- Bug
- Resolution: Done
- Major
- 7.4.16.GA
For a relative redirect, any query string included in the location is now also canonicalized as a result of UNDERTOW-1308. This breaks any URL links potentially in the query values as any // is reduced to just /. But the RFC does suggest we should expect such a potential query value so perhaps we should not canonicalize any query string on the redirect?
However, as query components are often used to carry identifying information in the form of "key=value" pairs and one frequently used value is a reference to another URI, it is sometimes better for usability to avoid percent-encoding those characters.
To reproduce, deploy the redirect.war and attempt a request like this and note the returned location header without the // value:
curl -v "localhost:8080/redirect/redirect.jsp?link=http://localhost/test"
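As an added illustration (not code from this report or from Undertow), the Java sketch below uses a simplified, hypothetical path canonicalizer to show how running it over a whole relative location collapses the `//` inside a query value, while splitting at the first `?` or `#` and canonicalizing only the path leaves the link intact. The class name, method names and sample location are assumptions constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class RedirectLocationDemo {

    // Simplified stand-in for path canonicalization (an assumption, not Undertow's code):
    // collapses empty segments ("//"), drops "." and resolves "..".
    static String canonicalizePath(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { out.pollLast(); continue; }
            out.addLast(seg);
        }
        String joined = "/" + String.join("/", out);
        return path.endsWith("/") && joined.length() > 1 ? joined + "/" : joined;
    }

    // Behaviour described in the report: the whole relative location,
    // query string included, is passed through canonicalization.
    static String canonicalizeWholeLocation(String location) {
        return canonicalizePath(location);
    }

    // Alternative: canonicalize the path only; query and fragment pass through unchanged.
    static String canonicalizePathOnly(String location) {
        int cut = location.length();
        for (int i = 0; i < location.length(); i++) {
            char c = location.charAt(i);
            if (c == '?' || c == '#') { cut = i; break; }
        }
        return canonicalizePath(location.substring(0, cut)) + location.substring(cut);
    }

    // True when the query component (everything from the first '?') is identical.
    static boolean queryPreserved(String before, String after) {
        int b = before.indexOf('?'), a = after.indexOf('?');
        return b >= 0 && a >= 0 && before.substring(b).equals(after.substring(a));
    }

    public static void main(String[] args) {
        // Constructed sample: a relative redirect target carrying a URL in its query.
        String location = "/redirect/./target.jsp?link=http://localhost/test";
        String whole = canonicalizeWholeLocation(location);
        String pathOnly = canonicalizePathOnly(location);
        System.out.println("input:     " + location);
        System.out.println("whole:     " + whole + "  queryPreserved=" + queryPreserved(location, whole));
        System.out.println("path only: " + pathOnly + "  queryPreserved=" + queryPreserved(location, pathOnly));
    }
}
```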
- clones
  - UNDERTOW-2383 Canonicalized query string in redirect location can break included links (Resolved)
- is cloned by
  - JBEAP-27015 [GSS](8.0.z) UNDERTOW-2383 - Canonicalized query string in redirect location can break included links (Closed)
- is incorporated by
  - JBEAP-27079 (7.4.z) Upgrade undertow from 2.2.32.SP1-redhat-00001 to 2.2.33.SP1-redhat-00001 (Closed)
- is triggered by
  - UNDERTOW-1308 Incorrect handling of non http(s) scheme urls in sendRedirect (Resolved)