https://bz.apache.org/bugzilla/show_bug.cgi?id=65105

            Bug ID: 65105
           Summary: http condition does not follow http to https redirect
           Product: Ant
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core tasks
          Assignee: notifications@ant.apache.org
          Reporter: ma...@apache.org
  Target Milestone: ---

The Apache Ant team may wish to move this to an enhancement.

While investigating Apache Tomcat bug 65102, I have identified what, for me at
least, is unexpected behaviour of the http condition.

Redirects from http to http are followed as expected.
Redirects from https to https are followed as expected.
Redirects from http to https are not followed. This is unexpected.

This triggered a failure in the Tomcat build script when an original download
URL was provided with an http URL that redirected (via the ASF mirror system)
to an https URL and the script checked it was valid before performing the
actual download.

The behaviour traces back to a deliberate decision by the Java team not to
follow redirects across protocols - including http to https:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4620571

While I can see an argument for not following https to http redirection (at
least by default, but there are edge cases where I would consider this safe),
in the context of a build tool such as Ant, following an http to https
redirect seems reasonable.

Just as a suggestion, maybe two new attributes for this condition:
- allowSecureRedirects: Defaults to true. Allows http->https
- allowInsecureRedirects: Defaults to false. Allows https->http

Tomcat has worked around this problem so it does not represent an immediate
issue for us.

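The redirect policy suggested in the report, as an added example that is not part of the original report and is not Ant's code. The class name, the two static flags (named after the suggested attributes), the `lookup` function and the `mirror.example` URLs are assumptions made for illustration; the redirect table is constructed so the example runs offline.

```java
import java.net.URI;
import java.util.Map;
import java.util.function.Function;

public class RedirectPolicyDemo {
    // Hypothetical flags mirroring the two attributes suggested in the report.
    static boolean allowSecureRedirects = true;    // http -> https
    static boolean allowInsecureRedirects = false; // https -> http

    /** True if the flags permit following a redirect from one URI to another. */
    static boolean mayFollow(URI from, URI to) {
        boolean fromTls = "https".equalsIgnoreCase(from.getScheme());
        boolean toTls = "https".equalsIgnoreCase(to.getScheme());
        boolean fromHttp = fromTls || "http".equalsIgnoreCase(from.getScheme());
        boolean toHttp = toTls || "http".equalsIgnoreCase(to.getScheme());
        if (!fromHttp || !toHttp) return false; // never leave http/https (file:, ftp:, ...)
        if (fromTls == toTls) return true;      // same protocol on both sides
        return toTls ? allowSecureRedirects : allowInsecureRedirects;
    }

    // 'location' returns the Location value for a URI, or null for a final response.
    // Live code would back it with HttpURLConnection, automatic following disabled.
    static URI resolve(URI start, Function<URI, String> location, int maxHops) {
        URI current = start;
        for (int hop = 0; hop < maxHops; hop++) {
            String loc = location.apply(current);
            if (loc == null) return current;      // not a redirect: done
            URI next = current.resolve(loc);      // Location may be relative
            if (!mayFollow(current, next))
                throw new IllegalStateException("refused " + current + " -> " + next);
            current = next;
        }
        throw new IllegalStateException("too many redirects from " + start);
    }

    public static void main(String[] args) {
        // Constructed redirect table standing in for server responses.
        Map<String, String> hops = Map.of(
            "http://mirror.example/dist/a.tar.gz", "https://mirror.example/dist/a.tar.gz",
            "https://mirror.example/old", "http://mirror.example/new");
        Function<URI, String> lookup = u -> hops.get(u.toString());
        System.out.println(resolve(URI.create("http://mirror.example/dist/a.tar.gz"), lookup, 5));
        try {
            resolve(URI.create("https://mirror.example/old"), lookup, 5);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage()); // downgrade refused by default
        }
    }
}
```

With the default flags the first lookup ends at the https URL and the second is refused as an https to http downgrade.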