Posted to commits@hc.apache.org by ol...@apache.org on 2019/04/06 14:51:55 UTC

[httpcomponents-core] branch HTTPCLIENT-1981 updated (cf7ef3a -> a0ddcd1)

This is an automated email from the ASF dual-hosted git repository.

olegk pushed a change to branch HTTPCLIENT-1981
in repository https://gitbox.apache.org/repos/asf/httpcomponents-core.git.


 discard cf7ef3a  HTTPCLIENT-1981: disallow TRACE requests with an enclosed entity
     new a0ddcd1  HTTPCLIENT-1981: disallow TRACE requests with an enclosed entity

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (cf7ef3a)
            \
             N -- N -- N   refs/heads/HTTPCLIENT-1981 (a0ddcd1)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../hc/core5/http2/protocol/H2RequestConnControl.java  |  7 -------
 .../hc/core5/http2/protocol/H2RequestContent.java      |  6 ++++++
 .../hc/core5/http/protocol/RequestConnControl.java     |  4 ----
 .../apache/hc/core5/http/protocol/RequestContent.java  |  5 +++++
 .../core5/http/protocol/TestStandardInterceptors.java  | 18 +++++++++---------
 5 files changed, 20 insertions(+), 20 deletions(-)


[httpcomponents-core] 01/01: HTTPCLIENT-1981: disallow TRACE requests with an enclosed entity

Posted by ol...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

olegk pushed a commit to branch HTTPCLIENT-1981
in repository https://gitbox.apache.org/repos/asf/httpcomponents-core.git

commit a0ddcd1aad55c9bcf4735c829470c07e1e9944d8
Author: Oleg Kalnichevski <ol...@apache.org>
AuthorDate: Sat Apr 6 14:58:19 2019 +0200

    HTTPCLIENT-1981: disallow TRACE requests with an enclosed entity
---
 .../org/apache/hc/core5/http2/protocol/H2RequestContent.java     | 6 ++++++
 .../org/apache/hc/core5/http/protocol/RequestConnControl.java    | 1 -
 .../java/org/apache/hc/core5/http/protocol/RequestContent.java   | 5 +++++
 .../apache/hc/core5/http/protocol/TestStandardInterceptors.java  | 9 +++++++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestContent.java b/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestContent.java
index 086b7e1..b8fe9ff 100644
--- a/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestContent.java
+++ b/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestContent.java
@@ -34,6 +34,8 @@ import org.apache.hc.core5.annotation.ThreadingBehavior;
 import org.apache.hc.core5.http.EntityDetails;
 import org.apache.hc.core5.http.HttpException;
 import org.apache.hc.core5.http.HttpRequest;
+import org.apache.hc.core5.http.Methods;
+import org.apache.hc.core5.http.ProtocolException;
 import org.apache.hc.core5.http.ProtocolVersion;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.protocol.HttpContext;
@@ -66,6 +68,10 @@ public class H2RequestContent extends RequestContent {
         if (ver.getMajor() < 2) {
             super.process(request, entity, context);
         } else if (entity != null) {
+            final String method = request.getMethod();
+            if (Methods.TRACE.isSame(method)) {
+                throw new ProtocolException("TRACE request may not enclose an entity");
+            }
             MessageSupport.addContentTypeHeader(request, entity);
             MessageSupport.addContentEncodingHeader(request, entity);
             MessageSupport.addTrailerHeader(request, entity);
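Review bot: The TRACE check added to the `else if (entity != null)` branch is not covered by any test visible in this diff. The only test the commit adds, `testRequestContentTraceWithEntity`, drives `RequestContent`. A matching test that runs `H2RequestContent` on a TRACE request with an entity and an HTTP/2 protocol version would keep the two implementations from drifting apart. The literal `"TRACE request may not enclose an entity"` is also repeated in both classes, so a shared constant would keep the messages identical. The body of `process` continues outside the hunk.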
diff --git a/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestConnControl.java b/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestConnControl.java
index 5340f55..722caad 100644
--- a/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestConnControl.java
+++ b/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestConnControl.java
@@ -64,7 +64,6 @@ public class RequestConnControl implements HttpRequestInterceptor {
         if (Methods.CONNECT.isSame(method)) {
             return;
         }
-
         if (!request.containsHeader(HttpHeaders.CONNECTION)) {
             // Default policy is to keep connection alive
             // whenever possible
diff --git a/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestContent.java b/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestContent.java
index a7f0ba9..fe033b4 100644
--- a/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestContent.java
+++ b/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestContent.java
@@ -38,6 +38,7 @@ import org.apache.hc.core5.http.HttpHeaders;
 import org.apache.hc.core5.http.HttpRequest;
 import org.apache.hc.core5.http.HttpRequestInterceptor;
 import org.apache.hc.core5.http.HttpVersion;
+import org.apache.hc.core5.http.Methods;
 import org.apache.hc.core5.http.ProtocolException;
 import org.apache.hc.core5.http.ProtocolVersion;
 import org.apache.hc.core5.http.message.MessageSupport;
@@ -87,6 +88,10 @@ public class RequestContent implements HttpRequestInterceptor {
     public void process(final HttpRequest request, final EntityDetails entity, final HttpContext context)
             throws HttpException, IOException {
         Args.notNull(request, "HTTP request");
+        final String method = request.getMethod();
+        if (Methods.TRACE.isSame(method) && entity != null) {
+            throw new ProtocolException("TRACE request may not enclose an entity");
+        }
         if (this.overwrite) {
             request.removeHeaders(HttpHeaders.TRANSFER_ENCODING);
             request.removeHeaders(HttpHeaders.CONTENT_LENGTH);
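Review bot: The new guard at the top of `process` has no comment or Javadoc naming the rule it enforces, so a later reader cannot tell whether it is local policy or a protocol requirement. I would put a comment above it such as `// RFC 7231, section 4.3.8: a client MUST NOT send a message body in a TRACE request`. The method Javadoc, which lies outside the hunk, should also say that a `ProtocolException` is thrown for a TRACE request with an entity. Because the check runs before the `overwrite` block, the request headers are left untouched when it throws, and that is worth stating in the same comment.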
diff --git a/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java b/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java
index d44f003..b8bce7b 100644
--- a/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java
+++ b/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java
@@ -311,6 +311,15 @@ public class TestStandardInterceptors {
         Assert.assertEquals("h1, h2", header2.getValue());
     }
 
+    @Test(expected = ProtocolException.class)
+    public void testRequestContentTraceWithEntity() throws Exception {
+        final HttpContext context = new BasicHttpContext(null);
+        final BasicClassicHttpRequest request = new BasicClassicHttpRequest(Methods.TRACE, "/");
+        request.setEntity(new StringEntity("stuff"));
+        final RequestContent interceptor = new RequestContent();
+        interceptor.process(request, request.getEntity(), context);
+    }
+
     @Test
     public void testRequestExpectContinueGenerated() throws Exception {
         final HttpCoreContext context = HttpCoreContext.create();
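Review bot: The added test pins only the rejecting case, so nothing here protects the `&& entity != null` half of the new condition in `RequestContent.process`. If that condition were later simplified to reject every TRACE request, `testRequestContentTraceWithEntity` would still pass. A companion test that sends a TRACE request without an entity and expects no exception closes the gap. Separately, `@Test(expected = ProtocolException.class)` accepts a `ProtocolException` from any cause, so asserting on the message would make the existing test more precise.

```java
@Test
public void testRequestContentTraceWithoutEntity() throws Exception {
    final HttpContext context = new BasicHttpContext(null);
    final BasicClassicHttpRequest request = new BasicClassicHttpRequest(Methods.TRACE, "/");
    final RequestContent interceptor = new RequestContent();
    // must not throw: only an enclosed entity makes a TRACE request invalid
    interceptor.process(request, request.getEntity(), context);
}
```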