Posted to commits@hc.apache.org by ol...@apache.org on 2020/04/06 15:43:11 UTC
[httpcomponents-client] 01/01: HTTPCLIENT-2074: disallow direct
execution of CONNECT methods by standard client implementations
This is an automated email from the ASF dual-hosted git repository.
olegk pushed a commit to branch HTTPCLIENT-2074
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git
commit 5c230b951fa6b042a4bc987c54a8ec7db9c8a726
Author: Oleg Kalnichevski <ol...@apache.org>
AuthorDate: Mon Apr 6 17:42:36 2020 +0200
HTTPCLIENT-2074: disallow direct execution of CONNECT methods by standard client implementations
---
.../org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java | 5 +++++
.../java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java
index 11fd40a..362d3f4 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java
@@ -107,6 +107,11 @@ public final class AsyncProtocolExec implements AsyncExecChainHandler {
final AsyncExecChain.Scope scope,
final AsyncExecChain chain,
final AsyncExecCallback asyncExecCallback) throws HttpException, IOException {
+
+ if (Method.CONNECT.isSame(request.getMethod())) {
+ throw new ProtocolException("Direct execution of CONNECT is not allowed");
+ }
+
final HttpRoute route = scope.route;
final HttpClientContext clientContext = scope.clientContext;
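Review bot: The CONNECT guard at the top of execute() has no comment saying why the method is refused, and the same bare check is repeated in the ProtocolExec hunk. A line such as `// CONNECT is reserved for tunnels the client establishes itself; refuse it when supplied by the caller` above each `if` would record the intent for the next maintainer. Because the check sits in the protocol handler, it only covers clients whose execution chain includes this handler; if any client variant executes requests without it, that path presumably still forwards a caller-supplied CONNECT and should be checked separately. The body of execute() starts and ends outside the hunk.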
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java
index 50aee86..53da369 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java
@@ -107,6 +107,10 @@ public final class ProtocolExec implements ExecChainHandler {
Args.notNull(request, "HTTP request");
Args.notNull(scope, "Scope");
+ if (Method.CONNECT.isSame(request.getMethod())) {
+ throw new ProtocolException("Direct execution of CONNECT is not allowed");
+ }
+
final String exchangeId = scope.exchangeId;
final HttpRoute route = scope.route;
final HttpClientContext context = scope.clientContext;
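Review bot: No test accompanies the new guard; the diffstat lists only the two handler classes under src/main. A unit test per handler that submits a request whose method is CONNECT and expects `ProtocolException` would pin the behaviour and stop a later refactoring of the exec chain from silently dropping the check. Adding a case with a lower-case `connect` would also document how `Method.isSame` matches, which appears to be case-insensitive and should be confirmed. The body of execute() starts and ends outside the hunk.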