From 20e8907e33ffee0873dd4aeb1d34bae6af0229c3 Mon Sep 17 00:00:00 2001 From: Ben Darnell Date: Tue, 10 Jul 2018 22:32:57 -0400 Subject: [PATCH] Revert "Revert "_HTTPConnection: check location on _should_follow_redirect() and retain safe request when following redirects (#2409)"" This reverts commit dda77f2ca3365bd031a0c56dd19c8ed781a0695a. --- tornado/simple_httpclient.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py index 60b7956fe3..03cac3d2a9 100644 --- a/tornado/simple_httpclient.py +++ b/tornado/simple_httpclient.py @@ -210,6 +210,7 @@ def _on_timeout(self, key, info=None): class _HTTPConnection(httputil.HTTPMessageDelegate): _SUPPORTED_METHODS = set(["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]) + _SAFE_METHODS = set(["GET", "HEAD", "OPTIONS"]) def __init__(self, client, request, release_callback, final_callback, max_buffer_size, tcp_client, @@ -496,7 +497,8 @@ def headers_received(self, first_line, headers): def _should_follow_redirect(self): return (self.request.follow_redirects and self.request.max_redirects > 0 and - self.code in (301, 302, 303, 307, 308)) + self.code in (301, 302, 303, 307, 308) and + self.headers.get("Location") is not None) def finish(self): data = b''.join(self.chunks) @@ -517,8 +519,9 @@ def finish(self): # treat 302 the same as 303, and many servers use 302 for # compatibility with pre-HTTP/1.1 user agents which don't # understand the 303 status. - if self.code in (302, 303): - new_request.method = "GET" + if self.code in (301, 302, 303): + if self.request.method not in self._SAFE_METHODS: + new_request.method = "GET" new_request.body = None for h in ["Content-Length", "Content-Type", "Content-Encoding", "Transfer-Encoding"]: