Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relative location headers are "fixed" as if they are relative to root instead of the current url #693

Closed
boblehest opened this issue Feb 16, 2015 · 7 comments · Fixed by #1315
Closed

Relative location headers are "fixed" as if they are relative to root instead of the current url #693

boblehest opened this issue Feb 16, 2015 · 7 comments · Fixed by #1315
Labels
standards
Milestone
0.15

Comments

@boblehest
Copy link
Contributor

https://github.com/mitsuhiko/werkzeug/blob/542b2e95d4e39ed8f0ec186b88eb20ff70544168/werkzeug/wrappers.py#L1129

When the location header points to a relative address, werkzeug grabs the root of the url, which for example.com/a/b/c/d/e turns into example.com, and then adds the relative location on top, which doesn't turn out well.

Why not use the full url when correcting it? In my case if I get redirected from example.com/path/to/file to ../abc, I'd want to end up at example.com/path/abc instead of example.com/abc.
@untitaker
Copy link
Contributor

The location header can't be relative, as per RFC 2616:

The Location response-header field is used to redirect the recipient to a location other than the Request-URI for completion of the request or identification of a new resource. For 201 (Created) responses, the Location is that of the new resource which was created by the request. For 3xx responses, the location SHOULD indicate the server's preferred URI for automatic redirection to the resource. The field value consists of a single absolute URI.

@untitaker
Copy link
Contributor

I'd accept patches that change the behavior (since it'd still be RFC-compliant, just more tolerant) as long as there are no performance penalties.

@boblehest
Copy link
Contributor Author

Edit: PR #718

Edit: Aww, github deleted my entire comment when I clicked "edit", what a cool feature. Quick rehash: As you can see in the PR, it appears (to me) to be a really simple fix, unless there's something I'm missing.

@untitaker
Copy link
Contributor

Your original comment I recieved via mail:

Yeah, I know it can't be relative. I've set up a proxy server for an internal http server, and unfortunately it doesn't honor the spec.

The problem is that I think the corrected location should be relative to the "working directory", which it currently isn't.

The fix appears to be really simple, unless I'm missing something (for the record, this is nowhere near my area of expertise).

PR coming up.

@mjpieters
Copy link

RFC 7231 changed the Location requirements, see section 7.1.2:

The field value consists of a single URI-reference. When it has the
form of a relative reference ([RFC3986], Section 4.2), the final
value is computed by resolving it against the effective request URI
([RFC3986], Section 5).

As such, the location header does not have to be absolute anymore. Werkzeug may choose to remain conservative in this (and require you to set BaseResponse.autocorrect_location_header to False explicitly).

@davidism davidism mentioned this issue May 28, 2018
Closed
@davidism davidism added this to the 0.15 milestone May 28, 2018
@davidism davidism mentioned this issue May 28, 2018
Merged
@davidism
Copy link
Member

davidism commented May 28, 2018
edited
Loading

For reference, even after the PR, the header will still end up with an absolute path, it's just that relative paths will be relative to the current path instead of the root path. If you actually want a relative URL in the header, disable autocorrect_location_header.

@arikfr arikfr mentioned this issue Oct 23, 2019
Merged
1 task
@meghabh
Copy link

meghabh commented Dec 3, 2019

How can I still use the root url, instead of current path . Is it by setting up autocorrect_location_header to flase ?

adityahase added a commit to adityahase/frappe that referenced this issue Jul 29, 2020
@adityahase
fix(response): Allow relative urls in HTTP Location header
ca56620 
References:
https://werkzeug.palletsprojects.com/en/1.0.x/wrappers/#werkzeug.wrappers.BaseResponse.autocorrect_location_header
https://github.com/pallets/werkzeug/blob/0.16.x/src/werkzeug/wrappers/base_response.py#L603-L607
pallets/werkzeug#109
pallets/werkzeug#693
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
standards
Projects
None yet
Milestone
0.15
Development

Successfully merging a pull request may close this issue.

Relative Location is relative to current path instead of root pallets/werkzeug
5 participants
@mjpieters @boblehest @untitaker @davidism @meghabh