Skip to content
This repository has been archived by the owner on Jan 23, 2023. It is now read-only.
/ corefx Public archive

Fix fragment handling in HttpClient #27360

Merged
merged 2 commits into from
Feb 22, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -278,7 +278,7 @@ public async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, Can
await WriteAsciiStringAsync(request.RequestUri.IdnHost).ConfigureAwait(false);
}

await WriteStringAsync(request.RequestUri.PathAndQuery).ConfigureAwait(false);
await WriteStringAsync(request.RequestUri.GetComponents(UriComponents.PathAndQuery | UriComponents.Fragment, UriFormat.UriEscaped)).ConfigureAwait(false);

// Fall back to 1.1 for all versions other than 1.0
Debug.Assert(request.Version.Major >= 0 && request.Version.Minor >= 0); // guaranteed by Version class
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -81,17 +81,30 @@ private Uri GetUriForRedirect(Uri requestUri, HttpResponseMessage response)
return null;
}

// Ensure the redirect location is an absolute URI.
if (!location.IsAbsoluteUri)
{
location = new Uri(requestUri, location);
}

// Per https://tools.ietf.org/html/rfc7231#section-7.1.2, a redirect location without a
// fragment should inherit the fragment from the original URI.
string requestFragment = requestUri.Fragment;
if (!string.IsNullOrEmpty(requestFragment))
{
string redirectFragment = location.Fragment;
if (string.IsNullOrEmpty(redirectFragment))
{
location = new UriBuilder(location) { Fragment = requestFragment }.Uri;
}
}

// Disallow automatic redirection from secure to non-secure schemes
if (HttpUtilities.IsSupportedSecureScheme(requestUri.Scheme) && !HttpUtilities.IsSupportedSecureScheme(location.Scheme))
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, $"Insecure https to http redirect from {requestUri} to {location} blocked.");
NetEventSource.Info(this, $"Insecure https to http redirect from '{requestUri}' to '{location}' blocked.");
}

return null;
Expand Down
55 changes: 46 additions & 9 deletions src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.cs
Original file line number Diff line number Diff line change
Expand Up @@ -912,40 +912,77 @@ await TestHelper.WhenAllCompletedOrAnyFailed(
}

[OuterLoop] // TODO: Issue #11345
[ConditionalTheory(nameof(IsNotWindows7))] // Skip test on Win7 since WinHTTP has bugs w/ fragments.
[Theory]
[InlineData("#origFragment", "", "#origFragment", false)]
[InlineData("#origFragment", "", "#origFragment", true)]
[InlineData("", "#redirFragment", "#redirFragment", false)]
[InlineData("", "#redirFragment", "#redirFragment", true)]
[InlineData("#origFragment", "#redirFragment", "#redirFragment", false)]
[InlineData("#origFragment", "#redirFragment", "#redirFragment", true)]
[ActiveIssue(27217)]
public async Task GetAsync_AllowAutoRedirectTrue_RetainsOriginalFragmentIfAppropriate(
string origFragment, string redirFragment, string expectedFragment, bool useRelativeRedirect)
{
if (IsCurlHandler)
{
// Starting with libcurl 7.20, "fragment part of URLs are no longer sent to the server".
// So CurlHandler doesn't send fragments.
return;
}

if (IsNetfxHandler)
{
// Similarly, netfx doesn't send fragments at all.
return;
}

if (IsWinHttpHandler)
{
// According to https://tools.ietf.org/html/rfc7231#section-7.1.2,
// "If the Location value provided in a 3xx (Redirection) response does
// not have a fragment component, a user agent MUST process the
// redirection as if the value inherits the fragment component of the
// URI reference used to generate the request target(i.e., the
// redirection inherits the original reference's fragment, if any)."
// WINHTTP is not doing this, and thus neither is WinHttpHandler.
// It also sometimes doesn't include the fragments for redirects
// even in other cases.
return;
}

HttpClientHandler handler = CreateHttpClientHandler();
handler.AllowAutoRedirect = true;
using (var client = new HttpClient(handler))
{
await LoopbackServer.CreateServerAsync(async (origServer, origUrl) =>
{
origUrl = new Uri(origUrl.ToString() + origFragment);
Uri redirectUrl = useRelativeRedirect ?
new Uri(origUrl.PathAndQuery + redirFragment, UriKind.Relative) :
new Uri(origUrl.ToString() + redirFragment);
Uri expectedUrl = new Uri(origUrl.ToString() + expectedFragment);
origUrl = new UriBuilder(origUrl) { Fragment = origFragment }.Uri;
Uri redirectUrl = new UriBuilder(origUrl) { Fragment = redirFragment }.Uri;
if (useRelativeRedirect)
{
redirectUrl = new Uri(redirectUrl.GetComponents(UriComponents.PathAndQuery | UriComponents.Fragment, UriFormat.SafeUnescaped), UriKind.Relative);
}
Uri expectedUrl = new UriBuilder(origUrl) { Fragment = expectedFragment }.Uri;

// Make and receive the first request that'll be redirected.
Task<HttpResponseMessage> getResponse = client.GetAsync(origUrl);
Task firstRequest = origServer.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Found, $"Location: {redirectUrl}\r\n");
Assert.Equal(firstRequest, await Task.WhenAny(firstRequest, getResponse));

Task secondRequest = origServer.AcceptConnectionSendResponseAndCloseAsync();
// Receive the second request.
Task<List<string>> secondRequest = origServer.AcceptConnectionSendResponseAndCloseAsync();
await TestHelper.WhenAllCompletedOrAnyFailed(secondRequest, getResponse);

// Make sure the server received the second request for the right Uri.
Assert.NotEmpty(secondRequest.Result);
string[] statusLineParts = secondRequest.Result[0].Split(' ');
Assert.Equal(3, statusLineParts.Length);
Assert.Equal(expectedUrl.GetComponents(UriComponents.PathAndQuery | UriComponents.Fragment, UriFormat.SafeUnescaped), statusLineParts[1]);

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: shouldn't matter for this test, but shouldn't this technically use UriFormat.Escaped?

Copy link

@geoffkizer geoffkizer Feb 22, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM


// Make sure the request message was updated with the correct redirected location.
using (HttpResponseMessage response = await getResponse)
{
Assert.Equal(200, (int)response.StatusCode);
Assert.Equal(expectedUrl, response.RequestMessage.RequestUri);
Assert.Equal(expectedUrl.ToString(), response.RequestMessage.RequestUri.ToString());
}
});
}
Expand Down