Bug #2108
closedCGI local redirect not implemented correctly
Description
According to the CGI 1.1 specification http://www.ietf.org/rfc/rfc3875 section 6.2.2 Local Redirect Response, a CGI script can issue a Location: response containing an (absolute) path to a local resource, and in this case the server MUST generate the response that it would have produced in response to a request containing the URL scheme server-name ":" server-port local-pathquery"
This is currently non implemented correctly in lighttpd 1.4.24. If a CGI script issues a local redirect, this is handled by lighttpd as if it was a client redirect (6.2.3 in the CGI/1.1 spec): a 302 is returned to the client, pointing to the new location. Expected behavior would be for the server to do the redirect internally in this case instead.
Updated by gstrauss almost 8 years ago
- Status changed from New to Patch Pending
- Target version set to 1.4.40
Updated by gstrauss almost 8 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 8861c2bb54f31c8fbbf6733d4de7bf54d940dec6.
Updated by Olaf-van-der-Spek over 7 years ago
Does it make sense to alter / fix / break this behavior after decades?
I've been using redirects without scheme/host part for over a decade and wasn't aware of this 'rule'. What do other web servers do?
A redirect is frequently done after a POST, silently doing the redirect server-side has quite an affect.
Maybe this should be opt-in?
Updated by gstrauss over 7 years ago
Thanks for your comment. Please note that this change was released 6 months ago.
A patch was released in lighttpd 1.4.45 for better compatibility with redirects sent along with Set-Cookie.
No other issues have been reported in the past 6 months. If this change causes hardships for someone, yes, we will consider creating a config directive to disable the behavior.
Updated by Olaf-van-der-Spek over 7 years ago
gstrauss wrote:
Thanks for your comment. Please note that this change was released 6 months ago.
Yes, and?
Please note that not everyone has updated to a version including this change (yet).
For example, some systems won't be updated until after the next Debian version is released.
A patch was released in lighttpd 1.4.45 for better compatibility with redirects sent along with Set-Cookie.
I know, but it sounded like that didn't cover all cases.
No other issues have been reported in the past 6 months. If this change causes hardships for someone, yes, we will consider creating a config directive to disable the behavior.
Updated by gstrauss over 7 years ago
Your post provides no new information and is not helpful nor forward-looking.
Yes and?
Updated by stbuehler about 7 years ago
- Related to Bug #2793: 1.4.40 regression: broken redirect (using Location) between url.rewrite-once URLs added
Updated by laoshaw about 6 years ago
Tested with 1.4.48 on openwrt with luci, still not working.
Updated by gstrauss about 6 years ago
Yes, the feature works in lighttpd 1.4.48. However, it might not work for the specific app you reference on the specific distribution you are running, and on the specific version of the distro you are running, due to other things like PATH settings, so perhaps, as I mentioned in https://github.com/openwrt/luci/issues/922 you should stop spamming "it's broken" all over without reading the history in those other forums, where I provided working solutions, NEITHER of which were problems with lighttpd.
Also available in: Atom