af6b6227abc3f7c982e6dfae0f144a1495d314a8
galt
  Sun Sep 13 11:30:47 2015 -0700
Fixed so that redir does not store params like password and byterange. Instead, I made a function in net.c that transfers them, and now call it to apply those extra params later at runtime. This is both more secure and more correct.

diff --git src/lib/udc.c src/lib/udc.c
index caae2b2..8147316 100644
--- src/lib/udc.c
+++ src/lib/udc.c
@@ -158,31 +158,33 @@
 	ci->offset = offset;
 	}
     else
 	{
 	verbose(4, "Offset mismatch (ci %lld != new %lld), reopening.\n", ci->offset, offset);
 	mustCloseFd(&(ci->socket));
 	if (ci->ctrlSocket > 0)
 	    mustCloseFd(&(ci->ctrlSocket));
 	ZeroVar(ci);
 	}
     }
 int sd;
 if (ci == NULL || ci->socket <= 0)
     {
     if (ci->redirUrl)
-	url = ci->redirUrl;
+	{
+	url = transferParamsToRedirectedUrl(url, ci->redirUrl);
+	}
     char rangeUrl[2048];
     if (ci == NULL)
 	{
 	safef(rangeUrl, sizeof(rangeUrl), "%s;byterange=%lld-%lld",
 	      url, offset, (offset + size - 1));
 	sd = netUrlOpen(rangeUrl);
 	}
     else
 	{
 	safef(rangeUrl, sizeof(rangeUrl), "%s;byterange=%lld-", url, offset);
 	sd = ci->socket = netUrlOpenSockets(rangeUrl, &(ci->ctrlSocket));
 	ci->offset = offset;
 	}
     if (sd < 0)
 	return -1;
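Review bot: `if (ci->redirUrl)` directly above the added block dereferences `ci` even though the enclosing test `ci == NULL || ci->socket <= 0` lets a NULL `ci` through and the `if (ci == NULL)` branch just below expects that case; the new call reads `ci->redirUrl` under the same guard. Changing the guard to `if (ci != NULL && ci->redirUrl)` keeps the no-cache path from crashing. The string returned by `transferParamsToRedirectedUrl` is assigned to `url` and no free is visible here, so if the helper allocates (its body is in net.c, outside this diff) each reopen leaks a URL that may carry the password. The enclosing function starts and ends outside the hunk.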
@@ -398,55 +400,33 @@
 int status;
 while (TRUE)
     {
     hash = newHash(0);
     status = netUrlHead(url, hash);
     if (status == 200)
 	break;
     if (status != 301 && status != 302)  
 	return FALSE;
     ++redirectCount;
     if (redirectCount > 5)
 	{
 	warn("code %d redirects: exceeded limit of 5 redirects, %s", status, url);
 	return  FALSE;
 	}
-    char *newUrl = cloneString(hashFindValUpperCase(hash, "Location:"));
-    struct netParsedUrl npu, newNpu;
-    /* Parse the old URL to make parts available for graft onto the redirected url. */
-    /* This makes redirection work with byterange urls and user:password@ */
-    netParseUrl(url, &npu);
-    netParseUrl(newUrl, &newNpu);
-    boolean updated = FALSE;
-    if (npu.byteRangeStart != -1)
-	{
-	newNpu.byteRangeStart = npu.byteRangeStart;
-	newNpu.byteRangeEnd = npu.byteRangeEnd;
-	updated = TRUE;
-	}
-    if ((npu.user[0] != 0) && (newNpu.user[0] == 0))
-	{
-	safecpy(newNpu.user,     sizeof newNpu.user,     npu.user);
-	safecpy(newNpu.password, sizeof newNpu.password, npu.password);
-	updated = TRUE;
-	}
-    if (updated)
-	{
-	newUrl = urlFromNetParsedUrl(&newNpu);
-	}
-    url = newUrl;
-    retInfo->ci.redirUrl = url;
+    char *newUrl = hashFindValUpperCase(hash, "Location:");
+    retInfo->ci.redirUrl = cloneString(newUrl);
+    url = transferParamsToRedirectedUrl(url, newUrl);		
     hashFree(&hash);
     }
 
 char *sizeString = hashFindValUpperCase(hash, "Content-Length:");
 if (sizeString == NULL)
     {
     /* try to get remote file size by an alternate method */
     long long retSize = netUrlSizeByRangeResponse(url);
     if (retSize < 0)
 	{
     	hashFree(&hash);
 	errAbort("No Content-Length: returned in header for %s, can't proceed, sorry", url);
 	}
     retInfo->size = retSize;
     }
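Review bot: `newUrl` is used without a NULL check in the three added lines, so a 301/302 response that carries no `Location:` header hands NULL to `transferParamsToRedirectedUrl`; the same lookup is NULL-checked for `Content-Length:` further down. A guard such as `if (newUrl == NULL) { hashFree(&hash); return FALSE; }` before the `cloneString` call would reject that response. The Location value is chosen by the remote server, and if the helper copies user:password onto whatever target it is given (its body is not in this diff), a redirect to a different host would be sent the credentials; comparing the host of `url` with that of `newUrl` before transferring them would limit that. `newUrl` also points into `hash`, which is freed on the next line, so the helper must always return a fresh string rather than its second argument. The loop's enclosing function starts and ends outside the hunk.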