[armedbear] #432: open http:// pathname doesn't follow redirects
armedbear
armedbear-devel at common-lisp.net
Thu Mar 23 09:59:30 UTC 2017
#432: open http:// pathname doesn't follow redirects
------------------------------+--------------------------
Reporter: aruttenberg | Owner: mevenson
Type: defect | Status: accepted
Priority: blocker | Milestone: 1.5.0
Component: streams | Version: 1.5.0-dev
Resolution: | Keywords: has-test uri
Parent Tickets: |
------------------------------+--------------------------
Comment (by mevenson):
The {{{URL-PATHNAME}}} constructor is working again, which reveals a more
basic problem in that {{{java.net.URLConnection}}} does not "follow"
redirects across scheme change, i.e.
{{{http://purl.obolibrary.org/obo/iao.owl}}} via scheme {{{http}}}
redirects to
{{{https://raw.githubusercontent.com/information-artifact-ontology/IAO/master/releases/2015-02-23/iao.owl}}}
using scheme {{{https}}}.
Writing code to follow scheme changes across redirects is fairly trivial
(see <http://stackoverflow.com/questions/1884230/urlconnection-doesnt-follow-redirect#1884427>)
but there are security implications here in automatically following a
redirect from a secure session to an insecure one in that request headers
(which may contain sensitive information used for authentication/authorization)
that one intends to keep secret may be revealed.
My preference here would be to allow ABCL to follow redirects from
{{{http}}} to {{{https}}} but not vice-versa, but this may be confusing to
the user.
What would be an appropriate way to inform the end-user of what redirects
are being followed?
Should we set up configuration options on what sort of redirects we allow,
i.e.
|| REDIRECT_ALL || Follow all redirections ||
|| REDIRECT_SECURELY || Never follow a redirection from a secure connection to an insecure one ||
I need to consider what the right behavior should be here.
--
Ticket URL: <http://abcl.org/trac/ticket/432#comment:7>
armedbear <http://abcl.org>
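As an added illustration (not ABCL's code, and not part of the ticket above), the following Java class follows redirects by hand with `java.net.HttpURLConnection`, so that http -> https scheme changes are honoured, while applying the two policies sketched in the ticket's table: `REDIRECT_ALL` follows everything, `REDIRECT_SECURELY` refuses any hop from https down to a non-https scheme. The class name `RedirectFollower`, the `redirectAllowed` and `open` methods, the redirect limit and the `example.invalid` URLs in `main` are assumptions made for this example; the policy names are taken from the ticket.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

/** Example redirect follower (hypothetical; not part of ABCL). */
public final class RedirectFollower {

    /** Policies named after the options proposed in the ticket. */
    public enum RedirectPolicy {
        REDIRECT_ALL,      // follow every redirect, whatever the scheme change
        REDIRECT_SECURELY  // never follow a redirect from https to a non-https scheme
    }

    /**
     * Pure policy check: may a redirect from 'from' to 'to' be followed?
     * The case the ticket worries about is the downgrade (https -> http),
     * where request headers carrying credentials would be re-sent in the clear.
     */
    public static boolean redirectAllowed(RedirectPolicy policy, URL from, URL to) {
        if (policy == RedirectPolicy.REDIRECT_ALL) {
            return true;
        }
        boolean fromSecure = "https".equalsIgnoreCase(from.getProtocol());
        boolean toSecure = "https".equalsIgnoreCase(to.getProtocol());
        return !(fromSecure && !toSecure);
    }

    /**
     * Open 'url', following at most 'maxRedirects' redirects ourselves instead of
     * letting HttpURLConnection do it (its built-in handling stops at a scheme change).
     * Throws if the policy forbids a hop or the chain is too long.
     */
    public static InputStream open(URL url, RedirectPolicy policy, int maxRedirects)
            throws IOException {
        URL current = url;
        for (int hop = 0; ; hop++) {
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false); // we decide, not the library
            int status = conn.getResponseCode();
            if (status < 300 || status >= 400) {
                return conn.getInputStream(); // final response, hand the body back
            }
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) {
                throw new IOException("status " + status + " without Location from " + current);
            }
            URL next = new URL(current, location); // resolves relative Location values too
            if (hop >= maxRedirects) {
                throw new IOException("too many redirects starting from " + url);
            }
            if (!redirectAllowed(policy, current, next)) {
                throw new IOException("refusing " + current.getProtocol() + " -> "
                        + next.getProtocol() + " redirect to " + next + " under " + policy);
            }
            // Make the hop visible to the user, as the ticket asks for.
            System.err.println("following redirect: " + current + " -> " + next);
            current = next;
        }
    }

    public static void main(String[] args) throws Exception {
        // Offline demonstration of the policy check alone (constructed URLs, no traffic).
        URL http = new URL("http://example.invalid/a");
        URL https = new URL("https://example.invalid/b");
        System.out.println("SECURELY http->https allowed: "
                + redirectAllowed(RedirectPolicy.REDIRECT_SECURELY, http, https));
        System.out.println("SECURELY https->http allowed: "
                + redirectAllowed(RedirectPolicy.REDIRECT_SECURELY, https, http));
        System.out.println("ALL      https->http allowed: "
                + redirectAllowed(RedirectPolicy.REDIRECT_ALL, https, http));
    }
}
```

Two design points worth noting: each hop opens a fresh connection with no caller-supplied headers, so nothing from the original request is carried to the redirected host, and the hop limit guards against a redirect loop, which the library's own handling would otherwise cap for you. The `System.err` line is one possible answer to the ticket's question of how to tell the user which redirects were followed.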