1 ;;; url-http-ntlm-parse-headers-24.4.el --- Override url-http-parse-headers
3 ;; Copyright (C) 1999, 2001, 2004-2014 Free Software Foundation, Inc.
5 ;; Author: Bill Perry <wmperry@gnu.org>
6 ;; Keywords: comm, data, processes
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
25 ;; Override url-http-parse-headers to clear Authorization headers
26 ;; from url-http-extra-headers prior to executing a redirect. The
27 ;; only change is to apply this backward-compatible patch:
29 ;; diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
30 ;; index b0a3b68..80d9cca 100644
31 ;; --- a/lisp/url/url-http.el
32 ;; +++ b/lisp/url/url-http.el
33 ;; @@ -617,6 +617,15 @@ should be shown to the user."
34 ;; ;; compute the redirection relative to the URL of the proxy.
36 ;; (url-expand-file-name redirect-uri url-http-target-url)))
37 ;; + ;; Do not automatically include an authorization header in the
38 ;; + ;; redirect. If needed it will be regenerated by the relevant
39 ;; + ;; auth scheme when the new request happens.
40 ;; + (setq url-http-extra-headers
42 ;; + (dolist (header url-http-extra-headers)
43 ;; + (if (not (equal (car header) "Authorization"))
44 ;; + (push header result)))
45 ;; + (nreverse result)))
46 ;; (let ((url-request-method url-http-method)
47 ;; (url-request-data url-http-data)
48 ;; (url-request-extra-headers url-http-extra-headers))
52 (eval-when-compile (require 'cl))
60 (autoload 'url-cache-create-filename "url-cache")
63 (defvar url-http-process)
64 (defvar url-http-end-of-headers)
65 (defvar url-http-response-version)
66 (defvar url-http-response-status)
67 (defvar url-http-target-url)
68 (defvar url-http-method)
69 (defvar url-http-data)
70 (defvar url-http-extra-headers)
71 (defvar url-callback-arguments)
72 (defvar url-callback-function)
74 (defun url-http-parse-headers ()
75 "Parse and handle HTTP specific headers.
76 Return t if and only if the current buffer is still active and
77 should be shown to the user."
78 ;; The comments after each status code handled are taken from RFC
80 (url-http-mark-connection-as-free (url-host url-current-object)
81 (url-port url-current-object)
84 (if (or (not (boundp 'url-http-end-of-headers))
85 (not url-http-end-of-headers))
86 (error "Trying to parse headers in odd buffer: %s" (buffer-name)))
87 (goto-char (point-min))
88 (url-http-debug "url-http-parse-headers called in (%s)" (buffer-name))
89 (url-http-parse-response)
91 ;;(narrow-to-region (point-min) url-http-end-of-headers)
92 (let ((connection (mail-fetch-field "Connection")))
93 ;; In HTTP 1.0, keep the connection only if there is a
94 ;; "Connection: keep-alive" header.
95 ;; In HTTP 1.1 (and greater), keep the connection unless there is a
96 ;; "Connection: close" header
98 ((string= url-http-response-version "1.0")
99 (unless (and connection
100 (string= (downcase connection) "keep-alive"))
101 (delete-process url-http-process)))
103 (when (and connection
104 (string= (downcase connection) "close"))
105 (delete-process url-http-process)))))
106 (let* ((buffer (current-buffer))
107 (class (/ url-http-response-status 100))
109 ;; other status symbols: jewelry and luxury cars
110 (status-symbol (cadr (assq url-http-response-status url-http-codes))))
111 (url-http-debug "Parsed HTTP headers: class=%d status=%d"
112 class url-http-response-status)
113 (when (url-use-cookies url-http-target-url)
114 (url-http-handle-cookies))
117 ;; Classes of response codes
119 ;; 5xx = Server Error
120 ;; 4xx = Client Error
123 ;; 1xx = Informational
124 (1 ; Information messages
125 ;; 100 = Continue with request
126 ;; 101 = Switching protocols
127 ;; 102 = Processing (Added by DAV)
128 (url-mark-buffer-as-dead buffer)
129 (error "HTTP responses in class 1xx not supported (%d)"
130 url-http-response-status))
135 ;; 203 Non-authoritative information
138 ;; 206 Partial content
139 ;; 207 Multi-status (Added by DAV)
141 ((or `no-content `reset-content)
142 ;; No new data, just stay at the same document
143 (url-mark-buffer-as-dead buffer))
145 ;; Generic success for all others. Store in the cache, and
146 ;; mark it as successful.
148 (if (and url-automatic-caching (equal url-http-method "GET"))
149 (url-store-in-cache buffer))))
152 ;; 300 Multiple choices
153 ;; 301 Moved permanently
158 ;; 307 Temporary redirect
159 (let ((redirect-uri (or (mail-fetch-field "Location")
160 (mail-fetch-field "URI"))))
162 (`multiple-choices ; 300
163 ;; Quoth the spec (section 10.3.1)
164 ;; -------------------------------
165 ;; The requested resource corresponds to any one of a set of
166 ;; representations, each with its own specific location and
167 ;; agent-driven negotiation information is being provided so
168 ;; that the user can select a preferred representation and
169 ;; redirect its request to that location.
171 ;; If the server has a preferred choice of representation, it
172 ;; SHOULD include the specific URI for that representation in
173 ;; the Location field; user agents MAY use the Location field
174 ;; value for automatic redirection.
175 ;; -------------------------------
176 ;; We do not support agent-driven negotiation, so we just
177 ;; redirect to the preferred URI if one is provided.
179 ((or `moved-permanently `found `temporary-redirect) ; 301 302 307
180 ;; If the 301|302 status code is received in response to a
181 ;; request other than GET or HEAD, the user agent MUST NOT
182 ;; automatically redirect the request unless it can be
183 ;; confirmed by the user, since this might change the
184 ;; conditions under which the request was issued.
185 (unless (member url-http-method '("HEAD" "GET"))
186 (setq redirect-uri nil)))
188 ;; The response to the request can be found under a different
189 ;; URI and SHOULD be retrieved using a GET method on that
191 (setq url-http-method "GET"
194 ;; The 304 response MUST NOT contain a message-body.
195 (url-http-debug "Extracting document from cache... (%s)"
196 (url-cache-create-filename (url-view-url t)))
197 (url-cache-extract (url-cache-create-filename (url-view-url t)))
198 (setq redirect-uri nil
201 ;; The requested resource MUST be accessed through the
202 ;; proxy given by the Location field. The Location field
203 ;; gives the URI of the proxy. The recipient is expected
204 ;; to repeat this single request via the proxy. 305
205 ;; responses MUST only be generated by origin servers.
206 (error "Redirection thru a proxy server not supported: %s"
209 ;; Treat everything like '300'
212 ;; Clean off any whitespace and/or <...> cruft.
213 (if (string-match "\\([^ \t]+\\)[ \t]" redirect-uri)
214 (setq redirect-uri (match-string 1 redirect-uri)))
215 (if (string-match "^<\\(.*\\)>$" redirect-uri)
216 (setq redirect-uri (match-string 1 redirect-uri)))
218 ;; Some stupid sites (like sourceforge) send a
219 ;; non-fully-qualified URL (ie: /), which royally confuses
221 (if (not (string-match url-nonrelative-link redirect-uri))
222 ;; Be careful to use the real target URL, otherwise we may
223 ;; compute the redirection relative to the URL of the proxy.
225 (url-expand-file-name redirect-uri url-http-target-url)))
226 ;; Do not automatically include an authorization header in the
227 ;; redirect. If needed it will be regenerated by the relevant
228 ;; auth scheme when the new request happens.
229 (setq url-http-extra-headers
231 (dolist (header url-http-extra-headers)
232 (if (not (equal (car header) "Authorization"))
233 (push header result)))
235 (let ((url-request-method url-http-method)
236 (url-request-data url-http-data)
237 (url-request-extra-headers url-http-extra-headers))
238 ;; Check existing number of redirects
239 (if (or (< url-max-redirections 0)
240 (and (> url-max-redirections 0)
241 (let ((events (car url-callback-arguments))
244 (if (eq (car events) :redirect)
245 (setq old-redirects (1+ old-redirects)))
246 (and (setq events (cdr events))
247 (setq events (cdr events))))
248 (< old-redirects url-max-redirections))))
249 ;; url-max-redirections hasn't been reached, so go
250 ;; ahead and redirect.
