Issue #3030 Enforce Content-Encoding check only on parameter extraction. (#3031)

Greg Wilkins 2018-10-26 06:44:40 +11:00 committed by GitHub
parent 8500e806ec
commit 898560bec5
2 changed files with 36 additions and 9 deletions


@ -455,23 +455,21 @@ public class Request implements HttpServletRequest
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
private void extractContentParameters() private void extractContentParameters()
{ {
// Content cannot be encoded
if (_metaData!=null && getHttpFields().contains(HttpHeader.CONTENT_ENCODING))
throw new BadMessageException(HttpStatus.NOT_IMPLEMENTED_501,"Unsupported Content-Encoding");
String contentType = getContentType(); String contentType = getContentType();
if (contentType == null || contentType.isEmpty()) if (contentType == null || contentType.isEmpty())
_contentParameters=NO_PARAMS; _contentParameters=NO_PARAMS;
else else
{ {
_contentParameters=new MultiMap<>(); _contentParameters=new MultiMap<>();
contentType = HttpFields.valueParameters(contentType, null);
int contentLength = getContentLength(); int contentLength = getContentLength();
if (contentLength != 0 && _inputState == __NONE) if (contentLength != 0 && _inputState == __NONE)
{ {
contentType = HttpFields.valueParameters(contentType, null);
if (MimeTypes.Type.FORM_ENCODED.is(contentType) && if (MimeTypes.Type.FORM_ENCODED.is(contentType) &&
_channel.getHttpConfiguration().isFormEncodedMethod(getMethod())) _channel.getHttpConfiguration().isFormEncodedMethod(getMethod()))
{ {
if (_metaData!=null && getHttpFields().contains(HttpHeader.CONTENT_ENCODING))
throw new BadMessageException(HttpStatus.NOT_IMPLEMENTED_501,"Unsupported Content-Encoding");
extractFormParameters(_contentParameters); extractFormParameters(_contentParameters);
} }
else if (MimeTypes.Type.MULTIPART_FORM_DATA.is(contentType) && else if (MimeTypes.Type.MULTIPART_FORM_DATA.is(contentType) &&
@ -480,6 +478,8 @@ public class Request implements HttpServletRequest
{ {
try try
{ {
if (_metaData!=null && getHttpFields().contains(HttpHeader.CONTENT_ENCODING))
throw new BadMessageException(HttpStatus.NOT_IMPLEMENTED_501,"Unsupported Content-Encoding");
getParts(_contentParameters); getParts(_contentParameters);
} }
catch (IOException | ServletException e) catch (IOException | ServletException e)
@ -490,7 +490,6 @@ public class Request implements HttpServletRequest
} }
} }
} }
} }
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
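Review bot: The Content-Encoding guard now appears twice, word for word, once in the form-encoded branch and once inside the `try` of the multipart branch, and the comment that explained it was removed with the old top-of-method check. A private helper called from both branches would keep the two copies from drifting apart and gives the rationale one place to live. Calling it before the `try` in the multipart branch would also make it obvious that the 501 is not meant to be handled by `catch (IOException | ServletException e)`. The multipart condition and the rest of the catch block lie between the hunks, so this is based only on the lines shown.

```java
// Parameters are parsed from the raw request body; an encoded body is refused rather than misparsed.
private void rejectContentEncoding()
{
    if (_metaData!=null && getHttpFields().contains(HttpHeader.CONTENT_ENCODING))
        throw new BadMessageException(HttpStatus.NOT_IMPLEMENTED_501,"Unsupported Content-Encoding");
}

// … unchanged: content type / content length checks …
                {
                    rejectContentEncoding();
                    extractFormParameters(_contentParameters);
                }
// … unchanged: multipart condition …
                    rejectContentEncoding();
                    try
                    {
                        getParts(_contentParameters);
// … unchanged: catch block …
```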


@ -18,6 +18,7 @@
package org.eclipse.jetty.server; package org.eclipse.jetty.server;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.not;
@ -28,7 +29,6 @@ import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNotSame; import static org.junit.jupiter.api.Assertions.assertNotSame;
import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertSame; import static org.junit.jupiter.api.Assertions.assertSame;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue; import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail; import static org.junit.jupiter.api.Assertions.fail;
@ -634,7 +634,7 @@ public class RequestTest
}; };
//Send a request with encoded form content //Send a request with encoded form content
String request="GET / HTTP/1.1\r\n"+ String request="POST / HTTP/1.1\r\n"+
"Host: whatever\r\n"+ "Host: whatever\r\n"+
"Content-Type: application/x-www-form-urlencoded; charset=utf-8\n"+ "Content-Type: application/x-www-form-urlencoded; charset=utf-8\n"+
"Content-Length: 10\n"+ "Content-Length: 10\n"+
@ -647,6 +647,34 @@ public class RequestTest
assertThat(responses,startsWith("HTTP/1.1 200")); assertThat(responses,startsWith("HTTP/1.1 200"));
} }
@Test
public void testEncodedNotParams() throws Exception
{
_handler._checker = new RequestTester()
{
@Override
public boolean check(HttpServletRequest request,HttpServletResponse response)
{
return request.getParameter("param")==null;
}
};
//Send a request with encoded form content
String request="POST / HTTP/1.1\r\n"+
"Host: whatever\r\n"+
"Content-Type: application/octet-stream\n"+
"Content-Length: 10\n"+
"Content-Encoding: gzip\n"+
"Connection: close\n"+
"\n"+
"0123456789\n";
String responses=_connector.getResponse(request);
assertThat(responses,startsWith("HTTP/1.1 200"));
}
@Test @Test
public void testInvalidHostHeader() throws Exception public void testInvalidHostHeader() throws Exception
{ {
@ -1815,7 +1843,7 @@ public class RequestTest
((Request)request).setHandled(true); ((Request)request).setHandled(true);
if (request.getContentLength()>0 if (request.getContentLength()>0
&& !MimeTypes.Type.FORM_ENCODED.asString().equals(request.getContentType()) && !request.getContentType().startsWith(MimeTypes.Type.FORM_ENCODED.asString())
&& !request.getContentType().startsWith("multipart/form-data")) && !request.getContentType().startsWith("multipart/form-data"))
_content=IO.toString(request.getInputStream()); _content=IO.toString(request.getInputStream());
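Review bot: The new `testEncodedNotParams` covers only the pass-through case, and none of the hunks shown exercises the guard this commit adds to the multipart branch. A companion test that sends `Content-Type: multipart/form-data` with `Content-Encoding: gzip` to a handler with a multipart config, and expects the 501, would pin that path. The comment inside the new test was copied from the form test and is now misleading, since the body is `application/octet-stream`; it could read `//Send a request with encoded non-form content: no parameter extraction is attempted`. A short Javadoc on the test saying that `getParameter` must return null rather than fail for non-form encoded content would also help.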