Issue #8716 - Handle bad host/authority headers better (#8717)

* Issue #8716 - Handle bad host/authority headers better
* Remove extra `Host` header in testcase that doesn't deal with bad Host headers
* Create URIUtil.isRegName
* Correcting HostPortTest.testValidAuthority
* Correcting RequestTest.testInvalidHostHeader
* Remove clonable, set to final

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
This commit is contained in:
Joakim Erdfelt 2022-11-08 18:08:20 -06:00 committed by GitHub
parent f99da578af
commit 793bee9e14
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 206 additions and 30 deletions

View File

@ -1028,6 +1028,8 @@ public class HttpParser
break;
case HOST:
if (_host)
throw new BadMessageException(HttpStatus.BAD_REQUEST_400, "Bad Host: multiple headers");
_host = true;
if (!(_field instanceof HostPortHttpField) && _valueString != null && !_valueString.isEmpty())
{

View File

@ -40,6 +40,7 @@ import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.empty;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.nullValue;
import static org.hamcrest.Matchers.startsWith;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
@ -2040,19 +2041,52 @@ public class HttpParserTest
assertEquals(8888, _port);
}
@Test
public void testHostBadPort()
@ParameterizedTest
@ValueSource(strings = {
"Host: whatever.com:xxxx",
"Host: myhost:testBadPort",
"Host: a b c d", // whitespace in reg-name
"Host: a\to\tz", // tabs in reg-name
"Host: hosta, hostb, hostc", // spaces in reg-name
"Host: [sd ajklf;d sajklf;d sajfkl;d]", // not a valid IPv6 address
"Host: hosta\nHost: hostb\nHost: hostc" // multi-line
})
public void testBadHost(String hostline)
{
ByteBuffer buffer = BufferUtil.toBuffer(
"GET / HTTP/1.1\r\n" +
"Host: myhost:testBadPort\r\n" +
"Connection: close\r\n" +
"\r\n");
"GET / HTTP/1.1\n" +
hostline + "\n" +
"Connection: close\n" +
"\n");
HttpParser.RequestHandler handler = new Handler();
HttpParser parser = new HttpParser(handler);
parser.parseNext(buffer);
assertThat(_bad, containsString("Bad Host"));
assertThat(_bad, startsWith("Bad"));
}
@ParameterizedTest
@ValueSource(strings = {
"Host: whatever.com:123",
"Host: myhost.com",
"Host: ::", // fake, no value, IPv6 (allowed)
"Host: a-b-c-d",
"Host: hosta,hostb,hostc", // commas are allowed
"Host: [fde3:827b:ea49:0:893:8016:e3ac:9778]:444", // IPv6 with port
"Host: [fde3:827b:ea49:0:893:8016:e3ac:9778]", // IPv6 without port
})
public void testGoodHost(String hostline)
{
ByteBuffer buffer = BufferUtil.toBuffer(
"GET / HTTP/1.1\n" +
hostline + "\n" +
"Connection: close\n" +
"\n");
HttpParser.RequestHandler handler = new Handler();
HttpParser parser = new HttpParser(handler);
parser.parseNext(buffer);
assertNull(_bad);
}
@Test

View File

@ -1134,7 +1134,6 @@ public class ConstraintTest
response = _connector.getResponse("POST /ctx/auth/info HTTP/1.1\r\n" +
"Host: test\r\n" +
"Host: localhost\r\n" +
"Content-Type: text/plain\r\n" +
"Content-Length: 10\r\n" +
"\r\n" +

View File

@ -87,6 +87,8 @@ import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -783,8 +785,16 @@ public class RequestTest
assertThat(responses, startsWith("HTTP/1.1 200"));
}
@Test
public void testInvalidHostHeader() throws Exception
@ParameterizedTest
@ValueSource(strings = {
"Host: whatever.com:xxxx", // invalid port
"Host: myhost:testBadPort", // invalid port
"Host: a b c d", // spaces
"Host: a\to\tz", // control characters
"Host: hosta, hostb, hostc", // spaces (commas are ok)
"Host: hosta\nHost: hostb\nHost: hostc" // multi-line
})
public void testInvalidHostHeader(String hostline) throws Exception
{
// Use a contextHandler with vhosts to force call to Request.getServerName()
ContextHandler context = new ContextHandler();
@ -795,7 +805,7 @@ public class RequestTest
// Request with illegal Host header
String request = "GET / HTTP/1.1\n" +
"Host: whatever.com:xxxx\n" +
hostline + "\n" +
"Content-Type: text/html;charset=utf8\n" +
"Connection: close\n" +
"\n";

