Message 27431 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jjlee
Recipients
Date	2006-02-06.20:24:25
SpamBayes Score
Marked as misclassified
Message-id
In-reply-to

Content
Logged In: YES user_id=261020 First, anyone replying to this, please read this page (and the whole of this tracker note!) first: http://ppewww.ph.gla.ac.uk/~flavell/www/post-redirect.html kxroberto: you say that with standard urllibX error handling you cannot get an exception on redirected 301/302/307 POST. That's not true of urllib2, since you may override HTTPRedirectHandler.redirect_request(), which method was designed and documented for precisely that purpose. It seems sensible to have a default that does what virtually all browsers do (speaking as a long-time lynx user!). I don't know about the urllib case. It's perfectly reasonable to extend urllib (if necessary) to allow the option of raising an exception. Note that (IIRC!) urllib's exceptions do not contain the response body data, however (urllib2's HTTPErrors do contain the response body data). It would of course break backwards compatibility to start raising exceptions by default here. I don't think it's reasonable to break old code on the basis of a notional security issue when the de-facto standard web client behaviour is to do the redirect. In reality, the the only "security" value of the original prescriptive rule was as a convention to be followed by white-hat web programmers and web client implementors to help users avoid unintentionally re-submitting non-idempotent requests. Since that convention is NOT followed in the real world (lynx doesn't count as the real world ;-), I see no value in sticking rigidly to the original RFC spec -- especially when 2616 even provides 307 precisely in response to this problem. Other web client libraries, for example libwww-perl and Java HTTPClient, do the same as Python here IIRC. RFC 2616 section 10.3.4 even suggests web programmers use 302 to get the behaviour you complain about! The only doubtful case here is 301. A decision was made on the default behaviour in that case back when the tracker item I pointed you to was resolved. I think it's a mistake to change our minds again on that default behaviour. kxroberto.seek(nrBytes) assert kxroberto.readline() == """\ To redirect POST as GET _while_ simply loosing (!) the data (and not appending it to the GET-URL) is most bad for a lib.""" No. There is no value in supporting behaviour which is simply contrary to both de-facto and prescriptive standards (see final paragraph of RFC 2616 section 10.3.3: if we accept the "GET on POST redirect" rule, we must accept that the Location header is exactly the URL that should be followed). FYI, many servers return a redirect URL containing the urlencoded POST data from the original request. kxroberto: """Don't know if the MS & netscape's also transpose to GET with long data? ...""" urllib2's behaviour (and urllib's, I believe) on these issues is identical to that of IE and Firefox. jimjewett: """In theory, a GET may be automatic, but a POST requires user interaction, so the user can be held accountable for the results of a POST, but not of a GET.""" That theory has been experimentally falsified ;-)

Logged In: YES 
user_id=261020

First, anyone replying to this, *please* read this page (and
the whole of this tracker note!) first:

http://ppewww.ph.gla.ac.uk/~flavell/www/post-redirect.html


kxroberto: you say that with standard urllibX error handling
you cannot get an exception on redirected 301/302/307 POST.
 That's not true of urllib2, since you may override
HTTPRedirectHandler.redirect_request(), which method was
designed and documented for precisely that purpose.  It
seems sensible to have a default that does what virtually
all browsers do (speaking as a long-time lynx user!).  I
don't know about the urllib case.

It's perfectly reasonable to extend urllib (if necessary) to
allow the option of raising an exception.  Note that (IIRC!)
 urllib's exceptions do not contain the response body data,
however (urllib2's HTTPErrors do contain the response body
data).

It would of course break backwards compatibility to start
raising exceptions by default here.  I don't think it's
reasonable to break old code on the basis of a notional
security issue when the de-facto standard web client
behaviour is to do the redirect.  In reality, the the only
"security" value of the original prescriptive rule was as a
convention to be followed by white-hat web programmers and
web client implementors to help users avoid unintentionally
re-submitting non-idempotent requests.  Since that
convention is NOT followed in the real world (lynx doesn't
count as the real world ;-), I see no value in sticking
rigidly to the original RFC spec -- especially when 2616
even provides 307 precisely in response to this problem. 
Other web client libraries, for example libwww-perl and Java
HTTPClient, do the same as Python here IIRC.  RFC 2616
section 10.3.4 even suggests web programmers use 302 to get
the behaviour you complain about!

The only doubtful case here is 301.  A decision was made on
the default behaviour in that case back when the tracker
item I pointed you to was resolved.  I think it's a mistake
to change our minds again on that default behaviour.


kxroberto.seek(nrBytes)
assert kxroberto.readline() == """\
To redirect POST as GET _while_ simply loosing (!) the data
(and not appending it to the GET-URL) is most bad for a lib."""

No.  There is no value in supporting behaviour which is
simply contrary to both de-facto and prescriptive standards
(see final paragraph of RFC 2616 section 10.3.3: if we
accept the "GET on POST redirect" rule, we must accept that
the Location header is exactly the URL that should be
followed).  FYI, many servers return a redirect URL
containing the urlencoded POST data from the original request.


kxroberto: """Don't know if the MS & netscape's also
transpose to GET with long data? ..."""

urllib2's behaviour (and urllib's, I believe) on these
issues is identical to that of IE and Firefox.


jimjewett: """In theory, a GET may be automatic, but a POST
requires user interaction, so the user can be held
accountable for the results of a POST, but not of a GET."""

That theory has been experimentally falsified ;-)

History
Date	User	Action	Args
2007-08-23 14:37:39	admin	link	issue1424148 messages
2007-08-23 14:37:39	admin	create