Daniel Vega created HTTPCLIENT-2383: ---------------------------------------
Summary: LaxRedirectStrategy unintentionally blocks redirects due to inherited sensitive header check
Key: HTTPCLIENT-2383
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2383
Project: HttpComponents HttpClient
Issue Type: Bug
Reporter: Daniel Vega

Summary: LaxRedirectStrategy in HttpClient 5.5 does not override isRedirectAllowed(), causing unexpected redirect blocking due to inherited sensitive header checks.

Description:

Starting with HttpClient 5.5, a new check was introduced in RedirectStrategy.isRedirectAllowed(), and implemented in the class DefaultRedirectStrategy, to prevent redirects when requests contain sensitive headers such as Authorization. This is a security-conscious change and makes sense for the default strategy.

However, LaxRedirectStrategy, which was introduced earlier (in 5.4) to allow more permissive redirection behavior, inherits from DefaultRedirectStrategy but does not override isRedirectAllowed(). As a result, even when LaxRedirectStrategy is explicitly used in a client, it still respects the stricter logic from DefaultRedirectStrategy when RedirectExec.handleResponse() delegates to isRedirectAllowed().

This leads to unintuitive behavior: despite choosing a "lax" strategy, redirections are blocked if sensitive headers are present, defeating the purpose of selecting LaxRedirectStrategy to get a looser (lax) redirect behavior.

Proposed Fix:

Override isRedirectAllowed() in LaxRedirectStrategy to allow redirection regardless of sensitive headers, aligning with a more intuitive redirection strategy system.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
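Added example, not part of the report and not HttpClient's own code: a subclass of LaxRedirectStrategy that supplies the isRedirectAllowed() override the report asks for, so an application can get lax behaviour on 5.5 without waiting for a fix. It goes one step beyond the report's "allow regardless" proposal by only forwarding a request that carries Authorization or Cookie to a different host when that host is on a caller-supplied allow-list; the unconditional variant is a one-line change noted in the comments. Assumptions (flagged in the code, not confirmed by the report): the 5.5 method signature is isRedirectAllowed(HttpHost currentTarget, HttpHost newTarget, HttpRequest redirect, HttpContext context), LaxRedirectStrategy lives in org.apache.hc.client5.http.impl, and the class name AllowListingLaxRedirectStrategy is hypothetical.

```java
import java.util.Locale;
import java.util.Set;

import org.apache.hc.client5.http.impl.LaxRedirectStrategy;          // ASSUMPTION: package of LaxRedirectStrategy in 5.x
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.HttpRequest;
import org.apache.hc.core5.http.protocol.HttpContext;

/**
 * Hypothetical workaround class (not part of HttpClient): overrides the
 * sensitive-header check that LaxRedirectStrategy otherwise inherits from
 * DefaultRedirectStrategy.
 *
 * ASSUMPTION: the HttpClient 5.5 signature is
 *   boolean isRedirectAllowed(HttpHost currentTarget, HttpHost newTarget,
 *                             HttpRequest redirect, HttpContext context)
 * Check it against the 5.5 sources; @Override will fail to compile if it differs.
 */
public final class AllowListingLaxRedirectStrategy extends LaxRedirectStrategy {

    /** Lower-case host names that may receive Authorization/Cookie across a redirect. */
    private final Set<String> trustedHosts;

    public AllowListingLaxRedirectStrategy(final Set<String> trustedHosts) {
        this.trustedHosts = Set.copyOf(trustedHosts);
    }

    @Override
    public boolean isRedirectAllowed(final HttpHost currentTarget, final HttpHost newTarget,
                                     final HttpRequest redirect, final HttpContext context) {
        // Same scheme/host/port: credentials stay where they already were, so always follow.
        if (currentTarget.equals(newTarget)) {
            return true;
        }
        // Cross-host redirect without secrets attached: nothing to protect, follow it.
        final boolean carriesSecrets = redirect.containsHeader(HttpHeaders.AUTHORIZATION)
                || redirect.containsHeader(HttpHeaders.COOKIE);
        if (!carriesSecrets) {
            return true;
        }
        // Cross-host redirect WITH Authorization/Cookie. The report's proposed fix
        // would simply `return true;` here. This variant only does so for hosts the
        // caller explicitly trusts, so a bearer token is never replayed to an
        // arbitrary Location target chosen by the origin server.
        final String target = newTarget.getHostName().toLowerCase(Locale.ROOT);
        return trustedHosts.contains(target);
    }

    /** Builds a client that follows redirects under this strategy. */
    public static CloseableHttpClient newClient(final Set<String> trustedHosts) {
        return HttpClients.custom()
                .setRedirectStrategy(new AllowListingLaxRedirectStrategy(trustedHosts))
                .build();
    }
}
```

With an empty trusted-host set the class behaves exactly like the inherited 5.5 check for credentialed cross-host hops while still following every same-host and credential-free redirect; with the target host added to the set it reproduces the lax behaviour the reporter expected. Whether the unconditional version is acceptable depends on whether the application can tolerate its Authorization header being forwarded wherever the server's Location header points.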