_HTTPConnection: check location on _should_follow_redirect() and retain safe request when following redirects (#2409)

garenchan · bdarnell · commit 859a038eb9c1 · 2018-06-27T21:08:41.000-04:00
diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
@@ -210,6 +210,7 @@ def _on_timeout(self, key, info=None):
 
 class _HTTPConnection(httputil.HTTPMessageDelegate):
     _SUPPORTED_METHODS = set(["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"])
+    _SAFE_METHODS = set(["GET", "HEAD", "OPTIONS"])
 
     def __init__(self, client, request, release_callback,
                  final_callback, max_buffer_size, tcp_client,
@@ -496,7 +497,8 @@ def headers_received(self, first_line, headers):
     def _should_follow_redirect(self):
         return (self.request.follow_redirects and
                 self.request.max_redirects > 0 and
-                self.code in (301, 302, 303, 307, 308))
+                self.code in (301, 302, 303, 307, 308) and
+                self.headers.get("Location") is not None)
 
     def finish(self):
         data = b''.join(self.chunks)
@@ -517,8 +519,9 @@ def finish(self):
             # treat 302 the same as 303, and many servers use 302 for
             # compatibility with pre-HTTP/1.1 user agents which don't
             # understand the 303 status.
-            if self.code in (302, 303):
-                new_request.method = "GET"
+            if self.code in (301, 302, 303):
+                if self.request.method not in self._SAFE_METHODS:
+                    new_request.method = "GET"
                 new_request.body = None
                 for h in ["Content-Length", "Content-Type",
                           "Content-Encoding", "Transfer-Encoding"]:
