Closed
Description
One of the default HTTP redirect checks, located here, is to prevent a redirect onto itself:
-- make sure we're actually being redirected somewhere and not to the same url
function (url, host, port)
  -- path cannot be unchanged unless host has changed
  -- loc.path must be set if returning true
  if ( not url.path or url.path == "/" ) and url.host == ( host.targetname or host.ip) then return false end
  if not url.path then return true end
  return true
end,

There is a discrepancy between a comment and the actual code about whether the path is required or not. I presume that the comment is correct and the code is not, in which case the following patch remediates the issue:
--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -1514,10 +1514,12 @@
-- make sure we're actually being redirected somewhere and not to the same url
function (url, host, port)
+ -- url.path must be set if returning true
-- path cannot be unchanged unless host has changed
- -- loc.path must be set if returning true
- if ( not url.path or url.path == "/" ) and url.host == ( host.targetname or host.ip) then return false end
- if not url.path then return true end
+ -- TODO: Since we do not know here what the actual old path was then
+ -- the effectiveness of this code is a bit unclear.
+ if not url.path then return false end
+ if url.path == "/" and url.host == (host.targetname or host.ip) then return false end
return true
end,
}

This patch deserves scrutiny from other folks before committing.
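Review bot: The added `if not url.path then return false end` runs before the host comparison, so a redirect whose URL has no path is now rejected even when it points at a different host. The removed lines accepted that case: `if not url.path then return true end` was only reached when the host differed from `host.targetname or host.ip`. This also conflicts with the retained comment "path cannot be unchanged unless host has changed", which treats a host change as a valid redirect. If the intent is only to guarantee that url.path is set for callers, consider treating a missing path as "/" before the same-host check instead of refusing the redirect outright; if refusing is intended, reword the comments to say that path-less redirects are dropped regardless of host. The TODO is accurate that the old path is not available here, so the `url.path == "/"` test still only catches self-redirects to the root and not to any other path on the same host; that limitation is worth stating in the comment rather than leaving it as an open question.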