_HTTPConnection: check location on _should_follow_redirect() and retain safe request when following redirects #2409
…ould_follow_redirect()
tornado/simple_httpclient.py
Outdated
self.code in (301, 302, 303, 307, 308)): | ||
return False | ||
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.4 | ||
# According to the spec, the temporary URI may not be specified when the |
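Review bot: the comment that closes this hunk links rfc2616-sec10.3.4, which is the 303 See Other section, while its wording ("the temporary URI") is the 302 text, and the condition above it covers all of 301, 302, 303, 307 and 308. Point the link at the section that actually matches the sentence, or better, state the rule the code enforces (follow only when a Location header is present) without tying it to one status code.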
I think you're misreading the spec. The Location header SHOULD be given no matter what the request method was. The only difference with HEAD is whether there should be a body for clients that don't follow redirects automatically (there's nothing special about HEAD with 302 in this respect; that's how HEAD always works).
Also, RFC2616 is obsolete. The current definition of the 302 response code is https://tools.ietf.org/html/rfc7231#section-6.4.3.
tornado/simple_httpclient.py
Outdated
# TODO: Unless the request method was HEAD, give a warning or raise an | ||
# exception when the temporary URI is not specified? | ||
redirect_location = self.headers.get("Location") | ||
return (redirect_location is not None) |
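Review bot: `redirect_location is not None` on the last line also passes when the header is present but empty, so a response with a blank Location value is still treated as a redirect; testing truthiness (`return bool(self.headers.get("Location"))`) rejects both cases. The TODO above it leaves the warn-or-raise question open and should be resolved or dropped before merging.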
The actual code change is fine, but I think I'd add it in to the same return expression above (`and self.headers.get('Location') is not None`) instead of making this method have two separate return statements.
Sorry, I really misunderstood the spec because of my poor English!
…hen following redirects
tornado/simple_httpclient.py
Outdated
@@ -209,6 +209,7 @@ def _on_timeout(self, key, info=None): | |||
|
|||
class _HTTPConnection(httputil.HTTPMessageDelegate): | |||
_SUPPORTED_METHODS = set(["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]) | |||
_SAFE_NETHODS = set(["GET", "HEAD", "OPTIONS"]) |
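Review bot: `_SAFE_NETHODS` on the added line is misspelled, and any later reference written as `_SAFE_METHODS` would only fail with an AttributeError when that code path runs; rename it here. A one-line comment saying what the set is for (methods kept unchanged when following a redirect, going by the change title) would also help, since `_SUPPORTED_METHODS` directly above serves a different purpose.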
minor typo: `N` should be `M` in "NETHODS"
Thanks for the reminder. I'm too careless.
Thanks!
…and retain safe request when following redirects (tornadoweb#2409)" This reverts commit 859a038. This commit was merged after the release of 5.1b1 with insufficient consideration and testing. I'll bring this back in the 6.0 cycle with a test
…irect() and retain safe request when following redirects (tornadoweb#2409)"" This reverts commit dda77f2.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3
According to the spec, the temporary URI may not be specified when the request method was HEAD.
While checking _should_follow_redirect(), it doesn't verify whether the location is specified.
tornado/tornado/simple_httpclient.py
Lines 493 to 496 in 9bb6463
AsyncHTTPClient always uses the GET method when following redirects:
tornado/tornado/simple_httpclient.py
Lines 517 to 518 in 9bb6463
But when using CURL with the HEAD method, CURL will also use the HEAD method when following redirects:
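The redirect handling this pull request describes (follow only when Location is present, keep safe methods unchanged), as an added stand-alone example that is not Tornado's code or part of the original description. The function names, the plain-dict headers and the sample URLs are assumptions; keeping the method on 307/308 goes beyond the page and follows the definitions of those status codes.

```python
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)
# Same three methods as the safe-method set in the diff above.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def should_follow_redirect(code, headers, follow_redirects=True, max_redirects=5):
    """True only if redirects are enabled, budget remains, the status is a
    redirect, and the response carries a non-empty Location header."""
    return (
        follow_redirects
        and max_redirects > 0
        and code in REDIRECT_CODES
        and bool(headers.get("Location"))  # rejects missing and empty values
    )


def next_request(url, method, body, code, headers, max_redirects=5):
    """Return (url, method, body, remaining_redirects) for the follow-up
    request, or None when the redirect must not be followed."""
    if not should_follow_redirect(code, headers, True, max_redirects):
        return None
    # Location may be relative; resolve it against the URL just requested.
    target = urljoin(url, headers["Location"])
    if code in (307, 308) or method in SAFE_METHODS:
        # 307/308 forbid changing the method; safe methods are retained,
        # so a HEAD probe stays a HEAD instead of turning into a GET.
        new_method, new_body = method, body
    else:
        # Assumed policy for unsafe methods on 301/302/303: retry as a
        # body-less GET so the payload is not replayed at the new URL.
        new_method, new_body = "GET", None
    return target, new_method, new_body, max_redirects - 1


if __name__ == "__main__":
    # Constructed responses, not captured traffic.
    base = "http://example.test/a"
    print(next_request(base, "HEAD", None, 302, {"Location": "/b"}))
    print(next_request(base, "HEAD", None, 302, {}))
    print(next_request(base, "POST", b"x=1", 302, {"Location": "/b"}))
    print(next_request(base, "POST", b"x=1", 307, {"Location": "/b"}))
```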