Bug Fixes
- reject cross-authority redirects before reusing auth
  Tighten smart-HTTP redirect handling so credentials are not carried across redirects that change authority.
  - treat redirects as valid only when scheme, host, and effective port stay the same
  - reject redirects to a different host or port when deriving the redirected base URL
  - apply the same authority check in the reqwest redirect policy
  - keep the advisory reproducer backend-neutral so the redirected POST assertion holds for both curl and reqwest
  This fixes the credential-leak vector covered by GHSA-9857-6mw7-fq2m, where Basic auth from the original remote could be forwarded to a redirected endpoint.
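The rule above (a redirect keeps credentials only if scheme, host and effective port are unchanged) is simple to state but easy to get subtly wrong: a missing port must resolve to the scheme default, userinfo embedded in the URL must not take part in the comparison, and IPv6 literals carry their own colons. The following is an added, stand-alone example of such a check written for this page; it is not gitoxide's implementation, and the names `authority_of`, `check_redirect`, `Authority` and `RedirectError` are hypothetical. It deliberately avoids the `url` crate so it runs with nothing but the standard library.

```rust
// Added example: same-authority check for HTTP redirects. Not gitoxide's code;
// all names below are hypothetical. Compares scheme, host and *effective* port.

#[derive(Debug, PartialEq, Eq)]
pub struct Authority {
    pub scheme: String,
    pub host: String,
    pub port: u16,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RedirectError {
    Malformed(String),
    CrossAuthority { from: Authority, to: Authority },
}

/// Extract (scheme, host, effective port) from an absolute http(s) URL.
/// Userinfo is dropped, scheme and host are lower-cased, and a missing port
/// resolves to the scheme default so `https://h` and `https://h:443` compare equal.
pub fn authority_of(url: &str) -> Result<Authority, RedirectError> {
    let malformed = || RedirectError::Malformed(url.to_owned());
    let (scheme, rest) = url.split_once("://").ok_or_else(malformed)?;
    let scheme = scheme.to_ascii_lowercase();
    let default_port = match scheme.as_str() {
        "http" => 80,
        "https" => 443,
        _ => return Err(malformed()),
    };
    // The authority component ends at the first '/', '?' or '#'.
    let end = rest.find(|c: char| c == '/' || c == '?' || c == '#').unwrap_or(rest.len());
    let mut authority = &rest[..end];
    // Credentials embedded in the URL never influence the comparison.
    if let Some(idx) = authority.rfind('@') {
        authority = &authority[idx + 1..];
    }
    let (host, port) = if let Some(inner) = authority.strip_prefix('[') {
        // IPv6 literal such as "[::1]:8080": the host is everything up to ']'.
        let close = inner.find(']').ok_or_else(malformed)?;
        let after = &inner[close + 1..];
        let port = match after.strip_prefix(':') {
            Some(p) => Some(p),
            None if after.is_empty() => None,
            None => return Err(malformed()),
        };
        (format!("[{}]", inner[..close].to_ascii_lowercase()), port)
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h.to_ascii_lowercase(), Some(p)),
            None => (authority.to_ascii_lowercase(), None),
        }
    };
    if host.is_empty() {
        return Err(malformed());
    }
    let port = match port {
        None | Some("") => default_port,
        Some(p) => p.parse::<u16>().map_err(|_| malformed())?,
    };
    Ok(Authority { scheme, host, port })
}

/// Decide whether the Authorization header sent to `original` may be replayed
/// to `redirected`. Anything but an identical authority is rejected.
pub fn check_redirect(original: &str, redirected: &str) -> Result<(), RedirectError> {
    let from = authority_of(original)?;
    let to = authority_of(redirected)?;
    if from == to {
        Ok(())
    } else {
        Err(RedirectError::CrossAuthority { from, to })
    }
}

fn main() {
    // Constructed inputs: a remote and a few candidate redirect targets.
    let origin = "https://git.example.com/repo.git/info/refs?service=git-upload-pack";
    for target in [
        "https://git.example.com:443/repo.git/info/refs?service=git-upload-pack", // same authority
        "http://git.example.com/repo.git/info/refs",                                // scheme downgrade
        "https://git.example.com:8443/repo.git/info/refs",                          // port change
        "https://attacker.example/repo.git/info/refs",                              // host change
    ] {
        match check_redirect(origin, target) {
            Ok(()) => println!("reuse auth   -> {target}"),
            Err(e) => println!("drop auth    -> {target} ({e:?})"),
        }
    }
}
```

Only the first target keeps the credentials; the other three fail the check even though two of them point at the same host name, which is exactly the distinction the fix draws between "same host" and "same authority".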
Commit Statistics
- 10 commits contributed to the release over the course of 32 calendar days.
- 32 days passed between releases.
- 1 commit was understood as conventional.
- 0 issues like '(#ID)' were seen in commit messages
Commit Details
- Uncategorized
- Update changelogs prior to release (f9fbcba)
- Merge pull request #2530 from GitoxideLabs/advisories (63b8419)
- Address auto-review (7429b15)
- Add corpus-builder scripts when corpus files are available; auto-run artifacts in test suite (e64e3b8)
- Add fuzz tests for 10 more crates, and related fixes (0396152)
- Reject cross-authority redirects before reusing auth (e5d4374)
- Add reproductions for all known advisories (392336f)
- Merge pull request #2518 from GitoxideLabs/improvements (444a92b)
- Make `package.include` patterns more specific so they don't match ignored files (c2c917f)
- Merge pull request #2480 from GitoxideLabs/report (98bae84)