252 ;; Remember that the request was redirected.
253 (setf (car url-callback-arguments)
254 (nconc (list :redirect redirect-uri)
255 (car url-callback-arguments)))
256 ;; Put in the current buffer a forwarding pointer to the new
257 ;; destination buffer.
258 ;; FIXME: This is a hack to fix url-retrieve-synchronously
259 ;; without changing the API. Instead url-retrieve should
260 ;; either simply not return the "destination" buffer, or it
261 ;; should take an optional `dest-buf' argument.
262 (set (make-local-variable 'url-redirect-buffer)
263 (url-retrieve-internal
264 redirect-uri url-callback-function
265 url-callback-arguments
266 (url-silent url-current-object)
267 (not (url-use-cookies url-current-object))))
268 (url-mark-buffer-as-dead buffer))
269 ;; We hit url-max-redirections, so issue an error and
271 (url-http-debug "Maximum redirections reached")
272 (setf (car url-callback-arguments)
273 (nconc (list :error (list 'error 'http-redirect-limit
275 (car url-callback-arguments)))
276 (setq success t))))))
280 ;; 402 Payment required
283 ;; 405 Method not allowed
284 ;; 406 Not acceptable
285 ;; 407 Proxy authentication required
286 ;; 408 Request time-out
289 ;; 411 Length required
290 ;; 412 Precondition failed
291 ;; 413 Request entity too large
292 ;; 414 Request-URI too large
293 ;; 415 Unsupported media type
294 ;; 416 Requested range not satisfiable
295 ;; 417 Expectation failed
296 ;; 422 Unprocessable Entity (Added by DAV)
298 ;; 424 Failed Dependency
302 ;; The request requires user authentication. The response
303 ;; MUST include a WWW-Authenticate header field containing a
304 ;; challenge applicable to the requested resource. The
305 ;; client MAY repeat the request with a suitable
306 ;; Authorization header field.
307 (url-http-handle-authentication nil))
308 (`payment-required ; 402
309 ;; This code is reserved for future use
310 (url-mark-buffer-as-dead buffer)
311 (error "Somebody wants you to give them money"))
313 ;; The server understood the request, but is refusing to
314 ;; fulfill it. Authorization will not help and the request
315 ;; SHOULD NOT be repeated.
320 (`method-not-allowed ; 405
321 ;; The method specified in the Request-Line is not allowed
322 ;; for the resource identified by the Request-URI. The
323 ;; response MUST include an Allow header containing a list of
324 ;; valid methods for the requested resource.
326 (`not-acceptable ; 406
327 ;; The resource identified by the request is only capable of
328 ;; generating response entities which have content
329 ;; characteristics not acceptable according to the accept
330 ;; headers sent in the request.
332 (`proxy-authentication-required ; 407
333 ;; This code is similar to 401 (Unauthorized), but indicates
334 ;; that the client must first authenticate itself with the
335 ;; proxy. The proxy MUST return a Proxy-Authenticate header
336 ;; field containing a challenge applicable to the proxy for
337 ;; the requested resource.
338 (url-http-handle-authentication t))
339 (`request-timeout ; 408
340 ;; The client did not produce a request within the time that
341 ;; the server was prepared to wait. The client MAY repeat
342 ;; the request without modifications at any later time.
345 ;; The request could not be completed due to a conflict with
346 ;; the current state of the resource. This code is only
347 ;; allowed in situations where it is expected that the user
348 ;; might be able to resolve the conflict and resubmit the
349 ;; request. The response body SHOULD include enough
350 ;; information for the user to recognize the source of the
354 ;; The requested resource is no longer available at the
355 ;; server and no forwarding address is known.
357 (`length-required ; 411
358 ;; The server refuses to accept the request without a defined
359 ;; Content-Length. The client MAY repeat the request if it
360 ;; adds a valid Content-Length header field containing the
361 ;; length of the message-body in the request message.
