From: Daniele Nicolodi
Newsgroups: gmane.emacs.bugs
Subject: bug#42382: 26.3; url-http handling of Location redirection headers containing whitespace
Date: Wed, 15 Jul 2020 14:40:36 -0600
Message-ID: <875e714c-28f3-7a4e-7a9e-0f4ce640e336@grinta.net>
To: 42382@debbugs.gnu.org

url-http.el interprets HTTP responses in url-http-parse-headers. This
function contains the following code:

    (when redirect-uri
      ;; Clean off any whitespace and/or <...> cruft.
      (if (string-match "\\([^ \t]+\\)[ \t]" redirect-uri)
          (setq redirect-uri (match-string 1 redirect-uri)))
      (if (string-match "^<\\(.*\\)>$" redirect-uri)
          (setq redirect-uri (match-string 1 redirect-uri)))

which truncates the value of the Location header at the first whitespace
character and removes surrounding angle bracket quoting.

In RFC 7231 the Location header is defined to carry a URI-reference.
According to RFC 3986 it should be percent-encoded and thus should not
contain spaces. However, there are HTTP server implementations (notably
nginx) that do not do that. While this is a bug in those HTTP server
implementations, I think Emacs should follow what most other HTTP client
implementations (all the ones I tested) do and use the content of the
Location header unmodified. Stripping of angle bracket quotes is
unnecessary as they are not valid according to the RFCs.

Also, according to the RFCs, the Location header may contain a relative
location. Thus the comment that suggests that such a response is a bug
in the server should be reworded.

The attached patches implement the proposed changes.

Thank you.

Attachment: 0001-url-http-Fix-handling-of-redirect-locations.patch
Attachment: 0002-url-http-Do-not-suggest-a-broken-HTTP-server-impleme.patch
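
The truncation described in the report, as an added example (not code from url-http.el or from the attached patches): it applies the quoted cleaning to constructed Location values and compares the redirect target with a variant that keeps the whole value and only percent-encodes raw whitespace. The `demo-` names, the sample URLs and the percent-encoding step are assumptions of this example.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; not code from url-http.el or the attached patches.
;; Run with: emacs --batch -l this-file.el
(require 'url-vars)                     ; url-nonrelative-link
(require 'url-expand)                   ; url-expand-file-name

(defun demo-legacy-clean (location)
  "Apply the cleaning quoted in the report to LOCATION."
  (let ((uri location))
    ;; Keep only the text before the first space or tab.
    (when (string-match "\\([^ \t]+\\)[ \t]" uri)
      (setq uri (match-string 1 uri)))
    ;; Strip a surrounding <...> pair.
    (when (string-match "^<\\(.*\\)>$" uri)
      (setq uri (match-string 1 uri)))
    uri))

(defun demo-encode-whitespace (location)
  "Percent-encode raw space and tab in LOCATION, nothing else.
This step is an assumption of the example, not part of the patches."
  (replace-regexp-in-string
   "[ \t]" (lambda (m) (format "%%%02X" (aref m 0))) location t t))

(defun demo-resolve (location base)
  "Resolve LOCATION against BASE when it is a relative reference."
  (if (string-match url-nonrelative-link location)
      location
    (url-expand-file-name location base)))

(defun demo-compare (location base)
  "Return a plist with the redirect target under both treatments."
  (list :raw location
        :legacy (demo-resolve (demo-legacy-clean location) base)
        :kept (demo-resolve (demo-encode-whitespace location) base)
        ;; Non-nil when the legacy cleaning changed the header value,
        ;; i.e. the client would request a different resource.
        :altered (not (string= (demo-legacy-clean location) location))))

;; Constructed sample values (not taken from the bug report).
(defconst demo-base "http://example.org/files/index.html")
(dolist (loc '("http://example.org/files/annual report.pdf"
               "/moved/annual report.pdf"
               "/moved/report.pdf"))
  (message "%S" (demo-compare loc demo-base)))
```

Where `:altered` is non-nil, the `:legacy` target is a prefix of what the server sent, so the client follows the redirect to a different resource than clients that keep the full value.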