[ https://issues.apache.org/jira/browse/HTTPCLIENT-2383?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arturo Bernal closed HTTPCLIENT-2383.
-------------------------------------

> LaxRedirectStrategy unintentionally blocks redirects due to inherited
> sensitive header check
> --------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2383
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2383
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>            Reporter: Daniel Vega
>            Priority: Major
>             Fix For: 5.6-alpha1
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> {*}Summary{*}:
> {{LaxRedirectStrategy}} in HttpClient 5.5 does not override
> {{isRedirectAllowed()}}, causing unexpected redirect blocking due to
> inherited sensitive header checks.
>
> {*}Description{*}:
> Starting with HttpClient 5.5, a new check was introduced in
> {{RedirectStrategy.isRedirectAllowed()}}, and implemented in the class
> {{DefaultRedirectStrategy}}, to prevent redirects when requests contain
> sensitive headers such as {{Authorization}}. This is a security-conscious
> change and makes sense for the default strategy.
>
> However, {{LaxRedirectStrategy}}, which was introduced earlier (in 5.4)
> to allow more permissive redirection behavior, *inherits* from
> {{DefaultRedirectStrategy}} but does *not override*
> {{isRedirectAllowed()}}. As a result, even when {{LaxRedirectStrategy}}
> is explicitly used in a client, it still respects the stricter logic from
> {{DefaultRedirectStrategy}} when {{RedirectExec.handleResponse()}} delegates
> to {{isRedirectAllowed()}}.
>
> This leads to unintuitive behavior: despite choosing a “lax” strategy,
> redirections are blocked if sensitive headers are present — defeating the
> purpose of selecting {{LaxRedirectStrategy}} to have a looser (lax)
> redirect behavior.
>
> {*}Proposed Fix{*}:
> Override {{isRedirectAllowed()}} in {{LaxRedirectStrategy}} to allow
> redirection regardless of sensitive headers, aligning with a more intuitive
> redirection strategy system.
-- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For additional commands, e-mail: dev-h...@hc.apache.org
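An added example, not part of the ticket or of HttpClient's own code: a hypothetical AllowlistRedirectStrategy that extends DefaultRedirectStrategy and overrides isRedirectAllowed(), the method the ticket says LaxRedirectStrategy inherits unchanged. Rather than returning true unconditionally (which would forward Authorization and Cookie headers to whatever host a 3xx Location points at, the credential leak the 5.5 check exists to prevent), it permits sensitive-header redirects only to an explicit allowlist of hosts and otherwise defers to the inherited check. It assumes the 5.5 signature isRedirectAllowed(HttpHost currentTarget, HttpHost newTarget, HttpRequest redirect, HttpContext context), the org.apache.hc.client5.http.impl and org.apache.hc.core5 packages of HttpClient 5.5 / HttpCore 5.x, and constructed host names under example.test; the main method exercises the check offline without opening a connection.

```java
import java.io.IOException;
import java.util.Set;

import org.apache.hc.client5.http.impl.DefaultRedirectStrategy;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.HttpRequest;
import org.apache.hc.core5.http.message.BasicHttpRequest;
import org.apache.hc.core5.http.protocol.BasicHttpContext;
import org.apache.hc.core5.http.protocol.HttpContext;

/**
 * Hypothetical strategy (assumption: not part of HttpClient). It overrides the
 * isRedirectAllowed() check that LaxRedirectStrategy inherits from
 * DefaultRedirectStrategy, but only relaxes it for an explicit set of hosts.
 * Assumes the HttpClient 5.5 signature of isRedirectAllowed().
 */
public final class AllowlistRedirectStrategy extends DefaultRedirectStrategy {

    /** Hosts that may receive redirected requests even when they carry sensitive headers. */
    private final Set<HttpHost> trustedTargets;

    public AllowlistRedirectStrategy(final Set<HttpHost> trustedTargets) {
        this.trustedTargets = Set.copyOf(trustedTargets);
    }

    @Override
    public boolean isRedirectAllowed(
            final HttpHost currentTarget,
            final HttpHost newTarget,
            final HttpRequest redirect,
            final HttpContext context) {
        // Allowlisted target: follow the redirect regardless of sensitive headers.
        // HttpHost.equals() compares scheme, host name and port, so the match is exact.
        if (trustedTargets.contains(newTarget)) {
            return true;
        }
        // Any other target: keep the inherited DefaultRedirectStrategy check, which is
        // what refuses to forward Authorization/Cookie headers to a different host.
        return super.isRedirectAllowed(currentTarget, newTarget, redirect, context);
    }

    /** Offline demonstration: call the check directly with constructed hosts and requests. */
    public static void main(final String[] args) throws IOException {
        // Constructed sample hosts; nothing is contacted.
        final HttpHost origin = new HttpHost("https", "api.example.test", 443);
        final HttpHost trusted = new HttpHost("https", "auth.example.test", 443);
        final HttpHost untrusted = new HttpHost("https", "other.example.test", 443);

        final AllowlistRedirectStrategy strategy = new AllowlistRedirectStrategy(Set.of(trusted));
        final HttpContext context = new BasicHttpContext();

        // A redirected request that still carries a bearer token (constructed value).
        final HttpRequest withAuth = new BasicHttpRequest("GET", "/resource");
        withAuth.addHeader(HttpHeaders.AUTHORIZATION, "Bearer constructed-token");

        // A redirected request with no sensitive headers at all.
        final HttpRequest plain = new BasicHttpRequest("GET", "/resource");

        System.out.println("same host, Authorization present:        "
                + strategy.isRedirectAllowed(origin, origin, withAuth, context));
        System.out.println("allowlisted host, Authorization present: "
                + strategy.isRedirectAllowed(origin, trusted, withAuth, context));
        System.out.println("other host, Authorization present:       "
                + strategy.isRedirectAllowed(origin, untrusted, withAuth, context));
        System.out.println("other host, no sensitive headers:        "
                + strategy.isRedirectAllowed(origin, untrusted, plain, context));

        // Wiring the strategy into a client: RedirectExec consults
        // isRedirectAllowed() on every redirect response it is about to follow.
        try (CloseableHttpClient client = HttpClients.custom()
                .setRedirectStrategy(strategy)
                .build()) {
            // client.execute(...) would now follow redirects under the policy above.
        }
    }
}
```

The point of deferring to super rather than hard-coding the 5.4 behaviour is that the "lax" part stays scoped: redirects that carry no sensitive headers are unaffected by the inherited check, and a 3xx from a compromised or misconfigured endpoint cannot bounce an Authorization header to an arbitrary third party. If you do adopt the ticket's proposed fix (LaxRedirectStrategy returning true unconditionally once 5.6 ships), treat choosing that strategy as an explicit decision to forward credentials cross-host, and prefer a scoped override like this one where the set of legitimate redirect targets is known.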