in reply to Re: Instant redirect from form input
in thread Instant redirect from form input

Please explain "internal redirect". My read of CGI.pm 2.46 shows that redirect() merely produces Status: 302 Moved and Location: headers, which get sent back to the browser. How could this result in private pages being made visible?

Is there something going on here that isn't obvious?

Update: I've tried this on both IIS and Apache, and in both cases a Location: header is sent back to the browser, even for a scheme-less URL.

I may have misunderstood what you meant by "internal transfer," which seemed to imply that this could expose files that weren't otherwise available to a browser that knew their name.

Update*2: It turns out that the behavior I'm observing and the behavior merlyn is claiming are based, at least for Apache, on the presence or absence of the Status: 302 header. With that header present, Apache generates an external redirect, though IIS will generate an internal one.

That is,

    print "Location: /xyz/foo.txt\n\n";

and

    use CGI; my $q = new CGI(); print $q->redirect("/xyz/foo.txt");

will yield different results on Apache (1.3.17) and IIS 4.0. Bleh.

Re: Re: Re: Instant redirect from form input
by merlyn (Sage) on Mar 14, 2001 at 07:14 UTC
    If the Location: header doesn't start with a scheme, it's an internal redirect, which is a CGI operation, not an HTTP operation. The browser doesn't refetch a page, and everything gets pretty mucked up at that.

    -- Randal L. Schwartz, Perl hacker
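
An added example, not code from either poster: one way to keep a redirect from depending on how the server treats a scheme-less Location: value is to always emit an absolute URL and to accept only plain local paths as targets. The origin `https://www.example.test`, the sub name `external_redirect` and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the site's canonical origin comes from configuration, not
# from request headers. example.test is a placeholder.
my $ORIGIN = 'https://www.example.test';

# Build the CGI header block for a client (external) redirect.
# Returns undef (in scalar context) if the target is not a plain local path.
sub external_redirect {
    my ($path) = @_;
    return unless defined $path;
    # Exactly one leading slash ("//host" is a network-path reference),
    # no backslashes, and no control characters such as CR/LF that could
    # start a second header line.
    return unless $path =~ m{\A/(?!/)[^\\\x00-\x1f\x7f]*\z};
    # The scheme is always present, so the Location: value can never be
    # read as a local path and served as an internal redirect.
    return "Status: 302 Found\r\n"
         . "Location: $ORIGIN$path\r\n"
         . "\r\n";
}

# Constructed sample inputs, as they might arrive from a form field.
my @targets = (
    '/xyz/foo.txt',              # local path: accepted
    'xyz/foo.txt',               # no leading slash: rejected
    '//other.test/x',            # network-path reference: rejected
    "/ok\r\nSet-Cookie: a=b",    # CR/LF in the value: rejected
);

for my $target (@targets) {
    my $headers = external_redirect($target);
    # Make CR/LF visible when echoing the input.
    (my $shown = $target) =~ s/([\r\n])/sprintf '\\x%02x', ord $1/ge;
    if (defined $headers) {
        print "accepted $shown\n$headers";
    }
    else {
        print "rejected $shown\n";
    }
}
```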