Multiple location headers allowed

[jstasiak]

I did this

I fetched a URL where the server responded with multiple location headers.

I expected the following

I expected curl to reject a response with multiple location headers and (when used with -L) not to follow any redirects.

This is a soft bug report (I'm leaning towards considering it a bug but it's not exactly obvious and reasonable people may disagree).

13 years ago a patch was added to ignore location headers other than the first one[1].

I just bumped into this subject a few days ago and did some digging, the browsers I tried so far (Firefox, Safari, Brave) reject HTTP responses with multiple location headers.

It feels to me this unnecessarily creates an opportunity for mistakes to happen (one piece of software picks one location header, another picks a different one, there can even be some security consequences associated with that) so I thought I'd raise this topic.

[1] dbcaa00 ("HTTP: memory leak on multiple Location:")

curl/libcurl version

curl 8.16.0
also the current master branch

operating system

N/A

[bagder]

reject HTTP responses with multiple location headers

Is this also true if a second header is identical to the first?

[bagder]

Is #19134 what you have in mind?

[jstasiak]

reject HTTP responses with multiple location headers

Is this also true if a second header is identical to the first?

Yeah good question. Here's a Python program I used to test this:

#!/usr/bin/env python3
#
import socket
import sys

if __name__ == '__main__':
    locations = sys.argv[1:]
    assert len(locations) >= 2, locations

    location_headers = '\n'.join(f'Location: {location}' for location in locations)

    response_to_serve = f"""HTTP/1.1 301 Moved Permanently
Content-Length: 0
{location_headers}

""".replace('\n', '\r\n').encode()
    print(response_to_serve)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('localhost', 8000))
    sock.listen(10)

    while True:
        conn, _addr = sock.accept()
        conn.sendall(response_to_serve)
        conn.close()

• Same location: python3 multilocation.py http://asdqwe/foo http://asdqwe/foo
• Different locations: python3 multilocation.py http://asdqwe/foo http://asdqwe/bar

Browser	Same location	Different locations
Firefox 144.0	Redirect to http://asdqwe/foo	Error
Brave 1.83.118	Redirect to http://asdqwe/foo	Error
Safari 18.3 (not the latest!)	Weird redirect to http://asdqwe/foo,%20http://asdqwe/foo (?)	Error
Chrome 141.0.7390.108	Redirect to http://asdqwe/foo	Error

I did some digging and this is what "RFC 9110 HTTP Semantics" says (https://www.rfc-editor.org/rfc/rfc9110.html#name-location):

The field value consists of a single URI-reference.

and then

If an invalid message is sent with multiple Location field lines, a recipient along the path might combine those field lines into one value. Recovery of a valid Location field value from that situation is difficult and not interoperable across implementations.

So there's that.

Is #19134 what you have in mind?

Yup, it looks good to me.

[bagder]

I've tweaked the PR to accept another Location if it contains the exact same value.

[jstasiak]

That sounds fair, if they're the same I don't see much reason to reject them either.

[jstasiak]

Thank you @bagder.