fix(http): Allow relative redirect on https (#395)

Location header can now be relative: https://httpwg.org/specs/rfc9110.html#field.location
author: Henri D <nheir.kim@gmail.com> 2022-10-08 08:42:36 +0200
committer: GitHub <noreply@github.com> 2022-10-08 09:42:36 +0300
commit: 8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1 (patch)
tree: 2b02503d3b3ad527bb4e2b746a3438b43c1bcca3
parent: 26b524e1d7b9a00045882d3c0f25486485b1d6a8 (diff)
download: luasocket-8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1.tar.gz
luasocket-8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1.tar.bz2
luasocket-8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1.zip
2 files changed, 34 insertions, 2 deletions
diff --git a/src/http.lua b/src/http.lua
index 1330355..fbd5ff6 100644
--- a/src/http.lua
+++ b/src/http.lua
@@ -300,6 +300,8 @@ local function shouldredirect(reqt, code, headers)
    if not location then return false end
    location = string.gsub(location, "%s", "")
    if location == "" then return false end
+    -- the RFC says the redirect URL may be relative
+    location = url.absolute(reqt.url, location)
    local scheme = url.parse(location).scheme
    if scheme and (not SCHEMES[scheme]) then return false end
    -- avoid https downgrades
@@ -323,8 +325,7 @@ end
 local trequest, tredirect
 --[[local]] function tredirect(reqt, location)
-    -- the RFC says the redirect URL has to be absolute, but some
+    -- the RFC says the redirect URL may be relative
-    -- servers do not respect that
    local newurl = url.absolute(reqt.url, location)
    -- if switching schemes, reset port and create function
    if url.parse(newurl).scheme ~= reqt.scheme then
diff --git a/test/httptest.lua b/test/httptest.lua
index 63ff921..3457b07 100644
--- a/test/httptest.lua
+++ b/test/httptest.lua
@@ -265,6 +265,37 @@ ignore = {
 }
 check_request(request, expect, ignore)
+-- Use https://httpbin.org/#/Dynamic_data/get_base64__value_ for testing
+-----------------------------------------------------
+io.write("testing absolute https redirection: ")
+request = {
+    url = "https://httpbin.org/redirect-to?url=https://httpbin.org/base64/THVhIFNvY2tldA=="
+}
+expect = {
+    code = 200,
+    body = "Lua Socket"
+}
+ignore = {
+    status = 1,
+    headers = 1
+}
+check_request(request, expect, ignore)
+-----------------------------------------------------
+io.write("testing relative https redirection: ")
+request = {
+    url = "https://httpbin.org/redirect-to?url=/base64/THVhIFNvY2tldA=="
+}
+expect = {
+    code = 200,
+    body = "Lua Socket"
+}
+ignore = {
+    status = 1,
+    headers = 1
+}
+check_request(request, expect, ignore)
 ------------------------------------------------------------------------
 --[[
 io.write("testing proxy with redirection: ")
author	Henri D <nheir.kim@gmail.com>	2022-10-08 08:42:36 +0200
committer	GitHub <noreply@github.com>	2022-10-08 09:42:36 +0300
commit	8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1 (patch)
tree	2b02503d3b3ad527bb4e2b746a3438b43c1bcca3
parent	26b524e1d7b9a00045882d3c0f25486485b1d6a8 (diff)
download	luasocket-8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1.tar.gz luasocket-8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1.tar.bz2 luasocket-8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1.zip

diff --git a/src/http.lua b/src/http.lua index 1330355..fbd5ff6 100644 --- a/src/http.lua +++ b/src/http.lua
@@ -300,6 +300,8 @@ local function shouldredirect(reqt, code, headers)
300	if not location then return false end	300	if not location then return false end
301	location = string.gsub(location, "%s", "")	301	location = string.gsub(location, "%s", "")
302	if location == "" then return false end	302	if location == "" then return false end
		303	-- the RFC says the redirect URL may be relative
		304	location = url.absolute(reqt.url, location)
303	local scheme = url.parse(location).scheme	305	local scheme = url.parse(location).scheme
304	if scheme and (not SCHEMES[scheme]) then return false end	306	if scheme and (not SCHEMES[scheme]) then return false end
305	-- avoid https downgrades	307	-- avoid https downgrades
@@ -323,8 +325,7 @@ end
323	local trequest, tredirect	325	local trequest, tredirect
324		326
325	--[[local]] function tredirect(reqt, location)	327	--[[local]] function tredirect(reqt, location)
326	-- the RFC says the redirect URL has to be absolute, but some	328	-- the RFC says the redirect URL may be relative
327	-- servers do not respect that
328	local newurl = url.absolute(reqt.url, location)	329	local newurl = url.absolute(reqt.url, location)
329	-- if switching schemes, reset port and create function	330	-- if switching schemes, reset port and create function
330	if url.parse(newurl).scheme ~= reqt.scheme then	331	if url.parse(newurl).scheme ~= reqt.scheme then


diff --git a/test/httptest.lua b/test/httptest.lua index 63ff921..3457b07 100644 --- a/test/httptest.lua +++ b/test/httptest.lua
@@ -265,6 +265,37 @@ ignore = {
265	}	265	}
266	check_request(request, expect, ignore)	266	check_request(request, expect, ignore)
267		267
		268	-- Use https://httpbin.org/#/Dynamic_data/get_base64__value_ for testing
		269	-----------------------------------------------------
		270	io.write("testing absolute https redirection: ")
		271	request = {
		272	url = "https://httpbin.org/redirect-to?url=https://httpbin.org/base64/THVhIFNvY2tldA=="
		273	}
		274	expect = {
		275	code = 200,
		276	body = "Lua Socket"
		277	}
		278	ignore = {
		279	status = 1,
		280	headers = 1
		281	}
		282	check_request(request, expect, ignore)
		283
		284	-----------------------------------------------------
		285	io.write("testing relative https redirection: ")
		286	request = {
		287	url = "https://httpbin.org/redirect-to?url=/base64/THVhIFNvY2tldA=="
		288	}
		289	expect = {
		290	code = 200,
		291	body = "Lua Socket"
		292	}
		293	ignore = {
		294	status = 1,
		295	headers = 1
		296	}
		297	check_request(request, expect, ignore)
		298
268	------------------------------------------------------------------------	299	------------------------------------------------------------------------
269	--[[	300	--[[
270	io.write("testing proxy with redirection: ")	301	io.write("testing proxy with redirection: ")