Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not
automatically include Authorization header in redirect.
(Bug#21350)

1 files changed, 7 insertions, 1 deletions

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2c947..7367a1eb3e9 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -25,8 +25,8 @@
 
 ;;; Code:
 
+(require 'cl-lib)
 (eval-when-compile
-  (require 'cl-lib)
   (require 'subr-x))
 
 (defvar url-callback-arguments)
@@ -646,6 +646,12 @@ should be shown to the user."
                ;; compute the redirection relative to the URL of the proxy.
                (setq redirect-uri
                      (url-expand-file-name redirect-uri url-http-target-url)))
+           ;; Do not automatically include an authorization header in the
+           ;; redirect.  If needed it will be regenerated by the relevant
+           ;; auth scheme when the new request happens.
+           (setq url-http-extra-headers
+                 (cl-remove "Authorization"
+                            url-http-extra-headers :key 'car :test 'equal))
            (let ((url-request-method url-http-method)
                  (url-request-data url-http-data)
                  (url-request-extra-headers url-http-extra-headers))