NetBSD-Bugs archive
bin/58881: .bzabsredirect doesn't support scheme-relative redirects
>Number: 58881
>Category: bin
>Synopsis: .bzabsredirect doesn't support scheme-relative redirects
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Dec 07 16:20:00 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9, ...
>Organization:
The NetBozoD 302 Foundation
>Environment:
>Description:
If you put an absolute URL like https://example.com/foo in .bzabsredirect, it redirects to that URL exactly.
    $ curl http://...
    HTTP/1.1 301 Document Moved
    Server: bozohttpd/20220517
    Content-Type: text/html
    Location: https://example.com/foo
    ...
If you put a scheme-relative URL like example.com/foo in .bzabsredirect, and you query it over HTTP you get an http:// URL, while if you query it over HTTPS -- provided the HTTPS is terminated by bozohttpd itself -- you get an https:// URL:
    $ curl http://...
    HTTP/1.1 301 Document Moved
    Server: bozohttpd/20220517
    Content-Type: text/html
    Location: http://example.com/foo
    ...
    $ curl https://...
    HTTP/1.1 301 Document Moved
    Server: bozohttpd/20220517
    Content-Type: text/html
    Location: https://example.com/foo
    ...
But there seems to be no way for bozohttpd to return a relative URL (endorsed by RFC 7231, Sec. 7.1.2 `Location') like:
    $ curl http://...
    HTTP/1.1 301 Document Moved
    Server: bozohttpd/20220517
    Content-Type: text/html
    Location: //example.com/foo
    ...
This would be nice to have to allow a site to work over HTTP or HTTPS behind a CDN -- e.g., right now, http://cdn.NetBSD.org/pub/NetBSD-daily unconditionally redirects to https://nycdn.NetBSD.org/pub/NetBSD-daily but it would be nice if it redirected to //nycdn.NetBSD.org/pub/NetBSD-daily so the browser can stay in the same scheme.
It may also be more important for a setup where bozohttpd doesn't terminate TLS itself and instead serves to a front end load balancer.
>How-To-Repeat:
>Fix:
Possibilities:
1. Change the existing semantics of .bzabsredirect -> <host>/<path> so that bozohttpd returns a scheme-relative URL: `Location: //<host>/<path>'.
2. Instead of changing the semantics for that form, do so instead for .bzabsredirect -> //<host>/<path>, so users can opt into it.
In principle this could have been meant to be an absolute local path on the file system, with a redundant / at the root, but even POSIX endorses treating pathnames that begin with `//' specially:
`Multiple successive <slash> characters are considered to be the same as one <slash>, except for the case of exactly two leading <slash> characters.' (https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_271)
`If a pathname begins with two successive <slash> characters, the first component following the leading <slash> characters may be interpreted in an implementation-defined manner, although more than two leading <slash> characters shall be treated as a single <slash> character.' https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_13
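
Added example, not part of the original PR and not bozohttpd source: a C sketch of the Location values described above, with the <host>/<path> form following the connection's scheme and possibility 2 passing a target with exactly two leading slashes through unchanged. The names has_scheme and build_location are hypothetical, and declining targets with one or with three or more leading slashes is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True if s starts with "<scheme>://" (RFC 3986 scheme characters). */
static int
has_scheme(const char *s)
{
	if (!isalpha((unsigned char)*s))
		return 0;
	while (isalnum((unsigned char)*s) || *s == '+' || *s == '-' || *s == '.')
		s++;
	return strncmp(s, "://", 3) == 0;
}

/* Hypothetical helper (constructed here, not bozohttpd source): write the
 * Location value for a .bzabsredirect target into out.  tls is nonzero when
 * the server itself terminated TLS.  Returns 0, or -1 if the target is not
 * handled by this sketch or does not fit in out. */
int
build_location(const char *target, int tls, char *out, size_t outlen)
{
	int n;

	if (target == NULL || *target == '\0')
		return -1;
	if (has_scheme(target))		/* absolute URL: returned exactly */
		n = snprintf(out, outlen, "%s", target);
	else if (target[0] == '/' && target[1] == '/' &&
	    target[2] != '/' && target[2] != '\0')
		/* possibility 2: exactly two leading slashes, scheme-relative */
		n = snprintf(out, outlen, "%s", target);
	else if (target[0] == '/')	/* one slash, or three or more */
		return -1;
	else				/* <host>/<path>: follow the connection */
		n = snprintf(out, outlen, "%s://%s", tls ? "https" : "http", target);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int
main(void)
{
	char buf[128];

	if (build_location("//example.com/foo", 0, buf, sizeof buf) == 0)
		printf("Location: %s\n", buf);
	return 0;
}
```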