Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #5029 Relative Redirection #5038

Merged
merged 3 commits into from
Jul 15, 2020

Conversation

gregw
Copy link
Contributor

@gregw gregw commented Jul 9, 2020

Provide option to allow relative redirection.

Provide option to allow relative redirection
@gregw gregw requested a review from sbordet July 9, 2020 12:36
Copy link
Contributor

@sbordet sbordet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I think we should have this option, I think we also need to allow configuration of a fixed authority - may be done in another PR, but feels it belongs to #5029.

@@ -74,6 +74,7 @@
<Set name="requestCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.requestCookieCompliance" deprecated="jetty.httpConfig.cookieCompliance" default="RFC6265"/></Arg></Call></Set>
<Set name="responseCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.responseCookieCompliance" default="RFC6265"/></Arg></Call></Set>
<Set name="multiPartFormDataCompliance"><Call class="org.eclipse.jetty.server.MultiPartFormDataCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.multiPartFormDataCompliance" default="RFC7578"/></Arg></Call></Set>
<Set name="relativeRedirectionAllowed"><Property name="jetty.httpConfig.relativeRedirectionAllowed" default="false"/></Set>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the name.
It's not whether relative redirects are allowed or not.
It's about whether we generate relative redirects or not.
generateRelativeRedirects?
useRelativeRedirects?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the existing releases, If the application uses ...

response.sendRedirect("/alt/path"); // becomes an absolute-uri
response.sendRedirect("www.machine.com/alt/path"); // becomes an absolute-uri by adding scheme
response.sendRedirect("https://www.machine.com/alt/path"); // stays an absolute-uri

With this change, the default is false, which preserves the behavior.

If they set it to true, then the following happens ...

response.sendRedirect("/alt/path"); // no change to whats added, it is sent as `Location: /alt/path`
response.sendRedirect("www.machine.com/alt/path"); // no change to whats added, it is sent as `Location: www.machine.com/alt/path`
response.sendRedirect("https://www.machine.com/alt/path"); // no change to whats added, it is sent as `Location: https://www.machine.com/alt/path`

Perhaps the name should indicate that Jetty, by default, ensures that the Location header is an absolute-uri, but if we change this configuration, it takes the Location as-is.

ensureAbsoluteUriLocation with a default of true?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The behaviour is definitely an 'Allow', as it just decides if a passed relative location can be allowed to remain relative.
It could be inverted to an ensure (or enforce?) but then isEnsureAbsoluteUriLocation is both a mouthful and doesn't scan.

After chatting to @sbordet online, I have renamed to relativeRedirectAllowed... but I could be pushed to allowRelativeRedirect if we can stomach isAllowRelativeRedirect ?

@sbordet
Copy link
Contributor

sbordet commented Jul 10, 2020

@gregw also, are we sure that http to https redirection works fine when this new option is configured to emit relative redirects?

@gregw
Copy link
Contributor Author

gregw commented Jul 15, 2020

@gregw gregw requested a review from sbordet July 15, 2020 09:00
@gregw gregw merged commit 5c1dda3 into jetty-9.4.x Jul 15, 2020
@gregw gregw deleted the jetty-9.4.x-5029-relativeRedirection branch July 15, 2020 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Open redirect when sending custom Host header to URL with no trailing forward-slash
3 participants