363 ;; NOTE - this will never happen because
364 ;; `url-http-create-request' automatically calculates the
367 (`precondition-failed ; 412
368 ;; The precondition given in one or more of the
369 ;; request-header fields evaluated to false when it was
370 ;; tested on the server.
372 ((or `request-entity-too-large `request-uri-too-large) ; 413 414
373 ;; The server is refusing to process a request because the
374 ;; request entity|URI is larger than the server is willing or
377 (`unsupported-media-type ; 415
378 ;; The server is refusing to service the request because the
379 ;; entity of the request is in a format not supported by the
380 ;; requested resource for the requested method.
382 (`requested-range-not-satisfiable ; 416
383 ;; A server SHOULD return a response with this status code if
384 ;; a request included a Range request-header field, and none
385 ;; of the range-specifier values in this field overlap the
386 ;; current extent of the selected resource, and the request
387 ;; did not include an If-Range request-header field.
389 (`expectation-failed ; 417
390 ;; The expectation given in an Expect request-header field
391 ;; could not be met by this server, or, if the server is a
392 ;; proxy, the server has unambiguous evidence that the
393 ;; request could not be met by the next-hop server.
396 ;; The request could not be understood by the server due to
397 ;; malformed syntax. The client SHOULD NOT repeat the
398 ;; request without modifications.
400 ;; Tell the callback that an error occurred, and what the
403 (setf (car url-callback-arguments)
404 (nconc (list :error (list 'error 'http url-http-response-status))
405 (car url-callback-arguments)))))
407 ;; 500 Internal server error
408 ;; 501 Not implemented
410 ;; 503 Service unavailable
411 ;; 504 Gateway time-out
412 ;; 505 HTTP version not supported
413 ;; 507 Insufficient storage
415 (pcase url-http-response-status
416 (`not-implemented ; 501
417 ;; The server does not support the functionality required to
418 ;; fulfill the request.
421 ;; The server, while acting as a gateway or proxy, received
422 ;; an invalid response from the upstream server it accessed
423 ;; in attempting to fulfill the request.
425 (`service-unavailable ; 503
426 ;; The server is currently unable to handle the request due
427 ;; to a temporary overloading or maintenance of the server.
428 ;; The implication is that this is a temporary condition
429 ;; which will be alleviated after some delay. If known, the
430 ;; length of the delay MAY be indicated in a Retry-After
431 ;; header. If no Retry-After is given, the client SHOULD
432 ;; handle the response as it would for a 500 response.
434 (`gateway-timeout ; 504
435 ;; The server, while acting as a gateway or proxy, did not
436 ;; receive a timely response from the upstream server
437 ;; specified by the URI (e.g. HTTP, FTP, LDAP) or some other
438 ;; auxiliary server (e.g. DNS) it needed to access in
439 ;; attempting to complete the request.
441 (`http-version-not-supported ; 505
442 ;; The server does not support, or refuses to support, the
443 ;; HTTP protocol version that was used in the request
446 (`insufficient-storage ; 507 (DAV)
447 ;; The method could not be performed on the resource
448 ;; because the server is unable to store the representation
449 ;; needed to successfully complete the request. This
450 ;; condition is considered to be temporary. If the request
451 ;; which received this status code was the result of a user
452 ;; action, the request MUST NOT be repeated until it is
453 ;; requested by a separate user action.
455 ;; Tell the callback that an error occurred, and what the
458 (setf (car url-callback-arguments)
459 (nconc (list :error (list 'error 'http url-http-response-status))
460 (car url-callback-arguments)))))
462 (error "Unknown class of HTTP response code: %d (%d)"
463 class url-http-response-status)))
465 (url-mark-buffer-as-dead buffer)
466 (url-handle-content-transfer-encoding))
467 (url-http-debug "Finished parsing HTTP headers: %S" success)
469 (goto-char (point-min))
472 (provide 'url-http-ntlm-parse-headers-24.4)
474 ;;; url-http-ntlm-parse-headers-24.4.el ends here