Reject redirects with invalid scheme (seanmonstar#2068)
jan-auer authored and Nutomic committed Nov 7, 2024
1 parent d1403ee commit 1fdc878
Showing 2 changed files with 20 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/async_impl/client.rs
@@ -2382,6 +2382,10 @@ impl Future for PendingRequest {
redirect::ActionKind::Follow => {
debug!("redirecting '{}' to '{}'", self.url, loc);

if loc.scheme() != "http" && loc.scheme() != "https" {
return Poll::Ready(Err(error::url_bad_scheme(loc)));
}

if self.client.https_only && loc.scheme() != "https" {
return Poll::Ready(Err(error::redirect(
error::url_bad_scheme(loc.clone()),
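Review bot: The new scheme check returns the bare `error::url_bad_scheme(loc)`, while the `https_only` branch directly below wraps the same error in `error::redirect(...)`, so a rejected server-supplied `Location` surfaces as a builder error rather than a redirect error. Callers and log pipelines that key on `err.is_redirect()` to notice redirect abuse will not see this rejection. Consider mirroring the sibling branch, e.g. `return Poll::Ready(Err(error::redirect(error::url_bad_scheme(loc.clone()), loc)));` — the second argument of the existing call is cut off in this view, so match whatever it passes. A one-line comment such as `// Location is server-controlled: only http(s) targets may be followed` would record why the check sits ahead of the `https_only` test; the `Follow` arm itself continues outside the hunk.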
16 changes: 16 additions & 0 deletions tests/redirect.rs
@@ -286,6 +286,22 @@ async fn test_invalid_location_stops_redirect_gh484() {
assert_eq!(res.status(), reqwest::StatusCode::FOUND);
}

#[tokio::test]
async fn test_invalid_scheme_is_rejected() {
let server = server::http(move |_req| async move {
http::Response::builder()
.status(302)
.header("location", "htt://www.yikes.com/")
.body(Body::default())
.unwrap()
});

let url = format!("http://{}/yikes", server.addr());

let err = reqwest::get(&url).await.unwrap_err();
assert!(err.is_builder());
}

#[cfg(feature = "cookies")]
#[tokio::test]
async fn test_redirect_302_with_set_cookies() {
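Review bot: `test_invalid_scheme_is_rejected` covers only a misspelled scheme (`htt://`) and asserts only `err.is_builder()`, so it would still pass if an unrelated builder error fired. The case that matters for a server-controlled `Location` is a well-formed non-HTTP scheme; a second case using a placeholder target such as `ftp://example.invalid/` would pin that. Asserting the rejected target as well, e.g. `assert_eq!(err.url().map(|u| u.as_str()), Some("htt://www.yikes.com/"));`, ties the failure to the redirect — this assumes the bad-scheme error records the URL, which the hunk does not show.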
