You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by Gary Gregory <ga...@gmail.com> on 2019/04/10 17:35:32 UTC
Re: [httpcomponents-client] 01/01: HTTPCLIENT-1981: disallow TRACE
requests with an enclosed entity
Oleg,
> StandardMethods.TRACE.name <http://standardmethods.trace.name/>() +
"requests may not include an entity."
I think you are missing a space before "request":
StandardMethods.TRACE.name <http://standardmethods.trace.name/>() + "
requests may not include an entity."
Gary
On Wed, Apr 10, 2019 at 1:20 PM <ol...@apache.org> wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> olegk pushed a commit to branch HTTPCLIENT-1981
> in repository
> https://gitbox.apache.org/repos/asf/httpcomponents-client.git
>
> commit 63a6bd760ec1ec1f8daa6faf5a669aee3da3a06e
> Author: Jay Modi <jay at elastic dot com>
> AuthorDate: Wed Apr 10 19:13:12 2019 +0200
>
> HTTPCLIENT-1981: disallow TRACE requests with an enclosed entity
> ---
> .../http/async/methods/AsyncRequestBuilder.java | 5 +++
> .../hc/client5/http/classic/methods/HttpTrace.java | 7 ++++
> .../http/classic/methods/RequestBuilder.java | 5 +++
> .../async/methods/TestAsyncRequestBuilder.java} | 39
> +++++-----------------
> .../http/classic/methods/TestHttpTrace.java} | 35
> ++++---------------
> .../http/classic/methods/TestRequestBuilder.java | 7 ++++
> 6 files changed, 39 insertions(+), 59 deletions(-)
>
> diff --git
> a/httpclient5/src/main/java/org/apache/hc/client5/http/async/methods/AsyncRequestBuilder.java
> b/httpclient5/src/main/java/org/apache/hc/client5/http/async/methods/AsyncRequestBuilder.java
> index 97c567b..59d332e 100644
> ---
> a/httpclient5/src/main/java/org/apache/hc/client5/http/async/methods/AsyncRequestBuilder.java
> +++
> b/httpclient5/src/main/java/org/apache/hc/client5/http/async/methods/AsyncRequestBuilder.java
> @@ -430,6 +430,11 @@ public class AsyncRequestBuilder {
> }
> }
> }
> +
> + if (entityProducerCopy != null && StandardMethods.TRACE.name().equalsIgnoreCase(method))
> {
> + throw new IllegalStateException(StandardMethods.TRACE.name()
> + "requests may not include an entity.");
> + }
> +
> final ConfigurableHttpRequest request = host != null ?
> new ConfigurableHttpRequest(method, host,
> !TextUtils.isBlank(path) ? path : "/") :
> new ConfigurableHttpRequest(method, uri != null ? uri :
> URI.create("/"));
> diff --git
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> index 17092a1..a937ba2 100644
> ---
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> +++
> b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> @@ -29,6 +29,8 @@ package org.apache.hc.client5.http.classic.methods;
>
> import java.net.URI;
>
> +import org.apache.hc.core5.http.HttpEntity;
> +
> /**
> * HTTP TRACE method.
> *
> @@ -60,4 +62,9 @@ public class HttpTrace extends HttpUriRequestBase {
> this(URI.create(uri));
> }
>
> + @Override
> + public void setEntity(final HttpEntity entity) {
> + throw new IllegalStateException(METHOD_NAME + " requests may not
> include an entity.");
> + }
> +
> }
> diff --git
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/RequestBuilder.java
> b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/RequestBuilder.java
> index 4a3572a..6a70bc6 100644
> ---
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/RequestBuilder.java
> +++
> b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/RequestBuilder.java
> @@ -482,6 +482,11 @@ public class RequestBuilder {
> }
> }
> }
> +
> + if (entityCopy != null && StandardMethods.TRACE.name().equalsIgnoreCase(method))
> {
> + throw new IllegalStateException(StandardMethods.TRACE.name()
> + "requests may not include an entity.");
> + }
> +
> final HttpUriRequestBase result = new HttpUriRequestBase(method,
> uriNotNull);
> result.setVersion(this.version != null ? this.version :
> HttpVersion.HTTP_1_1);
> if (this.headerGroup != null) {
> diff --git
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> b/httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/TestAsyncRequestBuilder.java
> similarity index 59%
> copy from
> httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> copy to
> httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/TestAsyncRequestBuilder.java
> index 17092a1..cb1e5e9 100644
> ---
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> +++
> b/httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/TestAsyncRequestBuilder.java
> @@ -25,39 +25,18 @@
> *
> */
>
> -package org.apache.hc.client5.http.classic.methods;
> +package org.apache.hc.client5.http.async.methods;
>
> -import java.net.URI;
> +import org.apache.hc.core5.http.nio.entity.BasicAsyncEntityProducer;
> +import org.junit.Test;
>
> -/**
> - * HTTP TRACE method.
