Skip to content

Commit

Permalink
Fix #4275 fail URIs with ambiguous segments (#5954)
Browse files Browse the repository at this point in the history
Handle URIs by first resolving relative paths and then decoding.
Added compliance mode to return 400 if there are ambiguous path segments.

Signed-off-by: Greg Wilkins <gregw@webtide.com>
  • Loading branch information
gregw authored Feb 16, 2021
1 parent 5dd9877 commit 20ef71f
Show file tree
Hide file tree
Showing 14 changed files with 456 additions and 160 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -56,23 +56,26 @@ public enum HttpCompliance // TODO in Jetty-10 convert this enum to a class so t
LEGACY(sectionsBySpec("0,METHOD_CASE_SENSITIVE")),

/**
* The legacy RFC2616 support, which incorrectly excludes
* The legacy RFC2616 support, which excludes
* {@link HttpComplianceSection#METHOD_CASE_SENSITIVE},
* {@link HttpComplianceSection#FIELD_COLON},
* {@link HttpComplianceSection#TRANSFER_ENCODING_WITH_CONTENT_LENGTH},
* {@link HttpComplianceSection#MULTIPLE_CONTENT_LENGTHS},
* {@link HttpComplianceSection#MULTIPLE_CONTENT_LENGTHS} and
* {@link HttpComplianceSection#NO_AMBIGUOUS_PATH_SEGMENTS}.
*/
RFC2616_LEGACY(sectionsBySpec("RFC2616,-FIELD_COLON,-METHOD_CASE_SENSITIVE,-TRANSFER_ENCODING_WITH_CONTENT_LENGTH,-MULTIPLE_CONTENT_LENGTHS")),
RFC2616_LEGACY(sectionsBySpec("RFC2616,-FIELD_COLON,-METHOD_CASE_SENSITIVE,-TRANSFER_ENCODING_WITH_CONTENT_LENGTH,-MULTIPLE_CONTENT_LENGTHS,-NO_AMBIGUOUS_PATH_SEGMENTS")),

/**
* The strict RFC2616 support mode
*/
RFC2616(sectionsBySpec("RFC2616")),

/**
* Jetty's current RFC7230 support, which incorrectly excludes {@link HttpComplianceSection#METHOD_CASE_SENSITIVE}
* Jetty's current RFC7230 support, which excludes
* {@link HttpComplianceSection#METHOD_CASE_SENSITIVE} and
* {@link HttpComplianceSection#NO_AMBIGUOUS_PATH_SEGMENTS}.
*/
RFC7230_LEGACY(sectionsBySpec("RFC7230,-METHOD_CASE_SENSITIVE")),
RFC7230_LEGACY(sectionsBySpec("RFC7230,-METHOD_CASE_SENSITIVE,-NO_AMBIGUOUS_PATH_SEGMENTS")),

/**
* The RFC7230 support mode
Expand Down Expand Up @@ -123,18 +126,14 @@ static EnumSet<HttpComplianceSection> sectionsBySpec(String spec)
i++;
break;

case "*":
i++;
sections = EnumSet.allOf(HttpComplianceSection.class);
break;

case "RFC2616":
sections = EnumSet.complementOf(EnumSet.of(
HttpComplianceSection.NO_FIELD_FOLDING,
HttpComplianceSection.NO_HTTP_0_9));
i++;
break;

case "*":
case "RFC7230":
i++;
sections = EnumSet.allOf(HttpComplianceSection.class);
Expand All @@ -152,11 +151,6 @@ static EnumSet<HttpComplianceSection> sectionsBySpec(String spec)
if (exclude)
element = element.substring(1);
HttpComplianceSection section = HttpComplianceSection.valueOf(element);
if (section == null)
{
LOG.warn("Unknown section '" + element + "' in HttpCompliance spec: " + spec);
continue;
}
if (exclude)
sections.remove(section);
else
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,8 @@ public enum HttpComplianceSection
NO_FIELD_FOLDING("https://tools.ietf.org/html/rfc7230#section-3.2.4", "No line Folding"),
NO_HTTP_0_9("https://tools.ietf.org/html/rfc7230#appendix-A.2", "No HTTP/0.9"),
TRANSFER_ENCODING_WITH_CONTENT_LENGTH("https://tools.ietf.org/html/rfc7230#section-3.3.1", "Transfer-Encoding and Content-Length"),
MULTIPLE_CONTENT_LENGTHS("https://tools.ietf.org/html/rfc7230#section-3.3.1", "Multiple Content-Lengths");
MULTIPLE_CONTENT_LENGTHS("https://tools.ietf.org/html/rfc7230#section-3.3.1", "Multiple Content-Lengths"),
NO_AMBIGUOUS_PATH_SEGMENTS("https://tools.ietf.org/html/rfc3986#section-3.3", "No ambiguous URI path segments");

final String url;
final String description;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -311,6 +311,11 @@ public HttpHandler getHandler()
return _handler;
}

public HttpCompliance getHttpCompliance()
{
return _compliance;
}

/**
* Check RFC compliance violation
*
Expand Down
Loading

0 comments on commit 20ef71f

Please sign in to comment.