As outlined in RFC 7231, the Location header can feature relative paths, including strings without a leading slash, like location: abc. Hackney tacks that onto the path instead of replacing the last part as described in the RFC.
Reproducible By
I noticed this while trying to use the Wikipedia API using HTTPoison, which returns relative location headers. Here's example code:
This issue is similar to nodejs/undici#1521.
Bug Description
As outlined in RFC 7231, the Location header can feature relative paths, including strings without a leading slash, like
location: abc. Hackney tacks that onto the path instead of replacing the last part as described in the RFC.Reproducible By
I noticed this while trying to use the Wikipedia API using HTTPoison, which returns relative location headers. Here's example code:
Wikipedia returns a
Location: Coffeeheader, which:Intended behavior
Should redirect to
https://en.wikipedia.org/api/rest_v1/page/summary/CoffeeActual behavior
Redirects to
https://en.wikipedia.org/api/rest_v1/page/summary/coffee/CoffeeOr, more generally
should redirect to /a/c, as defined by RFC 3986, Section 5.4 but redirects to /a/b/c in hackney.
Environment
Hackney 1.17.1 Erlang/OTP 25 [erts-13.1.1] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit] [dtrace] Elixir 1.14.2 (compiled with Erlang/OTP 25) Darwin Kernel Version 22.2.0: Fri Nov 11 02:06:26 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T8112 arm64 / MacOS Ventura 13.1