sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch

From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on
 cross-origin redirect

This should match the behavior of Firefox and Safari but not of Chromium.

CVE: CVE-2025-46421
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]

Test code not added since it included some headers not in version 2.74.3

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 libsoup/soup-session.c |  8 +++++++-
 1 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 83421ef..8d6ac61 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
 						   SOUP_ENCODING_NONE);
 	}
 
+	/* Strip all credentials on cross-origin redirect. */
+	if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+		soup_message_headers_remove (msg->request_headers, "Authorization");
+		soup_message_set_auth (msg, NULL);
+	}
+
 	soup_message_set_uri (msg, new_uri);
 	soup_uri_free (new_uri);
 
 	soup_session_requeue_message (session, msg);
 	return TRUE;
-}
+}
 
 static void
 redirect_handler (SoupMessage *msg, gpointer user_data)
 
-- 
2.34.1
Complete Yocto mirror with license table for TQMa6UL (2038-compliance) - 264 license table entries with exact download URLs (224/264 resolved) - Complete sources/ directory with all BitBake recipes - Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl) - Full traceability for Softwarefreigabeantrag - GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4 - License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16) 2026-03-01 20:58:18 +00:00			`From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001`
			`From: Patrick Griffis <pgriffis@igalia.com>`
			`Date: Wed, 5 Feb 2025 16:18:10 -0600`
			`Subject: [PATCH] session: Strip authentication credentails on`
			`cross-origin redirect`

			`This should match the behavior of Firefox and Safari but not of Chromium.`

			`CVE: CVE-2025-46421`
			`Upstream-Status: Backport`
			`[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]`

			`Test code not added since it included some headers not in version 2.74.3`

			`Signed-off-by: Changqing Li <changqing.li@windriver.com>`
			`---`
			`libsoup/soup-session.c \| 8 +++++++-`
			`1 files changed, 7 insertions(+), 1 deletion(-)`

			`diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c`
			`index 83421ef..8d6ac61 100644`
			`--- a/libsoup/soup-session.c`
			`+++ b/libsoup/soup-session.c`
			`@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession session, SoupMessage msg)`
			`SOUP_ENCODING_NONE);`
			`}`

			`+ /* Strip all credentials on cross-origin redirect. */`
			`+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {`
			`+ soup_message_headers_remove (msg->request_headers, "Authorization");`
			`+ soup_message_set_auth (msg, NULL);`
			`+ }`
			`+`
			`soup_message_set_uri (msg, new_uri);`
			`soup_uri_free (new_uri);`

			`soup_session_requeue_message (session, msg);`
			`return TRUE;`
			`-}`
			`+}`

			`static void`
			`redirect_handler (SoupMessage *msg, gpointer user_data)`

			`--`
			`2.34.1`