HTTPCLIENT-2372 - Normalize HttpHost port comparison to treat implicit default ports as equal (#643)

arturobernalg · web-flow · commit 5cef6edeb74d · 2025-06-05T18:17:09.000+02:00
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultRedirectStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultRedirectStrategy.java
@@ -32,6 +32,7 @@
 import java.util.Iterator;
 import java.util.Locale;
 
+import org.apache.hc.client5.http.SchemePortResolver;
 import org.apache.hc.client5.http.protocol.RedirectStrategy;
 import org.apache.hc.client5.http.utils.URIUtils;
 import org.apache.hc.core5.annotation.Contract;
@@ -56,18 +57,44 @@
 @Contract(threading = ThreadingBehavior.STATELESS)
 public class DefaultRedirectStrategy implements RedirectStrategy {
 
+    private final SchemePortResolver schemePortResolver;
+
     /**
      * Default instance of {@link DefaultRedirectStrategy}.
      */
     public static final DefaultRedirectStrategy INSTANCE = new DefaultRedirectStrategy();
 
+    /**
+     * Creates a new {@code DefaultRedirectStrategy} using the given {@link SchemePortResolver}.
+     * If {@code schemePortResolver} is {@code null}, this will default to
+     * {@link DefaultSchemePortResolver#INSTANCE}.
+     *
+     * @param schemePortResolver the resolver to use for determining default ports
+     * @since 5.6
+     */
+    public DefaultRedirectStrategy(final SchemePortResolver schemePortResolver) {
+        this.schemePortResolver = schemePortResolver != null ? schemePortResolver : DefaultSchemePortResolver.INSTANCE;
+    }
+
+    /**
+     * Creates a new {@code DefaultRedirectStrategy} with the default
+     * {@link DefaultSchemePortResolver#INSTANCE}.
+     *
+     * @since 5.6
+     */
+    public DefaultRedirectStrategy() {
+        this(null);
+    }
+
     @Override
     public boolean isRedirectAllowed(
             final HttpHost currentTarget,
             final HttpHost newTarget,
             final HttpRequest redirect,
             final HttpContext context) {
-        if (!currentTarget.equals(newTarget)) {
+
+        // If authority (host + effective port) differs, strip sensitive headers
+        if (!isSameAuthority(currentTarget, newTarget)) {
             for (final Iterator<Header> it = redirect.headerIterator(); it.hasNext(); ) {
                 final Header header = it.next();
                 if (header.isSensitive()
@@ -80,6 +107,20 @@ public boolean isRedirectAllowed(
         return true;
     }
 
+    private boolean isSameAuthority(final HttpHost h1, final HttpHost h2) {
+        if (h1 == null || h2 == null) {
+            return false;
+        }
+        final String host1 = h1.getHostName();
+        final String host2 = h2.getHostName();
+        if (!host1.equalsIgnoreCase(host2)) {
+            return false;
+        }
+        final int port1 = schemePortResolver.resolve(h1);
+        final int port2 = schemePortResolver.resolve(h2);
+        return port1 == port2;
+    }
+
     @Override
     public boolean isRedirected(
             final HttpRequest request,
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java
@@ -836,7 +836,7 @@ public CloseableHttpAsyncClient build() {
         if (!redirectHandlingDisabled) {
             RedirectStrategy redirectStrategyCopy = this.redirectStrategy;
             if (redirectStrategyCopy == null) {
-                redirectStrategyCopy = DefaultRedirectStrategy.INSTANCE;
+                redirectStrategyCopy = schemePortResolver != null ? new DefaultRedirectStrategy(schemePortResolver) : DefaultRedirectStrategy.INSTANCE;
             }
             execChainDefinition.addFirst(
                     new AsyncRedirectExec(routePlannerCopy, redirectStrategyCopy),
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
@@ -1023,7 +1023,7 @@ public CloseableHttpAsyncClient build() {
         if (!redirectHandlingDisabled) {
             RedirectStrategy redirectStrategyCopy = this.redirectStrategy;
             if (redirectStrategyCopy == null) {
-                redirectStrategyCopy = DefaultRedirectStrategy.INSTANCE;
+                redirectStrategyCopy = schemePortResolver != null ? new DefaultRedirectStrategy(schemePortResolver) : DefaultRedirectStrategy.INSTANCE;
             }
             execChainDefinition.addFirst(
                     new AsyncRedirectExec(routePlannerCopy, redirectStrategyCopy),
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java
@@ -1011,7 +1011,7 @@ public CloseableHttpClient build() {
         if (!redirectHandlingDisabled) {
             RedirectStrategy redirectStrategyCopy = this.redirectStrategy;
             if (redirectStrategyCopy == null) {
-                redirectStrategyCopy = DefaultRedirectStrategy.INSTANCE;
+                redirectStrategyCopy = schemePortResolver != null ? new DefaultRedirectStrategy(schemePortResolver) : DefaultRedirectStrategy.INSTANCE;
             }
             execChainDefinition.addFirst(
                     new RedirectExec(routePlannerCopy, redirectStrategyCopy),
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/TestDefaultRedirectStrategy.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/TestDefaultRedirectStrategy.java
@@ -324,4 +324,48 @@ void testRedirectAllowed() throws Exception {
                 null));
     }
 
