Apache
/
httpcomponents-client
mirror of https://github.com/apache/httpcomponents-client.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

HTTPCLIENT-1981: disallow TRACE requests with an enclosed entity

This commit is contained in:
Jay Modi 2019-04-10 19:13:12 +02:00 committed by Oleg Kalnichevski
parent 8fdc2ec1b8
commit 7fbbe7c98f
6 changed files with 106 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
httpclient5/src/main/java/org/apache/hc/client5/http/async/methods/AsyncRequestBuilder.java
View File

@ -430,6 +430,11 @@ public class AsyncRequestBuilder {
}
}
}
if (entityProducerCopy != null && StandardMethods.TRACE.name().equalsIgnoreCase(method)) {
throw new IllegalStateException(StandardMethods.TRACE.name() + " requests may not include an entity.");
}
final ConfigurableHttpRequest request = host != null ?
new ConfigurableHttpRequest(method, host, !TextUtils.isBlank(path) ? path : "/") :
new ConfigurableHttpRequest(method, uri != null ? uri : URI.create("/"));

7
httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
View File

@ -29,6 +29,8 @@ package org.apache.hc.client5.http.classic.methods;
import java.net.URI;
import org.apache.hc.core5.http.HttpEntity;
/**
* HTTP TRACE method.
*
@ -60,4 +62,9 @@ public class HttpTrace extends HttpUriRequestBase {
this(URI.create(uri));
}
@Override
public void setEntity(final HttpEntity entity) {
throw new IllegalStateException(METHOD_NAME + " requests may not include an entity.");
}
}

5
httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/RequestBuilder.java
View File

@ -482,6 +482,11 @@ public class RequestBuilder {
}
}
}
if (entityCopy != null && StandardMethods.TRACE.name().equalsIgnoreCase(method)) {
throw new IllegalStateException(StandardMethods.TRACE.name() + " requests may not include an entity.");
}
final HttpUriRequestBase result = new HttpUriRequestBase(method, uriNotNull);
result.setVersion(this.version != null ? this.version : HttpVersion.HTTP_1_1);
if (this.headerGroup != null) {

42
httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/TestAsyncRequestBuilder.java Normal file
View File

@ -0,0 +1,42 @@
/*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.hc.client5.http.async.methods;
import org.apache.hc.core5.http.nio.entity.BasicAsyncEntityProducer;
import org.junit.Test;
public class TestAsyncRequestBuilder {
@Test(expected = IllegalStateException.class)
public void testBuildTraceWithEntity() {
final AsyncRequestBuilder builder = AsyncRequestBuilder.create("TRACE").setUri("/path");
builder.setEntity(new BasicAsyncEntityProducer("stuff"));
builder.build();
}
}

40
httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestHttpTrace.java Normal file
View File

@ -0,0 +1,40 @@
/*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.hc.client5.http.classic.methods;
import org.junit.Test;
public class TestHttpTrace {
@Test(expected = IllegalStateException.class)
public void testHttpTraceSetEntity() {
final HttpTrace httpTrace = new HttpTrace("/path");
httpTrace.setEntity(null);
}
}

7
httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestRequestBuilder.java
View File

@ -264,6 +264,13 @@ public class TestRequestBuilder {
assertBuild(StandardCharsets.ISO_8859_1);
}
@Test(expected = IllegalStateException.class)
public void testBuildTraceWithEntity() {
final RequestBuilder requestBuilder = RequestBuilder.create("TRACE").setUri("/path");
requestBuilder.setEntity(new StringEntity("foo"));
requestBuilder.build();
}
private void assertBuild(final Charset charset) throws Exception {
final RequestBuilder requestBuilder = RequestBuilder.create("GET").setCharset(charset);
requestBuilder.setUri("https://somehost.com/stuff");