Opened 8 years ago

Closed 3 years ago

#882 closed defect (fixed)

Unencoded Location: header when redirecting

Reported by: stackoverflow.com/users/32168/jim-nelson
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.4.x
Keywords:
Cc:
uname -a:
nginx -V: nginx/1.4.6 (Ubuntu)

Description

As posted on the mailing list (http://mailman.nginx.org/pipermail/nginx/2016-January/049650.html):

We’re seeing the following behavior in nginx 1.4.6:

  • nginx returns “301 Moved Permanently” with the Location: URL unencoded and a trailing slash added:
    Location: http://example.org/When Harry Met Sally/
  • Some software (i.e. PHP) will automatically follow the redirect, but because it expects an encoded Location: header, it sends exactly what was returned from the server. (Note that curl, wget, and others will fix up unencoded Location: headers, but that’s not what the HTTP spec requires.)

In other words, this is the transaction chain:

C: GET http://example.org/When%20Harry%20Met%20Sally HTTP/1.1

S: HTTP/1.1 301 Moved Permanently
S: Location: http://example.org/When Harry Met Sally/

C: GET http://example.org/When Harry Met Sally/ HTTP/1.1

S: 400 Bad Request

I believe the 301 originates from within the nginx code itself (ngx_http_static_module.c:147-193? in trunk) and not from our rewrite rules. As I read the HTTP spec, Location: must be encoded.
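The transaction chain in the description, as an added example (not nginx code and not part of the original ticket): a Python check that extracts the Location value from a response head, tests it against the RFC 3986 character set, and produces the escaped form a strict client expects. The function names and the sample response are constructed for illustration.

```python
import re
from urllib.parse import quote

# RFC 3986 characters legal in a URI reference: unreserved, reserved
# (gen-delims and sub-delims), or a complete %XX escape.
_URI_REFERENCE = re.compile(
    r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
)
_DELIMS = "-._~:/?#[]@!$&'()*+,;="

# Constructed sample: the 301 from the ticket, as raw bytes on the wire.
SAMPLE_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx/1.4.6 (Ubuntu)\r\n"
    "Location: http://example.org/When Harry Met Sally/\r\n"
    "\r\n"
)

def location_of(response_head):
    """Return the Location field value of a raw response head, or None."""
    for line in response_head.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def is_valid_uri_reference(value):
    """True if every character is legal in a URI without further escaping."""
    return _URI_REFERENCE.fullmatch(value) is not None

def escape_location(value):
    """Percent-encode only the illegal characters; keep delimiters and
    escapes that are already well formed."""
    # A "%" that does not start a %XX escape is itself illegal.
    value = re.sub(r"%(?![0-9A-Fa-f]{2})", "%25", value)
    return quote(value, safe=_DELIMS + "%")

if __name__ == "__main__":
    loc = location_of(SAMPLE_301)
    print("Location:", repr(loc))
    print("valid:", is_valid_uri_reference(loc))
    print("escaped:", escape_location(loc))
```
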

Change History (4)

comment:1 by Maxim Dounin, 8 years ago

Status: new → accepted

comment:2 by Ruslan Ermilov, 3 years ago

See also #2016.

comment:3 by Ruslan Ermilov <ru@…>, 3 years ago

In 7848:1bde031b59ff/nginx:

Location header escaping in redirects (ticket #882).

The header is escaped in redirects based on request URI or
location name (auto redirect).

comment:4 by Ruslan Ermilov, 3 years ago

Resolution: fixed
Status: accepted → closed