2007-07-29 Micah Cowan <micah@cowan.name>
- * NEWS: No more auth before challenge.
+ * NEWS: No more auth before challenge. No more auth info in
+ Referer.
2007-07-09 Micah Cowan <micah@cowan.name>
\f
* Changes in Wget 1.11.
+** Authentication information is no longer sent as part of the Referer
+header in recursive fetches.
+
** No authentication credentials are sent until a challenge is issued,
for improved security. Authentication handling is still not
RFC-compliant, as once a Basic challenge has been received, it will
+2007-07-29 Micah Cowan <micah@cowan.name>
+
+ * url.h, url.c (url_string): Replaced bool arg of the url_string
+ function with enum url_auth_mode, with added option to
+ completely remove user/pass auth information.
+ * http.c, ftp.c, url.c, recur.c: Adapted call to url_string
+ function to fit new usage.
+ * recur.c (retrieve_tree): Remove auth info from Referer header.
+
2007-07-28 Micah Cowan <micah@cowan.name>
* options.h, init.c, retr.c, main.c: renamed opt maxredirect
/* Print fetch message, if opt.verbose. */
if (opt.verbose)
{
- char *hurl = url_string (u, true);
+ char *hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
char tmp[256];
strcpy (tmp, " ");
if (count > 1)
/* Need to hide the password from the URL. The `if' is here
so that we don't do the needless allocation every
time. */
- char *hurl = url_string (u, true);
+ char *hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
logprintf (LOG_NONVERBOSE, "%s URL: %s [%s] -> \"%s\" [%d]\n",
tms, hurl, number_to_static_string (len), locf, count);
xfree (hurl);
/* Print fetch message, if opt.verbose. */
if (opt.verbose)
{
- char *hurl = url_string (u, true);
+ char *hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
if (count > 1)
{
if (!opt.verbose)
{
/* #### Ugly ugly ugly! */
- hurl = url_string (u, true);
+ hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
logprintf (LOG_NONVERBOSE, "%s:\n", hurl);
}
/* Maybe we should always keep track of broken links, not just in
{
/* #### Again: ugly ugly ugly! */
if (!hurl)
- hurl = url_string (u, true);
+ hurl = url_string (u, URL_AUTH_HIDE_PASSWD);
nonexisting_url (hurl);
logprintf (LOG_NOTQUIET, _("\
Remote file does not exist -- broken link!!!\n"));
{
struct urlpos *child = children;
struct url *url_parsed = url_parsed = url_parse (url, NULL);
+ char *referer_url = url;
+ bool strip_auth = url_parsed->user;
assert (url_parsed != NULL);
+ /* Strip auth info if present */
+ if (strip_auth)
+ referer_url = url_string (url_parsed, URL_AUTH_HIDE);
+
for (; child; child = child->next)
{
if (child->ignore_when_downloading)
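Review bot: The added `bool strip_auth = url_parsed->user;` dereferences `url_parsed` one line before `assert (url_parsed != NULL);`, so the assert no longer guards the first use of the pointer, and it offers no protection at all in a build with NDEBUG defined. Move the assert above the new declarations and make the pointer test explicit: `assert (url_parsed != NULL);` followed by `bool strip_auth = (url_parsed->user != NULL);`. The context line `struct url *url_parsed = url_parsed = url_parse (url, NULL);` also carries a duplicated assignment that could be tidied in the same pass. The enclosing function starts and ends outside this hunk.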
blacklist))
{
url_enqueue (queue, xstrdup (child->url->url),
- xstrdup (url), depth + 1,
+ xstrdup (referer_url), depth + 1,
child->link_expect_html);
/* We blacklist the URL we have enqueued, because we
don't want to enqueue (and hence download) the
}
}
+ if (strip_auth)
+ xfree (referer_url);
url_free (url_parsed);
free_urlpos (children);
}
{
if (opt.spider)
{
- char *referrer = url_string (parent, true);
+ char *referrer = url_string (parent, URL_AUTH_HIDE_PASSWD);
DEBUGP (("download_child_p: parent->url is: `%s'\n", parent->url));
visited_url (url, referrer);
xfree (referrer);
return success;
}
+
+/* vim:set sts=2 sw=2 cino+={s: */
/* If we suspect that a transformation has rendered what
url_string might return different from URL_ENCODED, rebuild
u->url using url_string. */
- u->url = url_string (u, false);
+ u->url = url_string (u, URL_AUTH_SHOW);
if (url_encoded != url)
xfree ((char *) url_encoded);
/* Regenerate u->url as well. */
xfree (u->url);
- u->url = url_string (u, false);
+ u->url = url_string (u, URL_AUTH_SHOW);
}
/* Mutators. Code in ftp.c insists on changing u->dir and u->file.
the URL will be quoted. */
char *
-url_string (const struct url *url, bool hide_password)
+url_string (const struct url *url, enum url_auth_mode auth_mode)
{
int size;
char *result, *p;
/* Make sure the user name and password are quoted. */
if (url->user)
{
- quoted_user = url_escape_allow_passthrough (url->user);
- if (url->passwd)
+ if (auth_mode != URL_AUTH_HIDE)
{
- if (hide_password)
- quoted_passwd = HIDDEN_PASSWORD;
- else
- quoted_passwd = url_escape_allow_passthrough (url->passwd);
+ quoted_user = url_escape_allow_passthrough (url->user);
+ if (url->passwd)
+ {
+ if (auth_mode = URL_AUTH_HIDE_PASSWD)
+ quoted_passwd = HIDDEN_PASSWORD;
+ else
+ quoted_passwd = url_escape_allow_passthrough (url->passwd);
+ }
}
}
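Review bot: `if (auth_mode = URL_AUTH_HIDE_PASSWD)` is an assignment rather than a comparison, so the branch is always taken and every caller with a password gets `HIDDEN_PASSWORD`, including those passing `URL_AUTH_SHOW`. The `url_parse` call sites changed in this same commit rebuild `u->url` with `URL_AUTH_SHOW`, so a URL that carries a password would presumably end up stored with the placeholder instead of the real credential. The assignment also overwrites `auth_mode`, so the later cleanup test `auth_mode == URL_AUTH_SHOW` can never be true once this line has run. Change it to `if (auth_mode == URL_AUTH_HIDE_PASSWD)`; compiling with `-Wall` (which enables `-Wparentheses`) reports this pattern. The body of `url_string` continues outside this hunk.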
if (quoted_user && quoted_user != url->user)
xfree (quoted_user);
- if (quoted_passwd && !hide_password && quoted_passwd != url->passwd)
+ if (quoted_passwd && auth_mode == URL_AUTH_SHOW
+ && quoted_passwd != url->passwd)
xfree (quoted_passwd);
if (quoted_host != url->host)
xfree (quoted_host);
#define DEFAULT_FTP_PORT 21
#define DEFAULT_HTTPS_PORT 443
+/* Specifies how, or whether, user auth information should be included
+ * in URLs regenerated from URL parse structures. */
+enum url_auth_mode {
+ URL_AUTH_SHOW,
+ URL_AUTH_HIDE_PASSWD,
+ URL_AUTH_HIDE
+};
+
/* Note: the ordering here is related to the order of elements in
`supported_schemes' in url.c. */
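Review bot: The enumerators of `url_auth_mode` have no per-value comments, and the difference between `URL_AUTH_HIDE_PASSWD` and `URL_AUTH_HIDE` is the one a caller must get right when the string goes into a request header rather than a log line. Suggested comments: `URL_AUTH_SHOW, /* include user and password */`, `URL_AUTH_HIDE_PASSWD, /* include user, replace password with HIDDEN_PASSWORD */`, `URL_AUTH_HIDE /* omit user and password entirely */`. The first two values are 0 and 1, matching the old `false`/`true`, so a call site that still passes a boolean would compile without a diagnostic; a grep for remaining boolean arguments to `url_string` is worth doing.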
int scheme_default_port (enum url_scheme);
void scheme_disable (enum url_scheme);
-char *url_string (const struct url *, bool);
+char *url_string (const struct url *, enum url_auth_mode);
char *url_file_name (const struct url *);
char *uri_merge (const char *, const char *);