From 8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1 Mon Sep 17 00:00:00 2001
From: Henri D
Date: Sat, 8 Oct 2022 08:42:36 +0200
Subject: [PATCH] fix(http): Allow relative redirect on https (#395)
Location header can now be relative: https://httpwg.org/specs/rfc9110.html#field.location
---
 src/http.lua | 5 +++--
 test/httptest.lua | 31 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/http.lua b/src/http.lua
index 1330355..fbd5ff6 100644
--- a/src/http.lua
+++ b/src/http.lua
@@ -300,6 +300,8 @@ local function shouldredirect(reqt, code, headers)
 if not location then return false end
 location = string.gsub(location, "%s", "")
 if location == "" then return false end
+ -- the RFC says the redirect URL may be relative
+ location = url.absolute(reqt.url, location)
 local scheme = url.parse(location).scheme
 if scheme and (not SCHEMES[scheme]) then return false end
 -- avoid https downgrades
@@ -323,8 +325,7 @@ end
 local trequest, tredirect
 --[[local]] function tredirect(reqt, location)
- -- the RFC says the redirect URL has to be absolute, but some
- -- servers do not respect that
+ -- the RFC says the redirect URL may be relative
 local newurl = url.absolute(reqt.url, location)
 -- if switching schemes, reset port and create function
 if url.parse(newurl).scheme ~= reqt.scheme then
diff --git a/test/httptest.lua b/test/httptest.lua
index 63ff921..3457b07 100644
--- a/test/httptest.lua
+++ b/test/httptest.lua
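Review bot: In the first src/http.lua hunk, the scheme and downgrade checks in shouldredirect now run on a URL resolved from the whitespace-stripped header, while tredirect (second hunk) calls `url.absolute(reqt.url, location)` again on whatever its caller passes. If that caller hands tredirect the raw header value (the call site is outside this diff), the URL that was validated and the URL that is followed are computed separately and can differ. Resolving once and forwarding the result would close that gap, for example `return true, location` from shouldredirect with the caller passing the second value on to tredirect. At minimum, add `-- NOTE: keep this resolution identical to the one in tredirect` above the new line. shouldredirect starts and ends outside the hunk, so the downgrade check itself is not visible here.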
@@ -265,6 +265,37 @@ ignore = {
 }
 check_request(request, expect, ignore)
+-- Use https://httpbin.org/#/Dynamic_data/get_base64__value_ for testing
+-----------------------------------------------------
+io.write("testing absolute https redirection: ")
+request = {
+ url = "https://httpbin.org/redirect-to?url=https://httpbin.org/base64/THVhIFNvY2tldA=="
+}
+expect = {
+ code = 200,
+ body = "Lua Socket"
+}
+ignore = {
+ status = 1,
+ headers = 1
+}
+check_request(request, expect, ignore)
+
+-----------------------------------------------------
+io.write("testing relative https redirection: ")
+request = {
+ url = "https://httpbin.org/redirect-to?url=/base64/THVhIFNvY2tldA=="
+}
+expect = {
+ code = 200,
+ body = "Lua Socket"
+}
+ignore = {
+ status = 1,
+ headers = 1
+}
+check_request(request, expect, ignore)
+
 ------------------------------------------------------------------------
 --[[
 io.write("testing proxy with redirection: ")
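Review bot: Both added cases only prove that an https redirect is followed; nothing checks that a redirect from https to a plain http URL is still refused now that shouldredirect resolves the Location against `reqt.url` before the `-- avoid https downgrades` check. A negative case next to the two new ones would pin that behaviour, as sketched below. The expected `code = 302` and the `body = 1` ignore key are assumptions to confirm against httpbin and check_request, neither of which is visible in this hunk. These tests also depend on the external httpbin.org service, so a failure may reflect the network rather than the library.

```lua
-----------------------------------------------------
io.write("testing refused https to http redirection: ")
request = {
    url = "https://httpbin.org/redirect-to?url=http://httpbin.org/base64/THVhIFNvY2tldA=="
}
expect = {
    -- assumed: the redirect response itself comes back when it is not followed
    code = 302
}
ignore = {
    status = 1,
    headers = 1,
    body = 1
}
check_request(request, expect, ignore)
```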