fix: prevent multiple location headers on redirect (#3298) (#3311)

leptos-rs · Dec 2, 2024 · fcba8b3 · fcba8b3
1 parent d665dd4
commit fcba8b3
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/integrations/actix/src/lib.rs b/integrations/actix/src/lib.rs
@@ -375,8 +375,8 @@ pub fn handle_server_fns_with_context(
                                     .take(),
                             );
 
-                            // it it accepts text/html (i.e., is a plain form post) and doesn't already have a
-                            // Location set, then redirect to to Referer
+                            // if it accepts text/html (i.e., is a plain form post) and doesn't already have a
+                            // Location set, then redirect to the Referer
                             if accepts_html {
                                 if let Some(referrer) = referrer {
                                     let has_location =
@@ -390,7 +390,20 @@ pub fn handle_server_fns_with_context(
                                 }
                             }
 
-                            // apply status code and headers if used changed them
+                            // the Location header may have been set to Referer, so any redirection by the
+                            // user must overwrite it
+                            {
+                                let mut res_options = res_options.0.write();
+                                let headers = res.0.headers_mut();
+
+                                for location in
+                                    res_options.headers.remove(header::LOCATION)
+                                {
+                                    headers.insert(header::LOCATION, location);
+                                }
+                            }
+
+                            // apply status code and headers if user changed them
                             res.extend_response(&res_options);
                             res.0
                         })

diff --git a/integrations/axum/src/lib.rs b/integrations/axum/src/lib.rs
@@ -399,8 +399,8 @@ async fn handle_server_fns_inner(
                     // actually run the server fn
                     let mut res = AxumResponse(service.run(req).await);
 
-                    // it it accepts text/html (i.e., is a plain form post) and doesn't already have a
-                    // Location set, then redirect to to Referer
+                    // if it accepts text/html (i.e., is a plain form post) and doesn't already have a
+                    // Location set, then redirect to the Referer
                     if accepts_html {
                         if let Some(referrer) = referrer {
                             let has_location =
@@ -412,7 +412,7 @@ async fn handle_server_fns_inner(
                         }
                     }
 
-                    // apply status code and headers if used changed them
+                    // apply status code and headers if user changed them
                     res.extend_response(&res_options);
                     Ok(res.0)
                 })