Project

General

Profile

Bug #2779

CGI local-redir handling conflicts with LuCI redirect with Set-Cookie

Added by gstrauss 4 months ago. Updated 4 months ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
mod_cgi
Target version:
Start date:
2017-01-09
Due date:
% Done:

100%

Missing in 1.5.x:

Description

CGI local-redir handling conflicts with LuCI redirect with Set-Cookie

RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
http://www.ietf.org/rfc/rfc3875

lighttpd implements local-redir per RFC 3875, but this behavior conflicts with the expectation of some applications, which might return a local URL path in Location response header, but expect it to be sent back to client. Other response headers might include Set-Cookie, as is done by LuCI (https://github.com/openwrt/luci)

Associated revisions

Revision f57d8c54 (diff)
Added by gstrauss 4 months ago

[mod_cgi] skip local-redir handling if to self (fixes #2779, #2108)

Loosen local redirect handling in mod_cgi to skip handling as local
redirect if the Location matches con->uri.path, since if the request
is intended to redirect back to the same CGI using the same request
method, path info, and query string, the CGI would logically just
return the final intended response. Loosening this handling avoids a
problem with applications (potentially) accessible through multiple
gateways, where the application is not aware of this specific handling
of Location in the Common Gateway Interface (CGI/1.1), the application
sends abs-path in the Location response header instead of absoluteURI,
and the application expects the client to receive this Location response
header instead of the server to process as a CGI local redirect.

One example of such an application is LuCI,
which sends Set-Cookie with Location: /abs-path
https://github.com/openwrt/luci

(Note that this loose check for matching con->uri.path is not perfect
and might not match if the CGI returned a path with a different case
and the server is on a case-insensitive filesystem, or if the path
returned by the CGI is rewritten elsewhere to a different con->uri.path
before getting to mod_cgi.)

RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
http://www.ietf.org/rfc/rfc3875

x-ref:
"CGI local-redir handling conflicts with LuCI redirect w/ Set-Cookie"
https://redmine.lighttpd.net/issues/2779
"CGI local redirect not implemented correctly"
https://redmine.lighttpd.net/issues/2108

History

#1 Updated by gstrauss 4 months ago

  • Category set to mod_cgi

#2 Updated by gstrauss 4 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom