HTTP/1.1 support: Send 307 status on deny_info redirection

This makes Squid send an HTTP/1.1 307 status response to 1.1+ clients if
the deny_info directive is used to redirect non-GET/HEAD requests.

Current behaviour is to use a 302, which browsers will prevent
displaying for security protection against injection attacks. Using 307
will give browsers a better chance to identify the redirects and handle
them safely.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index af58303e8c4c83e9dc1815a2fcefa0959b67334f..7ebd859bc7f2fdef0862aa4a8b74aab2be0e1e82 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -5381,7 +5381,7 @@ DOC_START
            Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
 
        Alternatively you can specify an error URL. The browsers will
-       get redirected (302) to the specified URL. %s in the redirection
+       get redirected (302 or 307) to the specified URL. %s in the redirection
        URL will be replaced by the requested URL.
 
        Alternatively you can tell Squid to reset the TCP connection

diff --git a/src/errorpage.cc b/src/errorpage.cc
index 49908ce02a0b45ab7fd64cdb23870f760552163a..80d548431abd6e2327da0b6ef8b41100e1352a2b 100644 (file)
--- a/src/errorpage.cc
+++ b/src/errorpage.cc
@@ -870,7 +870,10 @@ ErrorState::BuildHttpReply()
 
     if (strchr(name, ':')) {
         /* Redirection */
-        rep->setHeaders(HTTP_MOVED_TEMPORARILY, NULL, "text/html", 0, 0, -1);
+        if (request->method != METHOD_GET && request->method != METHOD_HEAD && request->http_ver >= HttpVersion(1,1))
+            rep->setHeaders(HTTP_TEMPORARY_REDIRECT, NULL, "text/html", 0, 0, -1);
+        else
+            rep->setHeaders(HTTP_MOVED_TEMPORARILY, NULL, "text/html", 0, 0, -1);
 
         if (request) {
             char *quoted_url = rfc1738_escape_part(urlCanonical(request));