Merge pull request #6411 from eclipse/jetty-10.0.x-6407-ClientUpgrade…

…RequestUri Issue #6407 - Fix URI validation for WebSocket ClientUpgradeRequest
jetty · Jun 23, 2021 · 1cd0093 · 1cd0093
2 parents 291218b + 402d79f
commit 1cd0093
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 38 deletions.
diff --git a/...lient/src/main/java/org/eclipse/jetty/websocket/core/client/CoreClientUpgradeRequest.java b/...lient/src/main/java/org/eclipse/jetty/websocket/core/client/CoreClientUpgradeRequest.java
@@ -88,25 +88,17 @@ public CoreClientUpgradeRequest(WebSocketCoreClient webSocketClient, URI request
 
         // Validate websocket URI
         if (!requestURI.isAbsolute())
-        {
             throw new IllegalArgumentException("WebSocket URI must be absolute");
-        }
 
         if (StringUtil.isBlank(requestURI.getScheme()))
-        {
             throw new IllegalArgumentException("WebSocket URI must include a scheme");
-        }
 
         String scheme = requestURI.getScheme();
         if (!HttpScheme.WS.is(scheme) && !HttpScheme.WSS.is(scheme))
-        {
             throw new IllegalArgumentException("WebSocket URI scheme only supports [ws] and [wss], not [" + scheme + "]");
-        }
 
         if (requestURI.getHost() == null)
-        {
             throw new IllegalArgumentException("Invalid WebSocket URI: host not present");
-        }
 
         this.wsClient = webSocketClient;
         this.futureCoreSession = new CompletableFuture<>();
@@ -437,7 +429,7 @@ else if (values.length == 1)
         Negotiated negotiated = new Negotiated(
             request.getURI(),
             negotiatedSubProtocol,
-            HttpScheme.HTTPS.is(request.getScheme()), // TODO better than this?
+            HttpClient.isSchemeSecure(request.getScheme()),
             extensionStack,
             WebSocketConstants.SPEC_VERSION_STRING);
 

diff --git a/...ocket-core-common/src/main/java/org/eclipse/jetty/websocket/core/internal/Negotiated.java b/...ocket-core-common/src/main/java/org/eclipse/jetty/websocket/core/internal/Negotiated.java
@@ -22,6 +22,7 @@
 import java.util.Objects;
 import java.util.stream.Collectors;
 
+import org.eclipse.jetty.http.HttpScheme;
 import org.eclipse.jetty.util.MultiMap;
 import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.UrlEncoded;
@@ -134,24 +135,14 @@ public static URI toWebsocket(final URI uri)
             String httpScheme = uri.getScheme();
             if (httpScheme == null)
                 return uri;
-
-            if ("ws".equalsIgnoreCase(httpScheme) || "wss".equalsIgnoreCase(httpScheme))
-            {
-                // keep as-is
+            if (HttpScheme.WS.is(httpScheme) || HttpScheme.WSS.is(httpScheme))
                 return uri;
-            }
-
-            if ("http".equalsIgnoreCase(httpScheme))
-            {
-                // convert to ws
-                return new URI("ws" + uri.toString().substring(httpScheme.length()));
-            }
 
-            if ("https".equalsIgnoreCase(httpScheme))
-            {
-                // convert to wss
-                return new URI("wss" + uri.toString().substring(httpScheme.length()));
-            }
+            String afterScheme = uri.toString().substring(httpScheme.length());
+            if (HttpScheme.HTTP.is(httpScheme))
+                return new URI("ws" + afterScheme);
+            if (HttpScheme.HTTPS.is(httpScheme))
+                return new URI("wss" + afterScheme);
 
             throw new URISyntaxException(uri.toString(), "Unrecognized HTTP scheme");
         }

diff --git a/...bsocket/websocket-jetty-api/src/main/java/org/eclipse/jetty/websocket/api/util/WSURI.java b/...bsocket/websocket-jetty-api/src/main/java/org/eclipse/jetty/websocket/api/util/WSURI.java
@@ -103,23 +103,17 @@ public static URI toWebsocket(final URI inputUri) throws URISyntaxException
     {
         Objects.requireNonNull(inputUri, "Input URI must not be null");
         String httpScheme = inputUri.getScheme();
+        if (httpScheme == null)
+            throw new URISyntaxException(inputUri.toString(), "Undefined HTTP scheme");
+
         if ("ws".equalsIgnoreCase(httpScheme) || "wss".equalsIgnoreCase(httpScheme))
-        {
-            // keep as-is
             return inputUri;
-        }
 
+        String afterScheme = inputUri.toString().substring(httpScheme.length());
         if ("http".equalsIgnoreCase(httpScheme))
-        {
-            // convert to ws
-            return new URI("ws" + inputUri.toString().substring(httpScheme.length()));
-        }
-
+            return new URI("ws" + afterScheme);
         if ("https".equalsIgnoreCase(httpScheme))
-        {
-            // convert to wss
-            return new URI("wss" + inputUri.toString().substring(httpScheme.length()));
-        }
+            return new URI("wss" + afterScheme);
 
         throw new URISyntaxException(inputUri.toString(), "Unrecognized HTTP scheme");
     }

diff --git a/...t-jetty-client/src/main/java/org/eclipse/jetty/websocket/client/ClientUpgradeRequest.java b/...t-jetty-client/src/main/java/org/eclipse/jetty/websocket/client/ClientUpgradeRequest.java
@@ -50,11 +50,15 @@ public ClientUpgradeRequest()
         this.host = null;
     }
 
+    /**
+     * @deprecated use {@link #ClientUpgradeRequest()} instead.
+     */
+    @Deprecated
     public ClientUpgradeRequest(URI uri)
     {
         this.requestURI = uri;
         String scheme = uri.getScheme();
-        if (!HttpScheme.WS.is(scheme) || !HttpScheme.WSS.is(scheme))
+        if (!HttpScheme.WS.is(scheme) && !HttpScheme.WSS.is(scheme))
             throw new IllegalArgumentException("URI scheme must be 'ws' or 'wss'");
         this.host = this.requestURI.getHost();
     }