+
+
+
+    @Test
+    void testRedirectAllowedDefaultPortNormalization() {
+        final DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+
+        // HTTPS with explicit 443 vs HTTPS with no port (defaults to 443)
+        final HttpHost explicitHttps = new HttpHost("https", "example.com", 443);
+        final HttpHost implicitHttps = new HttpHost("https", "example.com", -1);
+        Assertions.assertTrue(redirectStrategy.isRedirectAllowed(
+                explicitHttps,
+                implicitHttps,
+                BasicRequestBuilder.get("/")
+                        .addHeader(HttpHeaders.AUTHORIZATION, "token")
+                        .build(),
+                null));
+        Assertions.assertTrue(redirectStrategy.isRedirectAllowed(
+                implicitHttps,
+                explicitHttps,
+                BasicRequestBuilder.get("/")
+                        .addHeader(HttpHeaders.COOKIE, "cookie=123")
+                        .build(),
+                null));
+
+        final HttpHost explicitHttp = new HttpHost("http", "example.org", 80);
+        final HttpHost implicitHttp = new HttpHost("http", "example.org", -1);
+        Assertions.assertTrue(redirectStrategy.isRedirectAllowed(
+                explicitHttp,
+                implicitHttp,
+                BasicRequestBuilder.get("/")
+                        .addHeader(HttpHeaders.AUTHORIZATION, "token123")
+                        .build(),
+                null));
+        Assertions.assertTrue(redirectStrategy.isRedirectAllowed(
+                implicitHttp,
+                explicitHttp,
+                BasicRequestBuilder.get("/")
+                        .addHeader(HttpHeaders.COOKIE, "cookie=abc")
+                        .build(),
+                null));
+    }
+
+
 }

Original file line number	Diff line number	Diff line change
`@@ -836,7 +836,7 @@ public CloseableHttpAsyncClient build() {`
`836`	`836`	`if (!redirectHandlingDisabled) {`
`837`	`837`	`RedirectStrategy redirectStrategyCopy = this.redirectStrategy;`
`838`	`838`	`if (redirectStrategyCopy == null) {`
`839`		`- redirectStrategyCopy = DefaultRedirectStrategy.INSTANCE;`
	`839`	`+ redirectStrategyCopy = schemePortResolver != null ? new DefaultRedirectStrategy(schemePortResolver) : DefaultRedirectStrategy.INSTANCE;`
`840`	`840`	`}`
`841`	`841`	`execChainDefinition.addFirst(`
`842`	`842`	`new AsyncRedirectExec(routePlannerCopy, redirectStrategyCopy),`
Original file line number	Diff line number	Diff line change
`@@ -1023,7 +1023,7 @@ public CloseableHttpAsyncClient build() {`
`1023`	`1023`	`if (!redirectHandlingDisabled) {`
`1024`	`1024`	`RedirectStrategy redirectStrategyCopy = this.redirectStrategy;`
`1025`	`1025`	`if (redirectStrategyCopy == null) {`
`1026`		`- redirectStrategyCopy = DefaultRedirectStrategy.INSTANCE;`
	`1026`	`+ redirectStrategyCopy = schemePortResolver != null ? new DefaultRedirectStrategy(schemePortResolver) : DefaultRedirectStrategy.INSTANCE;`
`1027`	`1027`	`}`
`1028`	`1028`	`execChainDefinition.addFirst(`
`1029`	`1029`	`new AsyncRedirectExec(routePlannerCopy, redirectStrategyCopy),`
Original file line number	Diff line number	Diff line change
`@@ -1011,7 +1011,7 @@ public CloseableHttpClient build() {`
`1011`	`1011`	`if (!redirectHandlingDisabled) {`
`1012`	`1012`	`RedirectStrategy redirectStrategyCopy = this.redirectStrategy;`
`1013`	`1013`	`if (redirectStrategyCopy == null) {`
`1014`		`- redirectStrategyCopy = DefaultRedirectStrategy.INSTANCE;`
	`1014`	`+ redirectStrategyCopy = schemePortResolver != null ? new DefaultRedirectStrategy(schemePortResolver) : DefaultRedirectStrategy.INSTANCE;`
`1015`	`1015`	`}`
`1016`	`1016`	`execChainDefinition.addFirst(`
`1017`	`1017`	`new RedirectExec(routePlannerCopy, redirectStrategyCopy),`