/redirect-to POST, added support for url/status_code in form-data #482
Conversation
|
Since this Pull Request originated from a forked repository, Now cannot deploy it as there are potential security risks. If you are a collaborator on this repository, consider making this Pull Request from a branch on the same repository instead of a fork. |
|
Shouldn't /redirect-to only use the method in the http header GET or POST and look only in the correct place?
|
Please consider supplying an RFC or spec-reference for what might be incorrect here. I don't believe there is anything wrong with supplying query-string parameters to a Sure, form-data appears in the
Again, I don't think there's anything necessarily erroneous about a) query-strings in form actions or b) -- The debate here I think is about how flexible |
|
HTTP/1.1 spec: https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html In example headers, it's poor form to include query string on a POST method because it will be ignored at best. https://www.w3schools.com/tags/ref_httpmethods.asp I'd say that using URL query string in a POST is unneeded code that's confusing to maintain and supports improper support of a POST with URL. i.e. switch on request method for where to look for parms. |
|
According to https://tools.ietf.org/html/rfc7230 :
And I can't see anything in https://tools.ietf.org/html/rfc7231 that forbids a query for So I think it comes down to how the application wants to interpret any query in the resource URI, right? Perhaps you are saying that it is improper or unconventional to interpret this way. But is it no-good according to specs - I'm not seeing it, please provide references. |
|
Brett, specs will not be cluttered with every possibility that should NOT be done. Agreed? Note the GET spec in first sentence states: There is no mention in GET of retrieving or not retrieving anywhere else, therefore anywhere but URI line is ignored. Thus the same for POST spec, we read from the body, as spec'd, and ignore anywhere else. |
|
@eturk1 better to refer to the newer RFCs which obsolete RFC2616, especially RFC7230 and RFC7231.
Sorry, I can't agree in this case. The specs provide a very clear BNF of what types of requests are allowed for each verb, and that is the "word" so-to-speak. If it's valid according to the BNF of the protocol, it's valid. There's no wording to suggest anything about this being disallowed or even not-recommended. Claiming it should not be done according to some supposed convention is an overreach. And I think you will find RFC3875 CGI mandates that they be allowed. Golang found that they weren't processing the query-string for POST in their API, and fixed a bug - see their bug 985. There's significant other commentary on the web about query-string being allowed for POST. Can you reference some reliable commentary that they are always invalid or ignorable? |
|
I suggest we get a third person familiar with http spec to comment. :) I just don't anywhere reading the query on a POST method in the request.
Let's look at an objective source. Are you saying the lede here is wrong and needs to be corrected? Would now binary data, passwords, etc. be passed on query to POST request or only text? |
|
I'd like to suggest that you stop focusing on trying to show that Also drawing attention to the fact that the reason the change failed is that it failed a unit test when it stopped listening to the query-string ... making your suggestion a non-backward-compatible change, one that developers might already rely on in their test-suites.
Sure, bring who you like.
It's in the BNF I quoted earlier. Not about reading it, which is application-specific, but about it being allowed and valid.
With all respect, it is descending into silly when a) quote the RFCs, b) don't like what they say, c) define Wikipedia as the objective source (presumably of truth).
It's not absent, it is there, please read the (newest!) RFCs again. I'm not sure what you mean by it's ignored by servers. Do you mean HTTP servers, CGI Gateways, or applications (all of them) which run there? You should know that in the CGI spec and implementations, I really do think that you have mixed-up the query string and the post body here, because of the way RFC3875:
|
|
don't think I can change an issue status to open |
javabrett
force-pushed
the
redirect-to-post-form-data
branch
2 times, most recently
from
e648967
to
1926d90
Compare
javabrett
force-pushed
the
redirect-to-post-form-data
branch
from
1926d90
to
8c75ef1
Compare
…stmanlabs#476. url (required) and status_code can still appear in the query-string for GET or POST, but for POST/PATCH/PUT if they appear in the body form-data then the values from there are used in-favour of any in the query-string. Added tests. Signed-off-by: Brett Randall <javabrett@gmail.com>
javabrett
force-pushed
the
redirect-to-post-form-data
branch
from
8c75ef1
to
8cb6b13
Compare
Here's a further fix for
/redirect-toPOSTsupport as discussed in #476. The previous change allowedPOSTto sendurlandstatus_codein form-data, but broke query-string support for same (a-laGET)url(required) andstatus_codecan now still appear in the query-string for GET or POST, but for POST/PATCH/PUT if they appear in the body form-data then the values from there are used in-favour of any in the query-string. This allows testing "traditional"POSTwith a form payload./cc #476 @eturk1