> - *
> - * @since 4.0
> - */
> -public class HttpTrace extends HttpUriRequestBase {
> -
> - private static final long serialVersionUID = 1L;
> -
> - public final static String METHOD_NAME = "TRACE";
> -
> - /**
> - * Creates a new instance initialized with the given URI.
> - *
> - * @param uri a non-null request URI.
> - * @throws IllegalArgumentException if the uri is null.
> - */
> - public HttpTrace(final URI uri) {
> - super(METHOD_NAME, uri);
> - }
> +public class TestAsyncRequestBuilder {
>
> - /**
> - * Creates a new instance initialized with the given URI.
> - *
> - * @param uri a non-null request URI.
> - * @throws IllegalArgumentException if the uri is invalid.
> - */
> - public HttpTrace(final String uri) {
> - this(URI.create(uri));
> + @Test(expected = IllegalStateException.class)
> + public void testBuildTraceWithEntity() {
> + final AsyncRequestBuilder builder =
> AsyncRequestBuilder.create("TRACE").setUri("/path");
> + builder.setEntity(new BasicAsyncEntityProducer("stuff"));
> + builder.build();
> }
>
> }
> diff --git
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestHttpTrace.java
> similarity index 62%
> copy from
> httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> copy to
> httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestHttpTrace.java
> index 17092a1..27089d2 100644
> ---
> a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java
> +++
> b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestHttpTrace.java
> @@ -27,37 +27,14 @@
>
> package org.apache.hc.client5.http.classic.methods;
>
> -import java.net.URI;
> +import org.junit.Test;
>
> -/**
> - * HTTP TRACE method.
> - *
> - * @since 4.0
> - */
> -public class HttpTrace extends HttpUriRequestBase {
> -
> - private static final long serialVersionUID = 1L;
> -
> - public final static String METHOD_NAME = "TRACE";
> -
> - /**
> - * Creates a new instance initialized with the given URI.
> - *
> - * @param uri a non-null request URI.
> - * @throws IllegalArgumentException if the uri is null.
> - */
> - public HttpTrace(final URI uri) {
> - super(METHOD_NAME, uri);
> - }
> +public class TestHttpTrace {
>
> - /**
> - * Creates a new instance initialized with the given URI.
> - *
> - * @param uri a non-null request URI.
> - * @throws IllegalArgumentException if the uri is invalid.
> - */
> - public HttpTrace(final String uri) {
> - this(URI.create(uri));
> + @Test(expected = IllegalStateException.class)
> + public void testHttpTraceSetEntity() {
> + final HttpTrace httpTrace = new HttpTrace("/path");
> + httpTrace.setEntity(null);
> }
>
> }
> diff --git
> a/httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestRequestBuilder.java
> b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestRequestBuilder.java
> index f121933..b6789c2 100644
> ---
> a/httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestRequestBuilder.java
> +++
> b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestRequestBuilder.java
> @@ -264,6 +264,13 @@ public class TestRequestBuilder {
> assertBuild(StandardCharsets.ISO_8859_1);
> }
>
> + @Test(expected = IllegalStateException.class)
> + public void testBuildTraceWithEntity() {
> + final RequestBuilder requestBuilder =
> RequestBuilder.create("TRACE").setUri("/path");
> + requestBuilder.setEntity(new StringEntity("foo"));
> + requestBuilder.build();
> + }
> +
> private void assertBuild(final Charset charset) throws Exception {
> final RequestBuilder requestBuilder =
> RequestBuilder.create("GET").setCharset(charset);
> requestBuilder.setUri("https://somehost.com/stuff");
>
>
Re: [httpcomponents-client] 01/01: HTTPCLIENT-1981: disallow TRACE
requests with an enclosed entity
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2019-04-10 at 13:35 -0400, Gary Gregory wrote:
> Oleg,
>
> > StandardMethods.TRACE.name <http://standardmethods.trace.name/>() +
>
> "requests may not include an entity."
>
> I think you are missing a space before "request":
>
> StandardMethods.TRACE.name <http://standardmethods.trace.name/>() + "
> requests may not include an entity."
