[
https://issues.apache.org/jira/browse/HTTPCLIENT-2383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18007555#comment-18007555
]
ASF subversion and git services commented on HTTPCLIENT-2383:
-------------------------------------------------------------
Commit e907ae0ba71753b4e6941326245d7cfeb7c10cab in httpcomponents-client's
branch refs/heads/master from Arturo Bernal
[ https://gitbox.apache.org/repos/asf?p=httpcomponents-client.git;h=e907ae0ba ]
HTTPCLIENT-2383 Bypass sensitive-header check in LaxRedirectStrategy (#676)
* HTTPCLIENT-2383 Bypass sensitive-header check in LaxRedirectStrategy.
Override isRedirectAllowed(...) to always return true, ensuring
LaxRedirectStrategy follows redirects regardless of Authorization or other
sensitive headers.
* [HTTPCLIENT-2383] Make LaxRedirectStrategy to allow redirects if sensitive
headers are part of the request
---------
Co-authored-by: Daniel VEGA <[email protected]>
> LaxRedirectStrategy unintentionally blocks redirects due to inherited
> sensitive header check
> --------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-2383
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2383
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Reporter: Daniel Vega
> Priority: Major
> Fix For: 5.6-alpha1
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> {*}Summary{*}:
> {{LaxRedirectStrategy}} in HttpClient 5.5 does not override
> {{{}isRedirectAllowed(){}}}, causing unexpected redirect blocking due to
> inherited sensitive header checks.
> {*}Description{*}:
> Starting with HttpClient 5.5, a new check was introduced in
> {{{}RedirectStrategy.isRedirectAllowed(){}}}, and implemented in the class
> {{{}DefaultRedirectStrategy{}}}, to prevent redirects when requests contain
> sensitive headers such as {{{}Authorization{}}}. This is a security-conscious
> change and makes sense for the default strategy.
> However, {{{}LaxRedirectStrategy{}}}, which was introduced earlier (in 5.4)
> to allow more permissive redirection behavior, *inherits* from
> {{DefaultRedirectStrategy}} but does *not override*
> {{{}isRedirectAllowed(){}}}. As a result, even when {{LaxRedirectStrategy}}
> is explicitly used in a client, it still respects the stricter logic from
> {{DefaultRedirectStrategy}} when {{RedirectExec.handleResponse()}} delegates
> to {{{}isRedirectAllowed(){}}}.
> This leads to unintuitive behavior: despite choosing a “lax” strategy,
> redirections are blocked if sensitive headers are present — defeating the
> purpose of selecting {{LaxRedirectStrategy}} to have a more loose (lax)
> redirect behavior.
> {*}Proposed Fix{*}:
> Override {{isRedirectAllowed()}} in {{LaxRedirectStrategy}} to allow
> redirection regardless of sensitive headers, aligning with a more intuitive
> redirection strategy system.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
