0

I recently came across a server that's sending a Location header (for a redirect) that looks like this:

Location: http://www.example.com/something.ext?auth=123|123

When I try to use this in my Java program it complains about an "Illegal character in query" and fails.

So is the server doing something incorrect? Is this legal?

yydl
  • 24,284
  • 16
  • 65
  • 104
  • @AdamBernier Don't think so: I'm specifically asking about the Location header. – yydl Feb 24 '12 at 03:02
  • @yddl Even though the URL is located in the Location header, it still must follow the definition of a URL. – Brad Rem Mar 11 '14 at 16:13

1 Answers1

2

Use escapes:

| is escaped with %7C, so your URL becomes:

Location: http://www.example.com/something.ext?auth=123%7C123

Location header as per HTTP/1.1 is defined as:

Location       = "Location" ":" absoluteURI

Per HTTP/1.1:

For definitive information on URL syntax and semantics, see "Uniform Resource Identifiers (URI): Generic Syntax and Semantics," RFC 2396

RFC 2396 is obsoleted by RFC 3986, which requires escaping of some characters (see the RFC for the definitive information). It's the responsibility of the source to provide the correct URL, so yes - you are responsible to provide a correctly escaped URL in this case.

Community
  • 1
  • 1
icyrock.com
  • 27,952
  • 4
  • 66
  • 85
  • So are you saying it's the responsibility of the client (i.e. me) to do this escaping? – yydl Feb 24 '12 at 03:03
  • That's correct - see my edit for a bit more information. Basically, as a source, you need to provide the correct URL. – icyrock.com Feb 24 '12 at 03:21
  • Well to be clear I'm not the server. I just happened to have come across a server that exhibits this behavior. So to be clear: you're saying that I'm not the one doing anything incorrect, and that the server should be giving me an escaped url, right? – yydl Feb 24 '12 at 03:25
  • 1
    Yes - whoever is **sending** the URI should be responsible for escaping it. In this case, you are the **receiver** from the server that is giving you wrong URIs. In this case, you'll probably have to use (or write if there's none) some pre-processor that will convert these for your application. – icyrock.com Feb 24 '12 at 03:30