Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-86385

QNetworkAccessManager will pass Authorization header to a different origin

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Reported
    • Priority: P2: Important
    • Resolution: Unresolved
    • Affects Version/s: 5.13.2
    • Fix Version/s: None
    • Component/s: Network: HTTP
    • Labels:

      Description

      With FollowRedirectsAttribute enabled, the Authorization header is not being removed from the request headers when the request redirects to a different origin.

      If the new request doesn't match the existing request's hostname; the "Authorization" header must be removed before sending the second request. Currently, this will leak the contents of the header to the destination server.

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            Assignee:
            manordheim MÃ¥rten Nordheim
            Reporter:
            james_emerton James Emerton
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:

                Gerrit Reviews

                There are no open Gerrit changes