ruby / webrick

HTTP server toolkit
BSD 2-Clause "Simplified" License
286 stars 97 forks source link

Support Relative URIs in Location Header #77

Open micchickenburger opened 3 years ago

micchickenburger commented 3 years ago

In /lib/webrick/httpresponse.rb:295 the location response header is modified to include the request URI, creating an absolute URI. However, relative URIs are allowed in the location field. (See https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2).

This causes issues with reverse proxies and other proxy software. For instance, Hashicorp Boundary proxies a TCP connection through localhost using an ephemeral port to a destination web server. Because webrick does not allow relative URIs in this field, the client navigates to the resource on the wrong host or port (because the request port from the proxy != the client port to the proxy).

I think this segment of code should be removed entirely.

jeremyevans commented 3 years ago

I agree this is an issue. Historically, relative URLs weren't supported in Location, but they have been supported for a long time, and it's unlikely that any modern client cannot handle them.

micchickenburger commented 3 years ago

I'm happy to prepare a PR if that would be helpful.