Symfony version(s) affected

6.2

Description

Currently the HttpClient allows setting the option CURLOPT_POSTREDIR that controls how libcurl acts on redirects after POSTs that get a 301, 302 or 303 response back. However, the CurlResponse does not seem to take into account this option and strictly redirects to HEAD or GET.

How to reproduce

Create a POST request with the CurlHttpClient to an HTTP endpoint that redirects with the status 301, 302 or 303. The next hop wil be done using GET. This is correct.

Now do the same using the CURLOPT_POSTREDIR option. The next hop (redirect) will be made using GET, while I expect POST.

Possible Solution

This option should checked on CurlResponse.php:415. Second, we have to make sure that while using this option, the POST body will be included while redirecting. I didn't test this, but CurlResponse.php:395 does seem to empty CURLOPT_POSTFIELDS when it is a POST redirect. Of course, this should only be done when the CURLOPT_POSTREDIR is present.

The curl documentation states that this option has several flags to control the behaviour.

Pass a bitmask to control how libcurl acts on redirects after POSTs that get a 301, 302 or 303 response back. A parameter with bit 0 set (value CURL_REDIR_POST_301) tells the library to respect RFC 7231 (section 6.4.2 to 6.4.4) and not convert POST requests into GET requests when following a 301 redirection. Setting bit 1 (value CURL_REDIR_POST_302) makes libcurl maintain the request method after a 302 redirect whilst setting bit 2 (value CURL_REDIR_POST_303) makes libcurl maintain the request method after a 303 redirect. The value CURL_REDIR_POST_ALL is a convenience define that sets all three bits

Additional Context

No response