From: Amos Jeffries Date: Fri, 14 Jan 2011 06:30:28 +0000 (-0700) Subject: HTTP/1.1 support: Send 307 status on deny_info redirection X-Git-Tag: SQUID_3_1_11~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67c3f807171007dfb31c7a47496ae8a1e2ed77d2;p=thirdparty%2Fsquid.git HTTP/1.1 support: Send 307 status on deny_info redirection This makes Squid send an HTTP/1.1 307 status response to 1.1+ clients if the deny_info directive is used to redirect non-GET/HEAD requests. Current behaviour is to use a 302, which browsers will prevent displaying for security protection against injection attacks. Using 307 will give browsers a better chance to identify the redirects and handle them safely. --- diff --git a/src/cf.data.pre b/src/cf.data.pre index af58303e8c..7ebd859bc7 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -5381,7 +5381,7 @@ DOC_START Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys Alternatively you can specify an error URL. The browsers will - get redirected (302) to the specified URL. %s in the redirection + get redirected (302 or 307) to the specified URL. %s in the redirection URL will be replaced by the requested URL. Alternatively you can tell Squid to reset the TCP connection diff --git a/src/errorpage.cc b/src/errorpage.cc index 49908ce02a..80d548431a 100644 --- a/src/errorpage.cc +++ b/src/errorpage.cc @@ -870,7 +870,10 @@ ErrorState::BuildHttpReply() if (strchr(name, ':')) { /* Redirection */ - rep->setHeaders(HTTP_MOVED_TEMPORARILY, NULL, "text/html", 0, 0, -1); + if (request->method != METHOD_GET && request->method != METHOD_HEAD && request->http_ver >= HttpVersion(1,1)) + rep->setHeaders(HTTP_TEMPORARY_REDIRECT, NULL, "text/html", 0, 0, -1); + else + rep->setHeaders(HTTP_MOVED_TEMPORARILY, NULL, "text/html", 0, 0, -1); if (request) { char *quoted_url = rfc1738_escape_part(urlCanonical(request));
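Review bot: In the src/cf.data.pre hunk, the new wording "redirected (302 or 307)" does not say which status the administrator should expect. The src/errorpage.cc hunk of this same patch chooses 307 only when the request method is neither GET nor HEAD and the request's HTTP version is 1.1 or later, and 302 in every other case. The documentation should state that condition next to the two status codes so the behaviour of a deny_info URL is predictable from the config reference alone.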
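Review bot: In the src/errorpage.cc hunk, the added condition dereferences `request->method` and `request->http_ver` before the existing `if (request) {` check that follows in the trailing context, which implies request may be NULL at this point in ErrorState::BuildHttpReply(). Either put `request &&` at the front of the new condition or move the status selection inside the `if (request)` block, keeping HTTP_MOVED_TEMPORARILY as the fallback when there is no request. If request can never be NULL here, the later check is dead code and a comment or assertion saying so would make the intent clear.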