|
|
Posted by Andy Hassall on 11/12/06 17:53
On Sat, 11 Nov 2006 22:31:23 -0500, Jerry Stuckle <jstucklex@attglobal.net>
wrote:
>Michael Fesser wrote:
>> .oO(Jerry Stuckle)
>>
>>>And there isn't a browser currently made which doesn't understand the
>>>relative URI here.
>>
>> Browsers are not the only user agents. It's impossible to test them all,
>> so you can't be sure that all of them will handle a relative redirect
>> with a query string correctly. Some of them even show a warning (Lynx
>> for example).
>
>True, some are better than others. But can you name one http agent
>which doesn't understand relative URI's?
[for context: in Location response headers]
If you search Google, you will find several references where HTTP client
libraries in various languages fail when they encounter invalid Location
headers, and some other cases where there are issues with the code added to
work around the invalid Location headers - and so it goes on.
For example, cURL has the following comments:
if(2 != sscanf(newurl, "%15[^?&/:]://%c", prot, &letter)) {
/***
*DANG* this is an RFC 2068 violation. The URL is supposed
to be absolute and this doesn't seem to be that!
***
Instead, we have to TRY to append this new path to the old URL
to the right of the host part. Oh crap, this is doomed to cause
problems in the future...
*/
Followed by 93 lines of trying to sort the mess out.
PHP 4.3.0 apparently core dumped in some situations with relative Location
headers (bug#22283). There was also bug #21267, in CVS the comment on the
changed file was "opening URLs that result in redirection to a relative path
was failing".
The minefield can be avoided by following the spec, or you can hope that all
HTTP client library developers have heard of this issue and have added bug-free
code and that their expectation of what to do in this unspecified case is
consistent with other implementations.
Back in the real world, here's an example, let's call it redirect.php:
<?php
if (isset($_GET['value']))
{
print $_GET['value'];
}
else
{
header('Location: ?value=test');
}
?>
Let's say that's on http://example.com/redirect.php
Access it with Firefox 2.0, IE 7 and Opera 9.02 and you get redirected to:
http://example.com/redirect.php?value=test
Access it with cURL 7.14.0, Lynx 2.8.5 and it takes you to:
http://example.com/?value=test
Access it using PHP 5.2.0's HTTP fopen wrapper and it takes you to:
http://example.com//?value=test
(complete with weird double slash).
I wasn't trying very hard to find a case that would produce inconsistent
results, and I found one straight off. That's enough of an indication of the
can of worms that is opened by not following the standards to continue to
always insist that you always write absolute Location headers.
--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Navigation:
[Reply to this message]
|