[HTTPCLIENT-2271] Do not optimize relative redirect location - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 5.2.1
Fix Version/s: 5.2.2, 5.3-alpha1
Component/s: None
Labels:
None
Environment:
httpclient5, version 5.1.2
httpcore5, version 5.1.2
javax.servlet-api, version 3.1.0

Description

If an http response has an URI in the Location header, which contains special symbols - semi-colon ( ; ) and equal sign (=), the URI parser of the underlaying URI builder encodes these symbols to %3B and %3D. Then the redirect will be performed using the encoded URI.

Real Use Case where the issue is detected with httpcomonents updated from version 4 to 5: SAML Artifact binding in an IDP initiated SSO communication.

A simple simulation program is attached to demonstrate the problem.

Test Case: There is a servlet and a client application.
1. The client application sends an HTTP GET request to the servlet with URI "http://localhost:8080/test/welcome"

2. The servlet receives the request and sends a redirect response with a relative location - /test/httpclient4/welcomeHttpClient

2.1. Before sending the response the redirect URL is encoded (by calling the method HttpServletResponse.encodeRedirectURL(String location)).

2.2.The latter method adds jsessionid at the end of the new location in accordance to the Java Servlet Specification, section 7.1.3 - URL Rewriting.
As a result, the redirect location becomes similar to /test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F
3. When the response is received the httpclient parses the new location and encodes it to:
http://localhost:8080/test/httpclient/welcomeHttpClient%3Bjsessionid%3DFD86C2C971F595C8459028D585BCF26F

This is an issue, because the latter URL is redirected at the end with %3Bjsessionid%3DFD86C2C971F595C8459028D585BCF26F (i.e. no such endpoint exists). Also jsessionid is not recognized as a path parameter.
The expected redirect URL is without encoded semi-colon and equal sign : http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F

Remarks:

If the servlet redirects a full URI instead of a relative URI (for example,
http://localhost:8080/test/httpclient/welcomeHttpClient;jsessionid=FD86C2C971F595C8459028D585BCF26F, then the httpclient response is properly parsed and the redirect URL has no encoded semi-colon and equal sign characters.
If http client 4.5.5 and httpcore 4.4.9 are used, then the described issue is not present.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Simulation.zip
26/Apr/23 12:29
184 kB
Krasimir Malchev

Issue Links

links to

Reference

Activity

People

Assignee:: Unassigned

Reporter:: Krasimir Malchev

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 26/Apr/23 12:02

Updated:: 24/Jun/23 21:40

Resolved:: 27/Apr/23 14:25