Issue #11014 - Cleanup of relative redirect handling Jetty-12 #11019
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
+ Handle request relative redirects + Moved to Response + Changed default to allow relative
+ Handle request relative redirects + Moved to Response + Changed default to allow relative
gregw
changed the title
+ Handle request relative redirects + Moved to Response + Changed default to allow relative
+ Handle request relative redirects + Moved to Response + Changed default to allow relative
joakime
changed the title
gregw
changed the title
+ Handle request relative redirects + Moved to Response + Changed default to allow relative
+ Handle request relative redirects + Moved to Response + Changed default to allow relative
joakime
changed the title
joakime
reviewed
Dec 5, 2023
| @@ -76,7 +76,7 @@ public class HttpConfiguration implements Dumpable | |||
| private CookieCompliance _requestCookieCompliance = CookieCompliance.RFC6265; | |||
| private CookieCompliance _responseCookieCompliance = CookieCompliance.RFC6265; | |||
| private boolean _notifyRemoteAsyncErrors = true; | |||
| private boolean _relativeRedirectAllowed; | |||
| private boolean _relativeRedirectAllowed = true; | |||
There was a problem hiding this comment.
(for other reviewers) This changes the default to always use relative redirects (path only).
Prior versions of Jetty would try to always use absolute URIs.
There was a problem hiding this comment.
I don't mind the default behavior change, but maybe it should be justified with a comment?
joakime
previously approved these changes
Dec 5, 2023
sbordet
requested changes
Dec 5, 2023
Comment on lines
+615
to
+618
| @Deprecated | ||
| static String toRedirectURI(Request request, String location) | ||
| { | ||
| if (!URIUtil.hasScheme(location) && !request.getConnectionMetaData().getHttpConfiguration().isRelativeRedirectAllowed()) | ||
| { | ||
| StringBuilder url = new StringBuilder(128); | ||
| HttpURI uri = request.getHttpURI(); | ||
| URIUtil.appendSchemeHostPort(url, uri.getScheme(), Request.getServerName(request), Request.getServerPort(request)); | ||
|
|
||
| if (location.startsWith("/")) | ||
| { | ||
| // absolute in context | ||
| location = URIUtil.normalizePathQuery(location); | ||
| } | ||
| else | ||
| { | ||
| // relative to request | ||
| String path = uri.getPath(); | ||
| String parent = (path.endsWith("/")) ? path : URIUtil.parentPath(path); | ||
| location = URIUtil.normalizePathQuery(URIUtil.addEncodedPaths(parent, location)); | ||
| if (location != null && !location.startsWith("/")) | ||
| url.append('/'); | ||
| } | ||
|
|
||
| if (location == null) | ||
| throw new IllegalStateException("redirect path cannot be above root"); | ||
| url.append(location); | ||
|
|
||
| location = url.toString(); | ||
| } | ||
| // TODO do we need to do request relative without scheme? | ||
|
|
||
| return location; | ||
| return Response.toRedirectURI(request, location); |
There was a problem hiding this comment.
I would have left the original code, and not moved it to Response.
The response is never used in the implementation, and enforces that in order to build a redirect URI, you need a Request (not a Response).
There was a problem hiding this comment.
@sbordet, Sending a redirect is a response function and it naturally lives next to the sendRedirect methods. Plus we often pass the request and the response into these static methods e.g. Response.sendRedirect(Request, Response, Callback, location)
jetty-core/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java
Show resolved
Hide resolved
lorban
approved these changes
Dec 6, 2023
| @@ -76,7 +76,7 @@ public class HttpConfiguration implements Dumpable | |||
| private CookieCompliance _requestCookieCompliance = CookieCompliance.RFC6265; | |||
| private CookieCompliance _responseCookieCompliance = CookieCompliance.RFC6265; | |||
| private boolean _notifyRemoteAsyncErrors = true; | |||
| private boolean _relativeRedirectAllowed; | |||
| private boolean _relativeRedirectAllowed = true; | |||
There was a problem hiding this comment.
I don't mind the default behavior change, but maybe it should be justified with a comment?
joakime
approved these changes
Dec 6, 2023
sbordet
approved these changes
Dec 6, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #11014