[ https://issues.apache.org/jira/browse/HTTPCLIENT-930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852929#action_12852929 ]

Oleg Kalnichevski commented on HTTPCLIENT-930:
----------------------------------------------

We had similar reports in the past and they all were rejected as invalid, see 
HTTPCLIENT-778 for example.

I am also not sure the way browsers handle this kind of problem can be defined 
as graceful. I _suspect_ that browsers simply use the good ol' principle of 
garbage in - garbage out and do not even attempt to escape redirect URLs.

What theoretically can be done about it is the following: the abs_path and query 
parts of the redirect URI are scanned for illegal characters and if any is 
found the entire URI is considered un-escaped. This of course does not help if 
you have situations like this:

 /garbage%20in%20garbage%20?param={screw you all}.

Bottom line: malformed request URIs are inherently ambiguous and there is 
nothing that can be done about it.

Oleg
 

> Unencoded redirect URI causes exception when following redirects
> ----------------------------------------------------------------
>
>                 Key: HTTPCLIENT-930
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-930
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.0.1
>            Reporter: Ryan Stewart
>
> When HttpClient is set to follow redirects, the DefaultRedirectHandler gets 
> the redirect location from the appropriate request header and attempts to 
> create a new java.net.URI from it. If the location contains an invalid URI 
> character, creating the URI fails. For example, if the redirect location were 
> "/foo?bar=<baz/>", it would fail because the '<' and '>' are not legal in a 
> URI.
> I'm not sure if this should actually be considered a bug in HttpClient, since 
> the website in question should probably be responsible for encoding the URI 
> appropriately; however, browsers handle the situation gracefully, and it 
> would be nice if this excellent library would do so as well.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
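
The heuristic described in the comment above, sketched in Java as an added example (not part of the original message and not HttpClient code). `LenientRedirectLocation.parse` is a hypothetical helper, and it assumes the Location value has the abs_path-plus-query form used in this thread's examples. The third sample shows the ambiguity the comment points out: escapes that were already present are escaped a second time.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class LenientRedirectLocation {

    // Hypothetical helper (not an HttpClient API): strict parse first, and only
    // if that fails treat the whole value as un-escaped and quote it.
    static URI parse(String location) throws URISyntaxException {
        try {
            return new URI(location);   // already a legal URI: leave it untouched
        } catch (URISyntaxException illegalChar) {
            String rest = location;
            String fragment = null, query = null;
            int hash = rest.indexOf('#');
            if (hash >= 0) { fragment = rest.substring(hash + 1); rest = rest.substring(0, hash); }
            int q = rest.indexOf('?');
            if (q >= 0) { query = rest.substring(q + 1); rest = rest.substring(0, q); }
            // The multi-argument java.net.URI constructors quote illegal
            // characters and always quote '%', so any escape sequence that
            // was already in the input is escaped again.
            return new URI(null, null, rest, query, fragment);
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] samples = {
            "/foo?bar=%3Cbaz/%3E",                              // correctly escaped form
            "/foo?bar=<baz/>",                                  // example from the issue
            "/garbage%20in%20garbage%20?param={screw you all}"  // mixed case from the comment
        };
        for (String s : samples) {
            URI u = parse(s);
            System.out.println(s);
            // Raw form is what would be sent in the follow-up request.
            System.out.println("  raw:     " + u.getRawPath() + "?" + u.getRawQuery());
            // Decoded form is what the target server would see after unescaping;
            // for the mixed case the path keeps a literal "%20" instead of a space.
            System.out.println("  decoded: " + u.getPath() + "?" + u.getQuery());
        }
    }
}
```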

