_HTTPConnection: check location on _should_follow_redirect() and retain safe request...

diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
index 60b7956fe320166cfda79abb4dc7bb0f013c9bc2..03cac3d2a99733bc59ba147cd21c4a6d6bb8e689 100644 (file)
--- a/tornado/simple_httpclient.py
+++ b/tornado/simple_httpclient.py
@@ -210,6 +210,7 @@ class SimpleAsyncHTTPClient(AsyncHTTPClient):
 
 class _HTTPConnection(httputil.HTTPMessageDelegate):
     _SUPPORTED_METHODS = set(["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"])
+    _SAFE_METHODS = set(["GET", "HEAD", "OPTIONS"])
 
     def __init__(self, client, request, release_callback,
                  final_callback, max_buffer_size, tcp_client,
@@ -496,7 +497,8 @@ class _HTTPConnection(httputil.HTTPMessageDelegate):
     def _should_follow_redirect(self):
         return (self.request.follow_redirects and
                 self.request.max_redirects > 0 and
-                self.code in (301, 302, 303, 307, 308))
+                self.code in (301, 302, 303, 307, 308) and
+                self.headers.get("Location") is not None)
 
     def finish(self):
         data = b''.join(self.chunks)
@@ -517,8 +519,9 @@ class _HTTPConnection(httputil.HTTPMessageDelegate):
             # treat 302 the same as 303, and many servers use 302 for
             # compatibility with pre-HTTP/1.1 user agents which don't
             # understand the 303 status.
-            if self.code in (302, 303):
-                new_request.method = "GET"
+            if self.code in (301, 302, 303):
+                if self.request.method not in self._SAFE_METHODS:
+                    new_request.method = "GET"
                 new_request.body = None
                 for h in ["Content-Length", "Content-Type",
                           "Content-Encoding", "Transfer-Encoding"]: