request method of internal redirects

[Adam Sussman <my...@vidya.com>]

In the internal_redirect() function, an assumption is made that the new request
can -only- be a GET request.  The comment just above the bit that hard codes
the new request into a GET states that there is no possible way for the
redirect to be getting POST style arguments.

I have managed to find a way :).  In using the mod_actions.c module to post
process certain html files, you can make a POST request to a document that
gets internaly redirected via this module.  When it is redirected, all of the
environment variables and standard input associated with the POST data are 
preserved.  However, since the new redirected request is hard set to a GET,
scripts which deal with the input can't test the REQUEST_METHOD variable
to determine that it is actualy a POST request.

Why must all internal redirects be GETs?  Is there any reason not to simply
copy the request method information from the original request?

-adam

Re: request method of internal redirects

[Brian Behlendorf <br...@organic.com>]

Okay, here's where history, HTTP response headers, and common sense 
collide.  :)

There are 3 main HTTP response codes dealing with redirection.  There is 

301 - Moved Permanently
302 - Moved Temporarily
303 - See Other

The third is not part of the HTTP/1.0 "best current practise" spec, but 
has been around a long time.

When a script outputs a "Location:" header, it's presumed to be a 302.  
However, the internal redirect should be able to handle a Status 303 
header, which would mean that the new URI should be fetched with a method 
GET.  From the HTTP/1.1 proposal[1]:

> The response to the request can be found under a different URI and
> should be retrieved using a GET method on that resource. This
> method exists primarily to allow the output of a POST-activated
> script to redirect the user agent to a selected resource. The new
> resource is not a replacement reference for the original
> Request-URI.

	Brian



On Wed, 3 Jan 1996, Alexei Kosut wrote:
> On Wed, 3 Jan 1996, Adam Sussman wrote:
> 
> > In the internal_redirect() function, an assumption is made that the new request
> > can -only- be a GET request.  The comment just above the bit that hard codes
> > the new request into a GET states that there is no possible way for the
> > redirect to be getting POST style arguments.
> 
> Hmm. I suppose this is due to the way internal redirects are used in CGI 
> scripts. If a CGI script gives out "Location: /whatever", it sends an 
> internal redirect, after soaking up all the POST input. I guess the 
> theory being that if you were going to another file or CGI script, you'd 
> already have processed the POST data, so you then would want to emulate a 
> GET. This is the only explanation I can think of.
> 
> > I have managed to find a way :).  In using the mod_actions.c module to post
> > process certain html files, you can make a POST request to a document that
> > gets internaly redirected via this module.  When it is redirected, all of the
> > environment variables and standard input associated with the POST data are 
> > preserved.  However, since the new redirected request is hard set to a GET,
> > scripts which deal with the input can't test the REQUEST_METHOD variable
> > to determine that it is actualy a POST request.
> 
> Oh. Ouch. This is a good point. Also, mod_dir uses internal redirects 
> with index files (which someone might want to POST to), mod_negotiation 
> uses them for type map (.var)-negotated files. http_request.c uses them 
> for error documents as well. Conceivible one might want to POST to at 
> least the first two, certainly.
> 
> I vote that internal_redirect should keep the method the same, and 
> mod_cgi.c should set the method explicitly to GET, to keep the CGI 
> behavior. Unless anyone objects, I'll write a patch and submit it for 
> 1.1b1. I can't think of any other reason to change the request to GET, 
> save for CGI scripts.
> 
> --/ Alexei Kosut <ak...@nueva.pvt.k12.ca.us> /--------/ Lefler on IRC
> ----------------------------/ <http://www.nueva.pvt.k12.ca.us/~akosut/>
> The viewpoints expressed above are entirely false, and in no way
> represent Alexei Kosut nor any other person or entity. /--------------
> 
> 
> 
> 

[1] - <URL:http://www.ics.uci.edu/pub/ietf/http/draft-ietf-http-v11-spec-00.txt>

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/

Re: request method of internal redirects

[Alexei Kosut <ak...@nueva.pvt.k12.ca.us>]

On Wed, 3 Jan 1996, Adam Sussman wrote:

> In the internal_redirect() function, an assumption is made that the new request
> can -only- be a GET request.  The comment just above the bit that hard codes
> the new request into a GET states that there is no possible way for the
> redirect to be getting POST style arguments.

Hmm. I suppose this is due to the way internal redirects are used in CGI 
scripts. If a CGI script gives out "Location: /whatever", it sends an 
internal redirect, after soaking up all the POST input. I guess the 
theory being that if you were going to another file or CGI script, you'd 
already have processed the POST data, so you then would want to emulate a 
GET. This is the only explanation I can think of.

> I have managed to find a way :).  In using the mod_actions.c module to post
> process certain html files, you can make a POST request to a document that
> gets internaly redirected via this module.  When it is redirected, all of the
> environment variables and standard input associated with the POST data are 
> preserved.  However, since the new redirected request is hard set to a GET,
> scripts which deal with the input can't test the REQUEST_METHOD variable
> to determine that it is actualy a POST request.

Oh. Ouch. This is a good point. Also, mod_dir uses internal redirects 
with index files (which someone might want to POST to), mod_negotiation 
uses them for type map (.var)-negotated files. http_request.c uses them 
for error documents as well. Conceivible one might want to POST to at 
least the first two, certainly.

I vote that internal_redirect should keep the method the same, and 
mod_cgi.c should set the method explicitly to GET, to keep the CGI 
behavior. Unless anyone objects, I'll write a patch and submit it for 
1.1b1. I can't think of any other reason to change the request to GET, 
save for CGI scripts.

--/ Alexei Kosut <ak...@nueva.pvt.k12.ca.us> /--------/ Lefler on IRC
----------------------------/ <http://www.nueva.pvt.k12.ca.us/~akosut/>
The viewpoints expressed above are entirely false, and in no way
represent Alexei Kosut nor any other person or entity. /--------------