%s:\n", hurl);
|
||||
}
|
||||
/* Maybe we should always keep track of broken links, not just in
|
||||
@ -2492,7 +2492,7 @@ Spider mode enabled. Check if remote file exists.\n"));
|
||||
{
|
||||
/* #### Again: ugly ugly ugly! */
|
||||
if (!hurl)
|
||||
hurl = url_string (u, true);
|
||||
hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
|
||||
nonexisting_url (hurl);
|
||||
logprintf (LOG_NOTQUIET, _("\
|
||||
Remote file does not exist -- broken link!!!\n"));
|
||||
|
14
src/recur.c
14
src/recur.c
@ -324,8 +324,14 @@ retrieve_tree (const char *start_url)
|
||||
{
|
||||
struct urlpos *child = children;
|
||||
struct url *url_parsed = url_parsed = url_parse (url, NULL);
|
||||
char *referer_url = url;
|
||||
bool strip_auth = url_parsed->user;
|
||||
assert (url_parsed != NULL);
|
||||
|
||||
/* Strip auth info if present */
|
||||
if (strip_auth)
|
||||
referer_url = url_string (url_parsed, URL_AUTH_HIDE);
|
||||
|
||||
for (; child; child = child->next)
|
||||
{
|
||||
if (child->ignore_when_downloading)
|
||||
@ -336,7 +342,7 @@ retrieve_tree (const char *start_url)
|
||||
blacklist))
|
||||
{
|
||||
url_enqueue (queue, xstrdup (child->url->url),
|
||||
xstrdup (url), depth + 1,
|
||||
xstrdup (referer_url), depth + 1,
|
||||
child->link_expect_html);
|
||||
/* We blacklist the URL we have enqueued, because we
|
||||
don't want to enqueue (and hence download) the
|
||||
@ -345,6 +351,8 @@ retrieve_tree (const char *start_url)
|
||||
}
|
||||
}
|
||||
|
||||
if (strip_auth)
|
||||
xfree (referer_url);
|
||||
url_free (url_parsed);
|
||||
free_urlpos (children);
|
||||
}
|
||||
@ -428,7 +436,7 @@ download_child_p (const struct urlpos *upos, struct url *parent, int depth,
|
||||
{
|
||||
if (opt.spider)
|
||||
{
|
||||
char *referrer = url_string (parent, true);
|
||||
char *referrer = url_string (parent, URL_AUTH_HIDE_PASSWD);
|
||||
DEBUGP (("download_child_p: parent->url is: `%s'\n", parent->url));
|
||||
visited_url (url, referrer);
|
||||
xfree (referrer);
|
||||
@ -628,3 +636,5 @@ descend_redirect_p (const char *redirected, const char *original, int depth,
|
||||
|
||||
return success;
|
||||
}
|
||||
|
||||
/* vim:set sts=2 sw=2 cino+={s: */
|
||||
|
24
src/url.c
24
src/url.c
@ -855,7 +855,7 @@ url_parse (const char *url, int *error)
|
||||
/* If we suspect that a transformation has rendered what
|
||||
url_string might return different from URL_ENCODED, rebuild
|
||||
u->url using url_string. */
|
||||
u->url = url_string (u, false);
|
||||
u->url = url_string (u, URL_AUTH_SHOW);
|
||||
|
||||
if (url_encoded != url)
|
||||
xfree ((char *) url_encoded);
|
||||
@ -1071,7 +1071,7 @@ sync_path (struct url *u)
|
||||
|
||||
/* Regenerate u->url as well. */
|
||||
xfree (u->url);
|
||||
u->url = url_string (u, false);
|
||||
u->url = url_string (u, URL_AUTH_SHOW);
|
||||
}
|
||||
|
||||
/* Mutators. Code in ftp.c insists on changing u->dir and u->file.
|
||||
@ -1814,7 +1814,7 @@ uri_merge (const char *base, const char *link)
|
||||
the URL will be quoted. */
|
||||
|
||||
char *
|
||||
url_string (const struct url *url, bool hide_password)
|
||||
url_string (const struct url *url, enum url_auth_mode auth_mode)
|
||||
{
|
||||
int size;
|
||||
char *result, *p;
|
||||
@ -1831,13 +1831,16 @@ url_string (const struct url *url, bool hide_password)
|
||||
/* Make sure the user name and password are quoted. */
|
||||
if (url->user)
|
||||
{
|
||||
quoted_user = url_escape_allow_passthrough (url->user);
|
||||
if (url->passwd)
|
||||
if (auth_mode != URL_AUTH_HIDE)
|
||||
{
|
||||
if (hide_password)
|
||||
quoted_passwd = HIDDEN_PASSWORD;
|
||||
else
|
||||
quoted_passwd = url_escape_allow_passthrough (url->passwd);
|
||||
quoted_user = url_escape_allow_passthrough (url->user);
|
||||
if (url->passwd)
|
||||
{
|
||||
if (auth_mode = URL_AUTH_HIDE_PASSWD)
|
||||
quoted_passwd = HIDDEN_PASSWORD;
|
||||
else
|
||||
quoted_passwd = url_escape_allow_passthrough (url->passwd);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1899,7 +1902,8 @@ url_string (const struct url *url, bool hide_password)
|
||||
|
||||
if (quoted_user && quoted_user != url->user)
|
||||
xfree (quoted_user);
|
||||
if (quoted_passwd && !hide_password && quoted_passwd != url->passwd)
|
||||
if (quoted_passwd && auth_mode == URL_AUTH_SHOW
|
||||
&& quoted_passwd != url->passwd)
|
||||
xfree (quoted_passwd);
|
||||
if (quoted_host != url->host)
|
||||
xfree (quoted_host);
|
||||
|
10
src/url.h
10
src/url.h
@ -34,6 +34,14 @@ so, delete this exception statement from your version. */
|
||||
#define DEFAULT_FTP_PORT 21
|
||||
#define DEFAULT_HTTPS_PORT 443
|
||||
|
||||
/* Specifies how, or whether, user auth information should be included
|
||||
* in URLs regenerated from URL parse structures. */
|
||||
enum url_auth_mode {
|
||||
URL_AUTH_SHOW,
|
||||
URL_AUTH_HIDE_PASSWD,
|
||||
URL_AUTH_HIDE
|
||||
};
|
||||
|
||||
/* Note: the ordering here is related to the order of elements in
|
||||
`supported_schemes' in url.c. */
|
||||
|
||||
@ -86,7 +94,7 @@ bool url_has_scheme (const char *);
|
||||
int scheme_default_port (enum url_scheme);
|
||||
void scheme_disable (enum url_scheme);
|
||||
|
||||
char *url_string (const struct url *, bool);
|
||||
char *url_string (const struct url *, enum url_auth_mode);
|
||||
char *url_file_name (const struct url *);
|
||||
|
||||
char *uri_merge (const char *, const char *);
|
||||
|
Loading…
Reference in New Issue
Block a user