File libsoup-CVE-2026-1539.patch of Package libsoup
From 98c1285d9d78662c38bf14b4a128af01ccfdb446 Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos <cgarcia@igalia.com>
Date: Tue, 20 Jan 2026 13:17:42 +0100
Subject: [PATCH] Also remove Proxy-Authorization header on cross origin
redirect
Closes #489
---
libsoup/soup-session.c | 1 +
tests/httpd.conf.in | 1 +
tests/proxy-test.c | 34 ++++++++++++++++++++++++++++++++++
3 files changed, 36 insertions(+)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 4e6b478b..e40437ff 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1234,6 +1234,7 @@ soup_session_redirect_message (SoupSession *session,
/* Strip all credentials on cross-origin redirect. */
if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
+ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_PROXY_AUTHORIZATION);
soup_message_set_auth (msg, NULL);
}
diff --git a/tests/httpd.conf.in b/tests/httpd.conf.in
index 809dc5ca..cc0a116e 100644
--- a/tests/httpd.conf.in
+++ b/tests/httpd.conf.in
@@ -34,6 +34,7 @@ LoadModule ssl_module @APACHE_SSL_MODULE_DIR@/mod_ssl.so
DirectoryIndex index.txt
TypesConfig /dev/null
Redirect permanent /redirected /index.txt
+Redirect permanent /Basic/realm1/redirected https://127.0.0.1:47525/index.txt
# Prefer http1 for now because most of the tests expect http1 behavior.
Protocols http/1.1 h2
diff --git a/tests/proxy-test.c b/tests/proxy-test.c
index d730c8a7..68c97aca 100644
--- a/tests/proxy-test.c
+++ b/tests/proxy-test.c
@@ -269,6 +269,39 @@ do_proxy_redirect_test (void)
soup_test_session_abort_unref (session);
}
+static void proxy_auth_redirect_message_restarted (SoupMessage *msg)
+{
+ if (soup_message_get_status (msg) != SOUP_STATUS_MOVED_PERMANENTLY)
+ return;
+
+ g_assert_null (soup_message_headers_get_one (soup_message_get_request_headers (msg), "Proxy-Authorization"));
+}
+
+static void
+do_proxy_auth_redirect_test (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ char *url;
+
+ SOUP_TEST_SKIP_IF_NO_APACHE;
+ SOUP_TEST_SKIP_IF_NO_TLS;
+
+ session = soup_test_session_new ("proxy-resolver", proxy_resolvers[AUTH_PROXY], NULL);
+
+ url = g_strconcat (HTTP_SERVER, "/Basic/realm1/redirected", NULL);
+ msg = soup_message_new (SOUP_METHOD_GET, url);
+ g_signal_connect (msg, "authenticate", G_CALLBACK (authenticate), NULL);
+ g_signal_connect (msg, "restarted", G_CALLBACK (proxy_auth_redirect_message_restarted), NULL);
+
+ soup_test_session_send_message (session, msg);
+ soup_test_assert_message_status (msg, SOUP_STATUS_OK);
+
+ g_free (url);
+ g_object_unref (msg);
+ soup_test_session_abort_unref (session);
+}
+
static void
do_proxy_auth_request (const char *url, SoupSession *session, gboolean do_read)
{
@@ -402,6 +435,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/proxy/fragment", base_uri, do_proxy_fragment_test);
g_test_add_func ("/proxy/redirect", do_proxy_redirect_test);
+ g_test_add_func ("/proxy/auth-redirect", do_proxy_auth_redirect_test);
g_test_add_func ("/proxy/auth-cache", do_proxy_auth_cache_test);
g_test_add_data_func ("/proxy/connect-error", base_https_uri, do_proxy_connect_error_test);
--
2.52.0
