Posted to commits@hc.apache.org by ol...@apache.org on 2020/04/06 15:43:11 UTC

[httpcomponents-client] 01/01: HTTPCLIENT-2074: disallow direct execution of CONNECT methods by standard client implementations

This is an automated email from the ASF dual-hosted git repository.

olegk pushed a commit to branch HTTPCLIENT-2074
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git

commit 5c230b951fa6b042a4bc987c54a8ec7db9c8a726
Author: Oleg Kalnichevski <ol...@apache.org>
AuthorDate: Mon Apr 6 17:42:36 2020 +0200

    HTTPCLIENT-2074: disallow direct execution of CONNECT methods by standard client implementations
---
 .../org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java     | 5 +++++
 .../java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java   | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java
index 11fd40a..362d3f4 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java
@@ -107,6 +107,11 @@ public final class AsyncProtocolExec implements AsyncExecChainHandler {
             final AsyncExecChain.Scope scope,
             final AsyncExecChain chain,
             final AsyncExecCallback asyncExecCallback) throws HttpException, IOException {
+
+        if (Method.CONNECT.isSame(request.getMethod())) {
+            throw new ProtocolException("Direct execution of CONNECT is not allowed");
+        }
+
         final HttpRoute route = scope.route;
         final HttpClientContext clientContext = scope.clientContext;
 
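Review bot: The added guard reads `request.getMethod()` with no null check visible ahead of it, whereas the same guard in the ProtocolExec hunk sits after `Args.notNull(request, "HTTP request")`. If nothing outside this hunk validates `request`, a null argument fails at the guard without the argument-name diagnostic; `Args.notNull(request, "HTTP request");` before the check would align the two handlers, assuming `Args` is already imported in this file. Neither guard says why CONNECT is refused, so a comment such as `// HTTPCLIENT-2074: CONNECT must not be executed as an ordinary request; tunnels are established by the client itself` would help here and in ProtocolExec (the rationale is inferred from the commit title, so confirm the wording against the ticket). The enclosing method starts and ends outside the hunk.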
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java
index 50aee86..53da369 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java
@@ -107,6 +107,10 @@ public final class ProtocolExec implements ExecChainHandler {
         Args.notNull(request, "HTTP request");
         Args.notNull(scope, "Scope");
 
+        if (Method.CONNECT.isSame(request.getMethod())) {
+            throw new ProtocolException("Direct execution of CONNECT is not allowed");
+        }
+
         final String exchangeId = scope.exchangeId;
         final HttpRoute route = scope.route;
         final HttpClientContext context = scope.clientContext;
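Review bot: Nothing in this commit pins the new rejection: the diffstat lists only the two handler sources, so a later change to either chain could drop the guard without any test failing. A test that submits a CONNECT request through the classic and the async client and expects `ProtocolException` would cover both hunks. The check also protects only execution chains that contain this handler, which matches the "standard client implementations" wording of the commit title but is worth stating in the class Javadoc so that anyone assembling a custom chain knows the restriction is not enforced elsewhere. The method body starts and continues outside the hunk.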