>
> Gary
>
Good catch. Thank you, Gary
Oleg
> On Wed, Apr 10, 2019 at 1:20 PM <ol...@apache.org> wrote:
>
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > olegk pushed a commit to branch HTTPCLIENT-1981
> > in repository
> > https://gitbox.apache.org/repos/asf/httpcomponents-client.git
> >
> > commit 63a6bd760ec1ec1f8daa6faf5a669aee3da3a06e
> > Author: Jay Modi <jay at elastic dot com>
> > AuthorDate: Wed Apr 10 19:13:12 2019 +0200
> >
> > HTTPCLIENT-1981: disallow TRACE requests with an enclosed
> > entity
> > ---
> > .../http/async/methods/AsyncRequestBuilder.java | 5 +++
> > .../hc/client5/http/classic/methods/HttpTrace.java | 7 ++++
> > .../http/classic/methods/RequestBuilder.java | 5 +++
> > .../async/methods/TestAsyncRequestBuilder.java} | 39
> > +++++-----------------
> > .../http/classic/methods/TestHttpTrace.java} | 35
> > ++++---------------
> > .../http/classic/methods/TestRequestBuilder.java | 7 ++++
> > 6 files changed, 39 insertions(+), 59 deletions(-)
> >
> > diff --git
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/async/method
> > s/AsyncRequestBuilder.java
> > b/httpclient5/src/main/java/org/apache/hc/client5/http/async/method
> > s/AsyncRequestBuilder.java
> > index 97c567b..59d332e 100644
> > ---
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/async/method
> > s/AsyncRequestBuilder.java
> > +++
> > b/httpclient5/src/main/java/org/apache/hc/client5/http/async/method
> > s/AsyncRequestBuilder.java
> > @@ -430,6 +430,11 @@ public class AsyncRequestBuilder {
> > }
> > }
> > }
> > +
> > + if (entityProducerCopy != null &&
> > StandardMethods.TRACE.name().equalsIgnoreCase(method))
> > {
> > + throw new
> > IllegalStateException(StandardMethods.TRACE.name()
> > + "requests may not include an entity.");
> > + }
> > +
> > final ConfigurableHttpRequest request = host != null ?
> > new ConfigurableHttpRequest(method, host,
> > !TextUtils.isBlank(path) ? path : "/") :
> > new ConfigurableHttpRequest(method, uri != null ?
> > uri :
> > URI.create("/"));
> > diff --git
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > index 17092a1..a937ba2 100644
> > ---
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > +++
> > b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > @@ -29,6 +29,8 @@ package
> > org.apache.hc.client5.http.classic.methods;
> >
> > import java.net.URI;
> >
> > +import org.apache.hc.core5.http.HttpEntity;
> > +
> > /**
> > * HTTP TRACE method.
> > *
> > @@ -60,4 +62,9 @@ public class HttpTrace extends HttpUriRequestBase
> > {
> > this(URI.create(uri));
> > }
> >
> > + @Override
> > + public void setEntity(final HttpEntity entity) {
> > + throw new IllegalStateException(METHOD_NAME + " requests
> > may not
> > include an entity.");
> > + }
> > +
> > }
> > diff --git
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/RequestBuilder.java
> > b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/RequestBuilder.java
> > index 4a3572a..6a70bc6 100644
> > ---
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/RequestBuilder.java
> > +++
> > b/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/RequestBuilder.java
> > @@ -482,6 +482,11 @@ public class RequestBuilder {
> > }
> > }
> > }
> > +
> > + if (entityCopy != null &&
> > StandardMethods.TRACE.name().equalsIgnoreCase(method))
> > {
> > + throw new
> > IllegalStateException(StandardMethods.TRACE.name()
> > + "requests may not include an entity.");
> > + }
> > +
> > final HttpUriRequestBase result = new
> > HttpUriRequestBase(method,
> > uriNotNull);
> > result.setVersion(this.version != null ? this.version :
> > HttpVersion.HTTP_1_1);
> > if (this.headerGroup != null) {
> > diff --git
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > b/httpclient5/src/test/java/org/apache/hc/client5/http/async/method
> > s/TestAsyncRequestBuilder.java
> > similarity index 59%
> > copy from
> > httpclient5/src/main/java/org/apache/hc/client5/http/classic/method
> > s/HttpTrace.java
> > copy to
> > httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/
> > TestAsyncRequestBuilder.java
> > index 17092a1..cb1e5e9 100644
> > ---
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > +++
> > b/httpclient5/src/test/java/org/apache/hc/client5/http/async/method
> > s/TestAsyncRequestBuilder.java
> > @@ -25,39 +25,18 @@
> > *
> > */
> >
> > -package org.apache.hc.client5.http.classic.methods;
> > +package org.apache.hc.client5.http.async.methods;
> >
> > -import java.net.URI;
> > +import
> > org.apache.hc.core5.http.nio.entity.BasicAsyncEntityProducer;
> > +import org.junit.Test;
> >
> > -/**
> > - * HTTP TRACE method.
