This makes Squid send an HTTP/1.1 307 status response to 1.1+ clients if
the deny_info directive is used to redirect non-GET/HEAD requests.
Current behaviour is to use a 302, which browsers will prevent
displaying for security protection against injection attacks. Using 307
will give browsers a better chance to identify the redirects and handle
them safely.
3.2+ has a different patch coming which allows configuration of the 3xx
status code to override this default.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
=== modified file 'src/errorpage.cc'
--- src/errorpage.cc 2010-09-30 04:38:54 +0000
+++ src/errorpage.cc 2010-11-17 04:14:28 +0000
@@ -870,7 +870,10 @@
if (strchr(name, ':')) {
/* Redirection */
- rep->setHeaders(HTTP_MOVED_TEMPORARILY, NULL, "text/html", 0, 0, -1);
+ if (request->method != METHOD_GET && request->method != METHOD_HEAD && request->http_ver >= HttpVersion(1,1))
+ rep->setHeaders(HTTP_TEMPORARY_REDIRECT, NULL, "text/html", 0, 0, -1);
+ else
+ rep->setHeaders(HTTP_MOVED_TEMPORARILY, NULL, "text/html", 0, 0, -1);
if (request) {
char *quoted_url = rfc1738_escape_part(urlCanonical(request));
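Review bot: The added condition dereferences `request->method` and `request->http_ver` before the existing `if (request) {` check that follows it in the unchanged context. That check implies `request` may be NULL at this point, in which case the new line would crash. Consider adding `request &&` at the front of the condition so the 302 branch stays the fallback, or moving the status selection inside the `if (request)` block. A short comment saying that 307 is only sent for non-GET/HEAD requests from HTTP/1.1+ clients would also help the next reader.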