fix: improper handling of relative location header (#1523)

nodejs · Jul 4, 2022 · 42c43f2 · 42c43f2
1 parent 57e2434
commit 42c43f2
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 2 deletions.
diff --git a/lib/handler/redirect.js b/lib/handler/redirect.js
@@ -99,7 +99,7 @@ class RedirectHandler {
       return this.handler.onHeaders(statusCode, headers, resume, statusText)
     }
 
-    const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin))
+    const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)))
     const path = search ? `${pathname}${search}` : pathname
 
     // Remove headers referring to the original URL.

diff --git a/test/redirect-relative.js b/test/redirect-relative.js
@@ -0,0 +1,22 @@
+'use strict'
+
+const t = require('tap')
+const { request } = require('..')
+const {
+  startRedirectingWithRelativePath
+} = require('./utils/redirecting-servers')
+
+t.test('should redirect to relative URL according to RFC 7231', async t => {
+  t.plan(2)
+
+  const server = await startRedirectingWithRelativePath(t)
+
+  const { statusCode, body } = await request(`http://${server}`, {
+    maxRedirections: 3
+  })
+
+  const finalPath = await body.text()
+
+  t.equal(statusCode, 200)
+  t.equal(finalPath, '/absolute/b')
+})
diff --git a/test/utils/redirecting-servers.js b/test/utils/redirecting-servers.js
@@ -178,11 +178,33 @@ async function startRedirectingWithAuthorization (t, authorization) {
   return [server1, server2]
 }
 
+async function startRedirectingWithRelativePath (t) {
+  const server = await startServer(t, (req, res) => {
+    res.setHeader('Connection', 'close')
+
+    if (req.url === '/') {
+      res.statusCode = 301
+      res.setHeader('Location', '/absolute/a')
+      res.end('')
+    } else if (req.url === '/absolute/a') {
+      res.statusCode = 301
+      res.setHeader('Location', 'b')
+      res.end('')
+    } else {
+      res.statusCode = 200
+      res.end(req.url)
+    }
+  })
+
+  return server
+}
+
 module.exports = {
   startServer,
   startRedirectingServer,
   startRedirectingWithBodyServer,
   startRedirectingWithoutLocationServer,
   startRedirectingChainServers,
-  startRedirectingWithAuthorization
+  startRedirectingWithAuthorization,
+  startRedirectingWithRelativePath
 }