package/libsoup/0019-session-Strip-authentication-credentials.patch - buildroot - Git at Google

 From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Wed, 5 Feb 2025 16:18:10 -0600
 Subject: [PATCH] session: Strip authentication credentails on
  cross-origin redirect

 This should match the behavior of Firefox and Safari but not of Chromium.

 CVE: CVE-2025-46421
 Upstream-Status: Backport
 [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]

 Test code not added since it included some headers not in version 2.74.3

 Upstream: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch

 Signed-off-by: Changqing Li <changqing.li@windriver.com>
 Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
 ---
  libsoup/soup-session.c |  8 ++++-
  2 files changed, 85 insertions(+), 1 deletion(-)

 diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
 index 83421ef..8d6ac61 100644
 --- a/libsoup/soup-session.c
 +++ b/libsoup/soup-session.c
 @@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
  						   SOUP_ENCODING_NONE);
  	}

 +	/* Strip all credentials on cross-origin redirect. */
 +	if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
 +		soup_message_headers_remove (msg->request_headers, "Authorization");
 +		soup_message_set_auth (msg, NULL);
 +	}
 +
  	soup_message_set_uri (msg, new_uri);
  	soup_uri_free (new_uri);

  	soup_session_requeue_message (session, msg);
  	return TRUE;
 -}
 +}

  static void
  redirect_handler (SoupMessage *msg, gpointer user_data)

 --
 2.34.1
	From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
	From: Patrick Griffis <pgriffis@igalia.com>
	Date: Wed, 5 Feb 2025 16:18:10 -0600
	Subject: [PATCH] session: Strip authentication credentails on
	cross-origin redirect

	This should match the behavior of Firefox and Safari but not of Chromium.

	CVE: CVE-2025-46421
	Upstream-Status: Backport
	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]

	Test code not added since it included some headers not in version 2.74.3

	Upstream: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch

	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
	---
	libsoup/soup-session.c \| 8 ++++-
	2 files changed, 85 insertions(+), 1 deletion(-)

	diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
	index 83421ef..8d6ac61 100644
	--- a/libsoup/soup-session.c
	+++ b/libsoup/soup-session.c
	@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession session, SoupMessage msg)
	SOUP_ENCODING_NONE);
	}

	+ /* Strip all credentials on cross-origin redirect. */
	+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
	+ soup_message_headers_remove (msg->request_headers, "Authorization");
	+ soup_message_set_auth (msg, NULL);
	+ }
	+
	soup_message_set_uri (msg, new_uri);
	soup_uri_free (new_uri);

	soup_session_requeue_message (session, msg);
	return TRUE;
	-}
	+}

	static void
	redirect_handler (SoupMessage *msg, gpointer user_data)

	--
	2.34.1