https://bz.apache.org/bugzilla/show_bug.cgi?id=57785

            Bug ID: 57785
           Summary: REDIRECT_URL is not suitable for use in
                    server-generated pages
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: [email protected]
          Reporter: [email protected]

The non-standard REDIRECT_URL environment variable is introduced in UTIL_SCRIPT
in r1053363.  Although the commit message is not clear, it appears to be
intended to serve as a "return to" URL when the server executes an internal
redirect.

To serve correctly as such, it must return a full URL.  Instead, it simply
returns r->prev->uri, which is likely to be a relative URL, and may resolve
incorrectly in an application.

The example we recently encountered was using mod_auth_form, where we needed to
patch util_script to generate a variable we could use with SSI in
<input type="hidden" name="httpd_location_old" value="<!--#echo
var="REDIRECT_URL"-->">.

I propose to tidy my patch and apply in trunk.  I'll also check whether pr53772
might be low-hanging fruit for this patch.