View File

@ -13,6 +13,8 @@
package org.eclipse.jetty.util;
import java.net.InetAddress;
import org.eclipse.jetty.util.annotation.ManagedAttribute;
/**
@ -49,9 +51,12 @@ public class HostPort
if (close < 0)
throw new IllegalArgumentException("Bad IPv6 host");
_host = authority.substring(0, close + 1);
if (!isValidIpAddress(_host))
throw new IllegalArgumentException("Bad IPv6 host");
if (authority.length() > close + 1)
{
// ipv6 with port
if (authority.charAt(close + 1) != ':')
throw new IllegalArgumentException("Bad IPv6 port");
_port = parsePort(authority.substring(close + 2));
@ -67,21 +72,29 @@ public class HostPort
int c = authority.lastIndexOf(':');
if (c >= 0)
{
// ipv6address
if (c != authority.indexOf(':'))
{
// ipv6address no port
_host = "[" + authority + "]";
if (!isValidIpAddress(_host))
throw new IllegalArgumentException("Bad IPv6 host");
_port = 0;
}
else
{
// host/ipv4 with port
_host = authority.substring(0, c);
if (StringUtil.isBlank(_host) || !isValidHostName(_host))
throw new IllegalArgumentException("Bad Authority");
_port = parsePort(authority.substring(c + 1));
}
}
else
{
// host/ipv4 without port
_host = authority;
if (StringUtil.isBlank(_host) || !isValidHostName(_host))
throw new IllegalArgumentException("Bad Authority");
_port = 0;
}
}
@ -96,6 +109,26 @@ public class HostPort
}
}
protected boolean isValidIpAddress(String ip)
{
try
{
// Per javadoc, If a literal IP address is supplied, only the validity of the
// address format is checked.
InetAddress.getByName(ip);
return true;
}
catch (Throwable ignore)
{
return false;
}
}
protected boolean isValidHostName(String name)
{
return URIUtil.isValidHostRegisteredName(name);
}
/**
* Get the host.
*

View File

@ -17,6 +17,7 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.eclipse.jetty.util.Utf8Appendable.NotUtf8Exception;
import org.slf4j.Logger;
@ -33,14 +34,31 @@ import org.slf4j.LoggerFactory;
*
* @see UrlEncoded
*/
public class URIUtil
implements Cloneable
public final class URIUtil
{
private static final Logger LOG = LoggerFactory.getLogger(URIUtil.class);
public static final String SLASH = "/";
public static final String HTTP = "http";
public static final String HTTPS = "https";
// From https://www.rfc-editor.org/rfc/rfc3986
private static final String UNRESERVED = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-._~";
private static final String SUBDELIMS = "!$&'()*+,;=";
private static final String REGNAME = UNRESERVED + SUBDELIMS;
// Allowed characters in https://www.rfc-editor.org/rfc/rfc3986 reg-name
private static final boolean[] REGNAME_ALLOWED;
static
{
REGNAME_ALLOWED = new boolean[128];
Arrays.fill(REGNAME_ALLOWED, false);
for (char c : REGNAME.toCharArray())
{
REGNAME_ALLOWED[c] = true;
}
}
// Use UTF-8 as per http://www.w3.org/TR/html40/appendix/notes.html#non-ascii-chars
public static final Charset __CHARSET = StandardCharsets.UTF_8;
@ -1122,6 +1140,50 @@ public class URIUtil
return false;
}
/**
* True if token is a <a href="https://www.rfc-editor.org/rfc/rfc3986">RFC3986</a> {@code reg-name} (Registered Name)
*
* @param token the to test
* @return true if the token passes as a valid Host Registered Name
*/
public static boolean isValidHostRegisteredName(String token)
{
/* reg-name ABNF is defined as :
* reg-name = *( unreserved / pct-encoded / sub-delims )
* unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
* pct-encoded = "%" HEXDIG HEXDIG
* sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
* / "*" / "+" / "," / ";" / "="
*/
if (token == null)
return true; // null token is considered valid
int length = token.length();
for (int i = 0; i < length; i++)
{
char c = token.charAt(i);
if (c > 127)
return false;
if (REGNAME_ALLOWED[c])
continue;
if (c == '%')
{
if (StringUtil.isHex(token, i + 1, 2))
{
i += 2;
continue;
}
else
{
return false;
}
}
return false;
}
return true;
}
/**
* Create a new URI from the arguments, handling IPv6 host encoding and default ports
*

