From 859a038eb9c1af99d3871c9972f0826a1d05475d Mon Sep 17 00:00:00 2001 From: garenchan <1412950785@qq.com> Date: Thu, 28 Jun 2018 09:08:41 +0800 Subject: [PATCH] _HTTPConnection: check location on _should_follow_redirect() and retain safe request when following redirects (#2409) --- tornado/simple_httpclient.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py index 60b7956fe..03cac3d2a 100644 --- a/tornado/simple_httpclient.py +++ b/tornado/simple_httpclient.py @@ -210,6 +210,7 @@ class SimpleAsyncHTTPClient(AsyncHTTPClient): class _HTTPConnection(httputil.HTTPMessageDelegate): _SUPPORTED_METHODS = set(["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]) + _SAFE_METHODS = set(["GET", "HEAD", "OPTIONS"]) def __init__(self, client, request, release_callback, final_callback, max_buffer_size, tcp_client, @@ -496,7 +497,8 @@ class _HTTPConnection(httputil.HTTPMessageDelegate): def _should_follow_redirect(self): return (self.request.follow_redirects and self.request.max_redirects > 0 and - self.code in (301, 302, 303, 307, 308)) + self.code in (301, 302, 303, 307, 308) and + self.headers.get("Location") is not None) def finish(self): data = b''.join(self.chunks) @@ -517,8 +519,9 @@ class _HTTPConnection(httputil.HTTPMessageDelegate): # treat 302 the same as 303, and many servers use 302 for # compatibility with pre-HTTP/1.1 user agents which don't # understand the 303 status. - if self.code in (302, 303): - new_request.method = "GET" + if self.code in (301, 302, 303): + if self.request.method not in self._SAFE_METHODS: + new_request.method = "GET" new_request.body = None for h in ["Content-Length", "Content-Type", "Content-Encoding", "Transfer-Encoding"]: -- 2.47.2