What is the current bug behavior?
When doing a redirection, Hurl uses the Location header, which can either be a relative URL or an absolute URL.
However, the function to compute the redirect URL is wrong: it assumes only strings starting with / are relative URLs.

Steps to reproduce
A GET / request to an OpenObserve instance returns a response with status code 307 and Location: ./web/. Hurl catches this as an "absolute URL" and then fails to resolve the domain name "." (obviously).
But we could imagine other cases:
- a GET /foo could return a Location: ../bar
- a GET / (via http) could return a Location: https://... (why not ftp://, or gopher://, those are valid URLs as well)
- the Location URL could also be //hostname/path (scheme relative URL).

What is the expected correct behavior?
If we take the initial absolute URL of the request, and join it with the value of the Location header, we should get the absolute redirect URL.

Execution context
hurl --version: 4.3.0

Possible fixes
Related function: hurl/packages/hurl/src/http/client.rs, lines 773 to 780 in 9ec4d06
Example of using the crate url to join the Location header: https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=89982618796837fd896caa33eb45d1bb

Thanks a lot for the detailed report @linkdd, the current code to deal with URL redirections was overly naive!
We've improved it with a proper Url struct (a wrapper on the url crate); your snippets have helped a lot!
Would you be kind enough to test the new version once the PR has been merged (if you can, of course)?
Thanks,
(a small note: I've kept some logic for rejecting schemes other than http/https. I'll discuss with the other maintainers to see if we keep it)
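The resolution discussed in this thread, as an added example that is not part of the thread or of Hurl's code base: it joins the request URL with a Location value using a simplified form of RFC 3986 reference resolution built on the standard library only, then applies the http/https restriction mentioned in the reply. The function names and the example.org host are assumptions made for this example; an absolute Location is returned unchanged and the query and fragment of the request URL are dropped.

```rust
// Added example, not Hurl's code: std-only, simplified RFC 3986 reference resolution.
/// Collapse "." and ".." segments of an absolute path.
fn remove_dot_segments(path: &str) -> String {
    let mut out: Vec<&str> = Vec::new();
    for seg in path.split('/').skip(1) {
        if seg == ".." { out.pop(); } else if seg != "." { out.push(seg); }
    }
    // A path ending in "." or ".." names a directory: keep the trailing slash.
    if path.ends_with("/.") || path.ends_with("/..") { out.push(""); }
    format!("/{}", out.join("/"))
}

/// Join the absolute http(s) request URL with a Location value; only http/https targets pass.
fn resolve_location(base: &str, location: &str) -> Result<String, String> {
    let (scheme, rest) = base.split_once("://").ok_or("base URL must be absolute")?;
    let end = rest.find(['/', '?', '#']).unwrap_or(rest.len());
    let (authority, tail) = rest.split_at(end);
    let base_path = tail.split(['?', '#']).next().unwrap_or("");
    // Absolute only when a syntactically valid scheme precedes the first ':'.
    let has_scheme = location.split_once(':').map_or(false, |(s, _)| {
        s.starts_with(|c: char| c.is_ascii_alphabetic())
            && s.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c))
    });
    let target = if has_scheme {
        location.to_string()
    } else if location.starts_with("//") {
        format!("{scheme}:{location}") // scheme-relative: reuse the request's scheme
    } else {
        let cut = location.find(['?', '#']).unwrap_or(location.len());
        let (ref_path, suffix) = location.split_at(cut);
        let merged = if ref_path.starts_with('/') {
            ref_path.to_string()
        } else {
            // Relative path: merge with the base path up to its last '/'.
            let dir = base_path.rfind('/').map_or("/", |i| &base_path[..=i]);
            format!("{dir}{ref_path}")
        };
        format!("{scheme}://{authority}{}{suffix}", remove_dot_segments(&merged))
    };
    let target_scheme = target.split(':').next().unwrap_or("").to_ascii_lowercase();
    match target_scheme.as_str() {
        "http" | "https" => Ok(target),
        other => Err(format!("redirect to unsupported scheme: {other}")),
    }
}

fn main() {
    println!("{:?}", resolve_location("http://example.org/", "./web/")); // constructed host
}
```

In a real client the url crate's `Url::join`, as suggested in the report, covers the cases this simplified resolver leaves out.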