New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit redirect proxy handling to redirected responses #112526
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
/triage accepted |
LGTM, not doing the usual thanks @liggitt |
@@ -263,7 +263,7 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request | |||
oldModifyResponse := proxy.ModifyResponse | |||
proxy.ModifyResponse = func(response *http.Response) error { | |||
code := response.StatusCode | |||
if code >= 300 && code <= 399 { | |||
if code >= 300 && code <= 399 && len(response.Header.Get("Location")) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does a client do if it gets a location header that is actually set to empty string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
304 according to the test case :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://pkg.go.dev/net/http#Header.Get
Get gets the first value associated with the given key. If there are no values associated with the key, Get returns "".
Same as as if it was unset.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be comfortable assuming all reasonable clients don't pick arbitrary other hostile URLs to redirect to :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm |
We should update the integration test in a separate PR :) |
…526-upstream-release-1.22 Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
…526-upstream-release-1.24 Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
…526-upstream-release-1.25 Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
…526-upstream-release-1.23 Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
What type of PR is this?
/kind bug
/kind regression
What this PR does / why we need it:
Resolved the regression in #112193 by limiting redirect handling to actually redirected requests.
/cc @enj @deads2k
cc @jindijamie
Which issue(s) this PR fixes:
Fixes #112524
Special notes for your reviewer:
Does this PR introduce a user-facing change?
/sig api-machinery
/priority critical-urgent
/kind bug
/kind regression