From fcba8b3b17a26d4d3cb30d1460f83509fefe6b21 Mon Sep 17 00:00:00 2001
From: Gabriel Lopes Veiga <veigo@veigo.dev>
Date: Sun, 1 Dec 2024 23:54:35 -0300
Subject: [PATCH] fix: prevent multiple location headers on redirect (#3298)
 (#3311)

---
 integrations/actix/src/lib.rs | 19 ++++++++++++++++---
 integrations/axum/src/lib.rs  |  6 +++---
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/integrations/actix/src/lib.rs b/integrations/actix/src/lib.rs
index ee0d112c90..bdf9d61a9d 100644
--- a/integrations/actix/src/lib.rs
+++ b/integrations/actix/src/lib.rs
@@ -375,8 +375,8 @@ pub fn handle_server_fns_with_context(
                                     .take(),
                             );
 
-                            // it it accepts text/html (i.e., is a plain form post) and doesn't already have a
-                            // Location set, then redirect to to Referer
+                            // if it accepts text/html (i.e., is a plain form post) and doesn't already have a
+                            // Location set, then redirect to the Referer
                             if accepts_html {
                                 if let Some(referrer) = referrer {
                                     let has_location =
@@ -390,7 +390,20 @@ pub fn handle_server_fns_with_context(
                                 }
                             }
 
-                            // apply status code and headers if used changed them
+                            // the Location header may have been set to Referer, so any redirection by the
+                            // user must overwrite it
+                            {
+                                let mut res_options = res_options.0.write();
+                                let headers = res.0.headers_mut();
+
+                                for location in
+                                    res_options.headers.remove(header::LOCATION)
+                                {
+                                    headers.insert(header::LOCATION, location);
+                                }
+                            }
+
+                            // apply status code and headers if user changed them
                             res.extend_response(&res_options);
                             res.0
                         })
diff --git a/integrations/axum/src/lib.rs b/integrations/axum/src/lib.rs
index b3c52d8bc8..9c4ac0b22d 100644
--- a/integrations/axum/src/lib.rs
+++ b/integrations/axum/src/lib.rs
@@ -399,8 +399,8 @@ async fn handle_server_fns_inner(
                     // actually run the server fn
                     let mut res = AxumResponse(service.run(req).await);
 
-                    // it it accepts text/html (i.e., is a plain form post) and doesn't already have a
-                    // Location set, then redirect to to Referer
+                    // if it accepts text/html (i.e., is a plain form post) and doesn't already have a
+                    // Location set, then redirect to the Referer
                     if accepts_html {
                         if let Some(referrer) = referrer {
                             let has_location =
@@ -412,7 +412,7 @@ async fn handle_server_fns_inner(
                         }
                     }
 
-                    // apply status code and headers if used changed them
+                    // apply status code and headers if user changed them
                     res.extend_response(&res_options);
                     Ok(res.0)
                 })