Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #5029 Relative Redirection #5038

Merged
merged 3 commits into from
Jul 15, 2020
Merged

Issue #5029 Relative Redirection #5038

merged 3 commits into from
Jul 15, 2020

Conversation

gregw
Copy link
Contributor

@gregw gregw commented Jul 9, 2020

Provide option to allow relative redirection.

@gregw
Issue #5029 Relative Redirection
c8b8d74 
Provide option to allow relative redirection
@gregw gregw requested a review from sbordet July 9, 2020 12:36
@gregw gregw linked an issue Jul 9, 2020 that may be closed by this pull request
Open redirect when sending custom Host header to URL with no trailing forward-slash #5029
Closed
sbordet
sbordet requested changes Jul 10, 2020
View reviewed changes
Copy link
Contributor

@sbordet sbordet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I think we should have this option, I think we also need to allow configuration of a fixed authority - may be done in another PR, but feels it belongs to #5029.

jetty-server/src/main/config/etc/jetty.xml Outdated
@@ -74,6 +74,7 @@
<Set name="requestCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.requestCookieCompliance" deprecated="jetty.httpConfig.cookieCompliance" default="RFC6265"/></Arg></Call></Set>
<Set name="responseCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.responseCookieCompliance" default="RFC6265"/></Arg></Call></Set>
<Set name="multiPartFormDataCompliance"><Call class="org.eclipse.jetty.server.MultiPartFormDataCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.multiPartFormDataCompliance" default="RFC7578"/></Arg></Call></Set>
<Set name="relativeRedirectionAllowed"><Property name="jetty.httpConfig.relativeRedirectionAllowed" default="false"/></Set>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the name.
It's not whether relative redirects are allowed or not.
It's about whether we generate relative redirects or not.
generateRelativeRedirects?
useRelativeRedirects?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the existing releases, If the application uses ...

response.sendRedirect("/alt/path"); // becomes an absolute-uri
response.sendRedirect("www.machine.com/alt/path"); // becomes an absolute-uri by adding scheme
response.sendRedirect("https://www.machine.com/alt/path"); // stays an absolute-uri

With this change, the default is false, which preserves the behavior.

If they set it to true, then the following happens ...

response.sendRedirect("/alt/path"); // no change to whats added, it is sent as `Location: /alt/path`
response.sendRedirect("www.machine.com/alt/path"); // no change to whats added, it is sent as `Location: www.machine.com/alt/path`
response.sendRedirect("https://www.machine.com/alt/path"); // no change to whats added, it is sent as `Location: https://www.machine.com/alt/path`

Perhaps the name should indicate that Jetty, by default, ensures that the Location header is an absolute-uri, but if we change this configuration, it takes the Location as-is.

ensureAbsoluteUriLocation with a default of true?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The behaviour is definitely an 'Allow', as it just decides if a passed relative location can be allowed to remain relative.
It could be inverted to an ensure (or enforce?) but then isEnsureAbsoluteUriLocation is both a mouthful and doesn't scan.

After chatting to @sbordet online, I have renamed to relativeRedirectAllowed... but I could be pushed to allowRelativeRedirect if we can stomach isAllowRelativeRedirect ?

jetty-server/src/main/java/org/eclipse/jetty/server/Response.java Show resolved Hide resolved
@sbordet
Copy link
Contributor

sbordet commented Jul 10, 2020

@gregw also, are we sure that http to https redirection works fine when this new option is configured to emit relative redirects?

@gregw
Copy link
Contributor Author

gregw commented Jul 15, 2020

HTTP -> HTTPS redirection works because it passes an absolute URL: https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java#L649-L651

@gregw gregw requested a review from sbordet July 15, 2020 09:00
@gregw gregw merged commit 5c1dda3 into jetty-9.4.x Jul 15, 2020
@gregw gregw deleted the jetty-9.4.x-5029-relativeRedirection branch July 15, 2020 21:14
@joakime joakime mentioned this pull request Jul 22, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joakime joakime joakime left review comments

@sbordet sbordet sbordet approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Open redirect when sending custom Host header to URL with no trailing forward-slash
3 participants
@gregw @sbordet @joakime