You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2010/04/02 21:32:27 UTC

[jira] Commented: (HTTPCLIENT-930) Unencoded redirect URI causes exception when following redirects

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852929#action_12852929 ] 

Oleg Kalnichevski commented on HTTPCLIENT-930:
----------------------------------------------

We had similar reports in the past and they all were rejected as invalid, see HTTPCLIENT-778 for example.

I am also not sure the way browsers handle this kind of problems can be defined as graceful. I _suspect_ that browsers simply use the good ol' principle of garbage in - garbage out and do not even attempt to escape redirect urls.  

What theoretically can be done about is the following: the abs_path and query parts of the redirect URI are scanned for illegal characters and if any is found the entire URI is considered un-escaped. This of course does not help if you have situations like that:

 /garbage%20in%20garbage%20?param={screw you all}.

Bottom line: malformed request URIs are inherently ambiguous and there is nothing that can be done about it.

Oleg
 

> Unencoded redirect URI causes exception when following redirects
> ----------------------------------------------------------------
>
>                 Key: HTTPCLIENT-930
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-930
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.0.1
>            Reporter: Ryan Stewart
>
> When HttpClient is set to follow redirects, the DefaultRedirectHandler gets the redirect location from the appropriate request header and attempts to create a new java.net.URI from it. If the location contains an invalid URI character, creating the URI fails. For example, if the redirect location were "/foo?bar=<baz/>", it would fail because the '<' and '>' are not legal in a URI.
> I'm not sure if this should actually be considered a bug in HttpClient, since the website in question should probably be responsible for encoding the URI appropriately; however, browsers handle the situation gracefully, and it would be nice if this excellent library would do so as well.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org