Fixes #2022 - Ignore invalid chars in http header names, when the compliance mode is not RFC7230

Signed-off-by: fb <fb@baqend.com>
2017-12-14 11:48:32 +01:00 · 2017-12-14 11:48:32 +01:00 · b76240e678
parent ba5ed4c6ce
commit b76240e678
4 changed files with 73 additions and 13 deletions
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/AbstractConnectorHttpClientTransport.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/AbstractConnectorHttpClientTransport.java
@ -160,6 +160,7 @@ public abstract class AbstractConnectorHttpClientTransport extends AbstractHttpC
        {
            SocketChannelEndPoint endp = new SocketChannelEndPoint(channel, selector, key, getScheduler());
            endp.setIdleTimeout(client.getIdleTimeout());
+            //TODO: make compliance mode configurable
            return endp;
        }

--- a/jetty-client/src/main/java/org/eclipse/jetty/client/http/HttpReceiverOverHTTP.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/http/HttpReceiverOverHTTP.java
@ -26,6 +26,7 @@ import org.eclipse.jetty.client.HttpExchange;
 import org.eclipse.jetty.client.HttpReceiver;
 import org.eclipse.jetty.client.HttpResponse;
 import org.eclipse.jetty.client.HttpResponseException;
+import org.eclipse.jetty.http.HttpCompliance;
 import org.eclipse.jetty.http.HttpField;
 import org.eclipse.jetty.http.HttpMethod;
 import org.eclipse.jetty.http.HttpParser;
@ -38,7 +39,7 @@ import org.eclipse.jetty.util.CompletableCallback;

 public class HttpReceiverOverHTTP extends HttpReceiver implements HttpParser.ResponseHandler
 {
-    private final HttpParser parser = new HttpParser(this);
+    private final HttpParser parser = new HttpParser(this, -1, HttpCompliance.RFC2616);
    private ByteBuffer buffer;
    private boolean shutdown;

--- a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
+++ b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
@ -1287,7 +1287,13 @@ public class HttpParser
                        break;
                    }

+                    //Ignore all invalid characters
+                    if (complianceViolation(RFC7230,"https://tools.ietf.org/html/rfc7230#section-3.2 Invalid token in header name"))
+                    {
                        throw new IllegalCharacterException(_state,b,buffer);
+                    }
+
+                    break;

                case VALUE:
                    if (b>HttpTokens.SPACE || b<0)
--- a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
+++ b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
@ -21,6 +21,7 @@ package org.eclipse.jetty.http;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;

 import org.eclipse.jetty.http.HttpParser.State;
@ -378,6 +379,57 @@ public class HttpParserTest
        Assert.assertThat(_complianceViolation, Matchers.containsString("No colon"));
    }

+    @Test
+    public void testNoneComplientCharsInHeaderNameLegacy() throws Exception
+    {
+        ByteBuffer buffer = BufferUtil.toBuffer(
+                "HTTP/1.1 204 No Content\r\n" +
+                        "Access-Control-Allow-Headers : Origin\r\n" +
+                        "Other: value\r\n" +
+                        "\r\n");
+
+        HttpParser.ResponseHandler handler = new Handler();
+        HttpParser parser = new HttpParser(handler, -1, HttpCompliance.LEGACY);
+        parseAll(parser, buffer);
+
+        Assert.assertTrue(_headerCompleted);
+        Assert.assertTrue(_messageCompleted);
+
+        Assert.assertEquals("HTTP/1.1", _methodOrVersion);
+        Assert.assertEquals("204", _uriOrStatus);
+        Assert.assertEquals("No Content", _versionOrReason);
+        Assert.assertEquals(null, _content);
+
+        Assert.assertEquals(2, _headers);
+        System.out.println(Arrays.asList(_hdr));
+        System.out.println(Arrays.asList(_val));
+        Assert.assertEquals("Access-Control-Allow-Headers", _hdr[1]);
+        Assert.assertEquals("Origin", _val[1]);
+        Assert.assertEquals("Other", _hdr[2]);
+        Assert.assertEquals("value", _val[2]);
+
+        Assert.assertThat(_complianceViolation, Matchers.containsString("Invalid token in header name"));
+    }
+
+    @Test
+    public void testNoneComplientCharsInHeaderNameNoLegacy() throws Exception
+    {
+        ByteBuffer buffer = BufferUtil.toBuffer(
+                "HTTP/1.1 204 No Content\r\n" +
+                        "Access-Control-Allow-Headers : Origin\r\n" +
+                        "Other: value\r\n" +
+                        "\r\n");
+
+        HttpParser.ResponseHandler handler = new Handler();
+        HttpParser parser = new HttpParser(handler);
+        parseAll(parser, buffer);
+
+        Assert.assertEquals("HTTP/1.1", _methodOrVersion);
+        Assert.assertEquals("204", _uriOrStatus);
+        Assert.assertEquals("No Content", _versionOrReason);
+        Assert.assertThat(_bad, Matchers.containsString("Illegal character 0x20"));
+    }
+
    @Test
    public void testNoColon7230() throws Exception
    {