> > - *
> > - * @since 4.0
> > - */
> > -public class HttpTrace extends HttpUriRequestBase {
> > -
> > - private static final long serialVersionUID = 1L;
> > -
> > - public final static String METHOD_NAME = "TRACE";
> > -
> > - /**
> > - * Creates a new instance initialized with the given URI.
> > - *
> > - * @param uri a non-null request URI.
> > - * @throws IllegalArgumentException if the uri is null.
> > - */
> > - public HttpTrace(final URI uri) {
> > - super(METHOD_NAME, uri);
> > - }
> > +public class TestAsyncRequestBuilder {
> >
> > - /**
> > - * Creates a new instance initialized with the given URI.
> > - *
> > - * @param uri a non-null request URI.
> > - * @throws IllegalArgumentException if the uri is invalid.
> > - */
> > - public HttpTrace(final String uri) {
> > - this(URI.create(uri));
> > + @Test(expected = IllegalStateException.class)
> > + public void testBuildTraceWithEntity() {
> > + final AsyncRequestBuilder builder =
> > AsyncRequestBuilder.create("TRACE").setUri("/path");
> > + builder.setEntity(new BasicAsyncEntityProducer("stuff"));
> > + builder.build();
> > }
> >
> > }
> > diff --git
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/meth
> > ods/TestHttpTrace.java
> > similarity index 62%
> > copy from
> > httpclient5/src/main/java/org/apache/hc/client5/http/classic/method
> > s/HttpTrace.java
> > copy to
> > httpclient5/src/test/java/org/apache/hc/client5/http/classic/method
> > s/TestHttpTrace.java
> > index 17092a1..27089d2 100644
> > ---
> > a/httpclient5/src/main/java/org/apache/hc/client5/http/classic/meth
> > ods/HttpTrace.java
> > +++
> > b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/meth
> > ods/TestHttpTrace.java
> > @@ -27,37 +27,14 @@
> >
> > package org.apache.hc.client5.http.classic.methods;
> >
> > -import java.net.URI;
> > +import org.junit.Test;
> >
> > -/**
> > - * HTTP TRACE method.
> > - *
> > - * @since 4.0
> > - */
> > -public class HttpTrace extends HttpUriRequestBase {
> > -
> > - private static final long serialVersionUID = 1L;
> > -
> > - public final static String METHOD_NAME = "TRACE";
> > -
> > - /**
> > - * Creates a new instance initialized with the given URI.
> > - *
> > - * @param uri a non-null request URI.
> > - * @throws IllegalArgumentException if the uri is null.
> > - */
> > - public HttpTrace(final URI uri) {
> > - super(METHOD_NAME, uri);
> > - }
> > +public class TestHttpTrace {
> >
> > - /**
> > - * Creates a new instance initialized with the given URI.
> > - *
> > - * @param uri a non-null request URI.
> > - * @throws IllegalArgumentException if the uri is invalid.
> > - */
> > - public HttpTrace(final String uri) {
> > - this(URI.create(uri));
> > + @Test(expected = IllegalStateException.class)
> > + public void testHttpTraceSetEntity() {
> > + final HttpTrace httpTrace = new HttpTrace("/path");
> > + httpTrace.setEntity(null);
> > }
> >
> > }
> > diff --git
> > a/httpclient5/src/test/java/org/apache/hc/client5/http/classic/meth
> > ods/TestRequestBuilder.java
> > b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/meth
> > ods/TestRequestBuilder.java
> > index f121933..b6789c2 100644
> > ---
> > a/httpclient5/src/test/java/org/apache/hc/client5/http/classic/meth
> > ods/TestRequestBuilder.java
> > +++
> > b/httpclient5/src/test/java/org/apache/hc/client5/http/classic/meth
> > ods/TestRequestBuilder.java
> > @@ -264,6 +264,13 @@ public class TestRequestBuilder {
> > assertBuild(StandardCharsets.ISO_8859_1);
> > }
> >
> > + @Test(expected = IllegalStateException.class)
> > + public void testBuildTraceWithEntity() {
> > + final RequestBuilder requestBuilder =
> > RequestBuilder.create("TRACE").setUri("/path");
> > + requestBuilder.setEntity(new StringEntity("foo"));
> > + requestBuilder.build();
> > + }
> > +
> > private void assertBuild(final Charset charset) throws
> > Exception {
> > final RequestBuilder requestBuilder =
> > RequestBuilder.create("GET").setCharset(charset);
> > requestBuilder.setUri("https://somehost.com/stuff");
> >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org