WebRequestPSCmdlet does not check existence of Location header when Authorization is present #6543
Description
The code introduced in #3885 seems to have introduced a regression bug which was quite hard to identify as the error message points to issues with the URI and not to anything related to redirection. The code introduced in the pull request initializes an URI using the Location Header, without first checking if the Location Header is present in the response of a redirect.. The HTTP RFC 7231 does not specify the Location Header to be mandatory and thus it's existence must be checked.
I discovered this while checking strange PowerShell errors when issuing a GET or HEAD request against a AWS S3 Bucket while connecting to the wrong region. AWS S3 does respond with HTTP 301 but without a Location header.
The issue only occurs if the Server responds with a redirect HTTP Status Code 3XX and without the Location header and if the client has specified the Authorization Header in the initial request.
The issue can probably be fixed by modifying line 1290 to if (stripAuthorization && IsRedirectCode(response.StatusCode) && response.Headers.Location).
I'd be glad to create a pull request to fix this issue if my analyzis is correct and the proposed change is the correct way to fix the issue.
Actual behavior
The following simple HEAD request demonstrates the unexpected error message:
Invoke-WebRequest -Uri https://s3.amazonaws.com/test-301-redirection/ -Method HEAD -Headers @{Authorization="test"}
Invoke-WebRequest : Value cannot be null.
Parameter name: uri
At line:1 char:1
+ Invoke-WebRequest -Uri https://s3.amazonaws.com/test-301-redirection/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], ArgumentNullException
+ FullyQualifiedErrorId : System.ArgumentNullException,Microsoft.PowerShell.Commands.InvokeWebRequestCommandExpected behavior
The response should be
Invoke-WebRequest -Uri https://s3.amazonaws.com/test-301-redirection/ -Method HEAD -Headers @{Authorization="test"}
Invoke-WebRequest : Response status code does not indicate success: 301 (Moved Permanently).
At line:1 char:1
+ Invoke-WebRequest -Uri https://s3.amazonaws.com/test-301-redirection/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: HEAD, R...rShell/6.0.2
}:HttpRequestMessage) [Invoke-WebRequest], HttpResponseException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommandA workaround is, to specify the PreserveAuthorizationOnRedirect Parameter which will skip the section introduced in #3885 :
Invoke-WebRequest -Uri https://s3.amazonaws.com/test-301-redirection/ -Method HEAD -Headers @{Authorization="test"} -PreserveAuthorizationOnRedirect
Invoke-WebRequest : Response status code does not indicate success: 301 (Moved Permanently).
At line:1 char:1
+ Invoke-WebRequest -Uri https://s3.amazonaws.com/test-301-redirection/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: HEAD, R...rShell/6.0.2
}:HttpRequestMessage) [Invoke-WebRequest], HttpResponseException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommandEnvironment data
$PSVersionTable
Name Value
---- -----
PSVersion 6.0.2
PSEdition Core
GitCommitId v6.0.2
OS Darwin 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0