[ https://issues.apache.org/jira/browse/HTTPCLIENT-2383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18007555#comment-18007555 ]

ASF subversion and git services commented on HTTPCLIENT-2383:
-------------------------------------------------------------

Commit e907ae0ba71753b4e6941326245d7cfeb7c10cab in httpcomponents-client's 
branch refs/heads/master from Arturo Bernal
[ https://gitbox.apache.org/repos/asf?p=httpcomponents-client.git;h=e907ae0ba ]

HTTPCLIENT-2383 Bypass sensitive-header check in LaxRedirectStrategy (#676)

* HTTPCLIENT-2383 Bypass sensitive-header check in LaxRedirectStrategy. 
Override isRedirectAllowed(...) to always return true, ensuring 
LaxRedirectStrategy follows redirects regardless of Authorization or other 
sensitive headers.

* [HTTPCLIENT-2383] Make LaxRedirectStrategy allow redirects if sensitive 
headers are part of the request

---------

Co-authored-by: Daniel VEGA <daniel.v...@amadeus.com>

> LaxRedirectStrategy unintentionally blocks redirects due to inherited 
> sensitive header check
> --------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2383
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2383
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>            Reporter: Daniel Vega
>            Priority: Major
>             Fix For: 5.6-alpha1
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> *Summary*:
> LaxRedirectStrategy in HttpClient 5.5 does not override 
> isRedirectAllowed(), causing unexpected redirect blocking due to 
> inherited sensitive header checks.
> *Description*:
> Starting with HttpClient 5.5, a new check was introduced in 
> RedirectStrategy.isRedirectAllowed(), and implemented in the class 
> DefaultRedirectStrategy, to prevent redirects when requests contain 
> sensitive headers such as Authorization. This is a security-conscious 
> change and makes sense for the default strategy.
> However, LaxRedirectStrategy, which was introduced earlier (in 5.4) 
> to allow more permissive redirection behavior, *inherits* from 
> DefaultRedirectStrategy but does *not override* 
> isRedirectAllowed(). As a result, even when LaxRedirectStrategy 
> is explicitly used in a client, it still respects the stricter logic from 
> DefaultRedirectStrategy when RedirectExec.handleResponse() delegates 
> to isRedirectAllowed().
> This leads to unintuitive behavior: despite choosing a “lax” strategy, 
> redirections are blocked if sensitive headers are present — defeating the 
> purpose of selecting LaxRedirectStrategy to have a more loose (lax) 
> redirect behavior.
> *Proposed Fix*:
> Override isRedirectAllowed() in LaxRedirectStrategy to allow 
> redirection regardless of sensitive headers, aligning with a more intuitive 
> redirection strategy system.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
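The inheritance problem in the issue above, and what the committed fix changes, as an added self-contained model (not HttpClient's own code and not its API): DefaultPolicy, LaxPolicyBeforeFix, LaxPolicyAfterFix, OriginAwareLaxPolicy, isRedirectAllowed and headersForRedirect are stand-in names chosen for this example, and the sample request, hosts and the set of header names treated as sensitive are constructed. A subclass that overrides nothing inherits the strict check, so the "lax" variant blocks exactly like the default; the fix's unconditional true lifts the block, which also means the Authorization header now accompanies the redirected request wherever it goes. The origin-aware variant is an added alternative the issue does not propose: it follows every redirect but drops credential headers when the target is a different origin.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Model of the redirect-policy hierarchy described in HTTPCLIENT-2383.
 * Stand-in classes written for this example; they are not HttpClient's
 * DefaultRedirectStrategy / LaxRedirectStrategy and do not use its API.
 */
public class RedirectPolicyDemo {

    // Header names the model treats as sensitive (assumption; the issue names only Authorization).
    static final Set<String> SENSITIVE = Set.of("authorization", "proxy-authorization", "cookie");

    static boolean hasSensitiveHeader(Map<String, String> headers) {
        for (String name : headers.keySet()) {
            if (SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /** Stand-in for the default strategy: refuse to follow when the request carries sensitive headers. */
    static class DefaultPolicy {
        boolean isRedirectAllowed(URI current, URI target, Map<String, String> headers) {
            return !hasSensitiveHeader(headers);
        }

        /** Headers the model sends on the redirected request; this base model forwards them unchanged. */
        Map<String, String> headersForRedirect(URI current, URI target, Map<String, String> headers) {
            return new LinkedHashMap<>(headers);
        }
    }

    /** The bug: a "lax" subclass that overrides nothing inherits the strict check unchanged. */
    static class LaxPolicyBeforeFix extends DefaultPolicy { }

    /** The committed fix, modelled: the override returns true unconditionally. */
    static class LaxPolicyAfterFix extends DefaultPolicy {
        @Override
        boolean isRedirectAllowed(URI current, URI target, Map<String, String> headers) {
            return true;
        }
    }

    /**
     * Added alternative (not part of the issue or the commit): follow every redirect,
     * but strip credential headers when the redirect leaves the current origin.
     */
    static class OriginAwareLaxPolicy extends LaxPolicyAfterFix {
        @Override
        Map<String, String> headersForRedirect(URI current, URI target, Map<String, String> headers) {
            Map<String, String> out = new LinkedHashMap<>(headers);
            if (!sameOrigin(current, target)) {
                out.keySet().removeIf(n -> SENSITIVE.contains(n.toLowerCase(Locale.ROOT)));
            }
            return out;
        }
    }

    // Origin comparison: scheme, host and effective port (default 443 for https, 80 otherwise).
    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    static void show(String label, DefaultPolicy policy, URI current, URI target, Map<String, String> headers) {
        boolean allowed = policy.isRedirectAllowed(current, target, headers);
        String forwarded = allowed
                ? policy.headersForRedirect(current, target, headers).keySet().toString()
                : "(redirect not followed)";
        System.out.printf("%-18s %s -> %s : allowed=%s, headers forwarded=%s%n",
                label, current.getHost(), target.getHost(), allowed, forwarded);
    }

    public static void main(String[] args) {
        // Constructed sample request: a bearer token plus one ordinary header.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Authorization", "Bearer example-token");
        headers.put("Accept", "application/json");

        // Constructed hosts: one same-origin redirect target, one on a different host.
        URI current = URI.create("https://api.example.test/resource");
        URI sameHost = URI.create("https://api.example.test/resource/v2");
        URI otherHost = URI.create("https://cdn.example.test/resource");

        for (URI target : new URI[] { sameHost, otherHost }) {
            show("default", new DefaultPolicy(), current, target, headers);
            show("lax (before fix)", new LaxPolicyBeforeFix(), current, target, headers);
            show("lax (after fix)", new LaxPolicyAfterFix(), current, target, headers);
            show("lax, origin-aware", new OriginAwareLaxPolicy(), current, target, headers);
        }
    }
}
```

Compile and run with `javac RedirectPolicyDemo.java && java RedirectPolicyDemo`. The two rows for the pre-fix lax policy show the symptom the reporter describes (the redirect is not followed even though a lax policy was chosen); the post-fix rows show the redirect followed with Authorization forwarded to both hosts, which is the trade-off anyone switching to the permissive strategy should weigh; the origin-aware rows show one way to keep the permissive behaviour without carrying credentials across origins.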