View File

@ -31,14 +31,10 @@ public class HostPortTest
return Stream.of(
Arguments.of("", "", null),
Arguments.of(":80", "", "80"),
Arguments.of("host", "host", null),
Arguments.of("host:80", "host", "80"),
Arguments.of("10.10.10.1", "10.10.10.1", null),
Arguments.of("10.10.10.1:80", "10.10.10.1", "80"),
Arguments.of("[0::0::0::1]", "[0::0::0::1]", null),
Arguments.of("[0::0::0::1]:80", "[0::0::0::1]", "80"),
Arguments.of("0:1:2:3:4:5:6", "[0:1:2:3:4:5:6]", null),
Arguments.of("127.0.0.1:65535", "127.0.0.1", "65535"),
// Localhost tests
Arguments.of("localhost:80", "localhost", "80"),
@ -68,18 +64,21 @@ public class HostPortTest
{
return Stream.of(
null,
"host:",
"127.0.0.1:",
"[0::0::0::0::1]:",
"host:xxx",
"127.0.0.1:xxx",
"[0::0::0::0::1]:xxx",
"host:-80",
"127.0.0.1:-80",
"[0::0::0::0::1]:-80",
"127.0.0.1:65536"
)
.map(Arguments::of);
":80", // no host, port only
"host:", // no port
"127.0.0.1:", // no port
"[0::0::0::0::1]:", // no port
"[0::0::0::1]", // not valid to Java (InetAddress, InetSocketAddress, or URI) : "Expected hex digits or IPv4 address"
"[0::0::0::1]:80", // not valid to Java (InetAddress, InetSocketAddress, or URI) : "Expected hex digits or IPv4 address"
"0:1:2:3:4:5:6", // not valid to Java (InetAddress, InetSocketAddress, or URI) : "IPv6 address too short"
"host:xxx", // invalid port
"127.0.0.1:xxx", // host + invalid port
"[0::0::0::0::1]:xxx", // ipv6 + invalid port
"host:-80", // host + invalid port
"127.0.0.1:-80", // ipv4 + invalid port
"[0::0::0::0::1]:-80", // ipv6 + invalid port
"127.0.0.1:65536" // ipv4 + port value too high
).map(Arguments::of);
}
@ParameterizedTest

View File

@ -40,6 +40,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import org.junit.jupiter.params.provider.ValueSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -751,4 +752,40 @@ public class URIUtilTest
String decoded = URIUtil.decodePath(encoded);
assertEquals(path, decoded);
}
@ParameterizedTest
@ValueSource(strings = {
"a",
"deadbeef",
"321zzz123",
"pct%25encoded",
"a,b,c",
"*",
"_-_-_",
"192.168.1.22",
"192.168.1.com"
})
public void testIsValidHostRegisteredNameTrue(String token)
{
assertTrue(URIUtil.isValidHostRegisteredName(token), "Token [" + token + "] should be a valid reg-name");
}
@ParameterizedTest
@ValueSource(strings = {
" ",
"tab\tchar",
"a long name with spaces",
"8-bit-\u00dd", // 8-bit characters
"пример.рф", // unicode - raw IDN (not normalized to punycode)
// Invalid pct-encoding
"%XX",
"%%",
"abc%d",
"100%",
"[brackets]"
})
public void testIsValidHostRegisteredNameFalse(String token)
{
assertFalse(URIUtil.isValidHostRegisteredName(token), "Token [" + token + "] should be an invalid reg-name");
}
}