author | Henri D <nheir.kim@gmail.com> | 2022-10-08 08:42:36 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-08 09:42:36 +0300 |
commit | 8c2ff7217e2a205eb107a6f48b04ff1b2b3090a1 (patch) | |
tree | 2b02503d3b3ad527bb4e2b746a3438b43c1bcca3 | |
parent | 26b524e1d7b9a00045882d3c0f25486485b1d6a8 (diff) | |
fix(http): Allow relative redirect on https (#395)
Location header can now be relative: https://httpwg.org/specs/rfc9110.html#field.location
-rw-r--r-- | src/http.lua | 5 | ||||
-rw-r--r-- | test/httptest.lua | 31 |
2 files changed, 34 insertions, 2 deletions
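--- a/src/http.lua
+++ b/src/http.lua
@@ -300,6 +300,8 @@ local function shouldredirect(reqt, code, headers)
 if not location then return false end
 location = string.gsub(location, "%s", "")
 if location == "" then return false end
+-- the RFC says the redirect URL may be relative
+location = url.absolute(reqt.url, location)
 local scheme = url.parse(location).scheme
 if scheme and (not SCHEMES[scheme]) then return false end
 -- avoid https downgrades
@@ -323,8 +325,7 @@ end
 local trequest, tredirect
 
 --[[local]] function tredirect(reqt, location)
--- the RFC says the redirect URL has to be absolute, but some
--- servers do not respect that
+-- the RFC says the redirect URL may be relative
 local newurl = url.absolute(reqt.url, location)
 -- if switching schemes, reset port and create function
 if url.parse(newurl).scheme ~= reqt.scheme then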
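Review bot: The scheme check in shouldredirect now runs on a copy of Location that has been whitespace-stripped and resolved against `reqt.url`, but that value stays local, and tredirect (second hunk) resolves its own `location` argument again with `url.absolute(reqt.url, location)`. The call site is outside both hunks; if it passes the raw header value, the URL that passed the SCHEMES and https-downgrade checks and the URL that is actually followed can differ whenever the header contains whitespace. Applying the same normalisation in tredirect, e.g. `local newurl = url.absolute(reqt.url, (string.gsub(location, "%s", "")))`, or resolving once and handing the result on, keeps the check and the use on the same string. Both function bodies continue outside the hunks shown.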
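--- a/test/httptest.lua
+++ b/test/httptest.lua
@@ -265,6 +265,37 @@ ignore = {
 }
 check_request(request, expect, ignore)
 
+-- Use https://httpbin.org/#/Dynamic_data/get_base64__value_ for testing
+-----------------------------------------------------
+io.write("testing absolute https redirection: ")
+request = {
+url = "https://httpbin.org/redirect-to?url=https://httpbin.org/base64/THVhIFNvY2tldA=="
+}
+expect = {
+code = 200,
+body = "Lua Socket"
+}
+ignore = {
+status = 1,
+headers = 1
+}
+check_request(request, expect, ignore)
+
+-----------------------------------------------------
+io.write("testing relative https redirection: ")
+request = {
+url = "https://httpbin.org/redirect-to?url=/base64/THVhIFNvY2tldA=="
+}
+expect = {
+code = 200,
+body = "Lua Socket"
+}
+ignore = {
+status = 1,
+headers = 1
+}
+check_request(request, expect, ignore)
+
 ------------------------------------------------------------------------
 --[[
 io.write("testing proxy with redirection: ")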
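Review bot: Both added cases cover only redirects that should be followed; nothing exercises the `-- avoid https downgrades` branch that the new `url.absolute` call in shouldredirect now feeds, so a regression that lets an https request follow a Location pointing at http would pass this suite. A third case with `url = "https://httpbin.org/redirect-to?url=http://httpbin.org/base64/THVhIFNvY2tldA=="` and an `expect` of the unfollowed redirect status (presumably `code = 302`, to be confirmed against httpbin and against how check_request treats the body) would pin that behaviour. The cases also depend on a live third-party host and on TLS support being available to the test run, so a comment stating that requirement above the block would help anyone running the suite offline.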