Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce UriCompliance.Violation.FRAGMENT to reject HTTP Request Line that includes fragment section. #11579

Open
joakime opened this issue Mar 27, 2024 · 3 comments · May be fixed by #11580
Open

Introduce UriCompliance.Violation.FRAGMENT to reject HTTP Request Line that includes fragment section. #11579

joakime opened this issue Mar 27, 2024 · 3 comments · May be fixed by #11580
Assignees
@joakime
Labels
Bug For general bugs on Jetty side Specification For all industry Specifications (IETF / Servlet / etc)

Comments

@joakime
Copy link
Contributor

joakime commented Mar 27, 2024
edited

Jetty version(s)
12.0.7

Jetty Environment
All

Java version/vendor (use: java -version)
All

OS type/version
All

Description
While working PR #11496 the idea of not allowing FRAGMENT section in a Request Line was introduced.

It is good idea that seems to follow the HTTP spec.

If we do this, we should be careful how we do it, and allow a configurable UriCompliance mode to configure the behavior.

See original commit (reverted in PR #11496):
fed10f7
@joakime joakime added Bug For general bugs on Jetty side Specification For all industry Specifications (IETF / Servlet / etc) labels Mar 27, 2024
joakime added a commit that referenced this issue Mar 27, 2024
@joakime
Issue #11579 - Reject Query in HttpURI
3f06eb3
@joakime joakime self-assigned this Mar 27, 2024
@joakime joakime linked a pull request Mar 27, 2024 that will close this issue
Issue #11579 - Reject Target in Request Path #11580
Draft
@joakime
Copy link
Contributor Author

joakime commented Mar 27, 2024

Opened PR #11580 to start this issue.
Currently just a cherry-pick of commit fed10f7 along with some testcase updates

@sbordet
Copy link
Contributor

sbordet commented Mar 27, 2024

@joakime can you please reword everywhere you wrote "query" meaning "fragment"?

@joakime joakime changed the title Introduce UriCompliance.Violation.FRAGMENT to reject HTTP Request Line that includes Query section. Introduce UriCompliance.Violation.FRAGMENT to reject HTTP Request Line that includes fragment section. Mar 27, 2024
@joakime
Copy link
Contributor Author

joakime commented Mar 27, 2024

Yeah, sorry, my mind was stuck on the exception message from the old PR ...

jetty.project/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java

Lines 1460 to 1461 in fed10f7

if (last != null && state.ordinal() > last.ordinal())
throw new IllegalArgumentException("uri cannot go beyond " + last);

The exception messages from that commit showed up as ...

HTTP/1.1 400 Bad Request
Server: Jetty(12.0.8-SNAPSHOT)
Date: Wed, 27 Mar 2024 08:30:11 GMT
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 621
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 400 Bad Request</title>
</head>
<body>
<h2>HTTP ERROR 400 Bad Request</h2>
<table>
<tr><th>URI:</th><td>/badMessage</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Bad Request</td></tr>
<tr><th>CAUSED BY:</th><td>org.eclipse.jetty.http.BadMessageException: 400: Bad Request</td></tr>
<tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: uri cannot go beyond QUERY</td></tr>
</table>
<hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 12.0.8-SNAPSHOT</a><hr/>
</body>
</html>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joakime joakime

Labels
Bug For general bugs on Jetty side Specification For all industry Specifications (IETF / Servlet / etc)
Projects
Jetty 12.0.10
Status: 🏗 In progress
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Issue #11579 - Reject Target in Request Path jetty/jetty.project
2 participants
@joakime @sbordet