Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #6302 - Treat empty path segments as ambiguous. #6304

Merged
merged 13 commits into from Jun 10, 2021
Merged

Issue #6302 - Treat empty path segments as ambiguous. #6304

merged 13 commits into from Jun 10, 2021

Conversation

lachlan-roberts
Copy link
Contributor

Signed-off-by: Lachlan Roberts lachlan@webtide.com

@lachlan-roberts
Issue #6302 - Treat empty path segments are ambiguous.
36332ab 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@gregw
Copy link
Contributor

gregw commented May 21, 2021

I think we also need to add something in the documentation regarding ambiguous URIs, how to configure and alternatives if they are not exactly correct. @lachlan-roberts do you want to have a go at the doco, or should I push an attempt to this branch?

@lachlan-roberts
Copy link
Contributor Author

@gregw you can push an attempt to this branch if you want.

@lachlan-roberts
Fix false empty segments being reported + changes from review.
c30875e 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@gregw
Copy link
Contributor

gregw commented May 21, 2021

I have moved the doco work to #6312 , so this PR can proceed without waiting for it.

@gregw gregw added this to In progress in Jetty 10.0.4/11.0.4 FROZEN via automation May 21, 2021
@lachlan-roberts
Fix broken test + improve comments.
3206dab 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts lachlan-roberts marked this pull request as ready for review May 24, 2021 00:01
@lachlan-roberts lachlan-roberts changed the title Issue #6302 - Treat empty path segments are ambiguous. Issue #6302 - Treat empty path segments as ambiguous. May 24, 2021
Jetty 10.0.4/11.0.4 FROZEN automation moved this from In progress to Review in progress May 24, 2021
@lachlan-roberts
Add HttpUriTests for the empty segment as ambiguous
3aec963 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Issue #63002 - Only call checkSegment() for real empty segments.
0cae7bf 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Issue #63002 - Empty segments are only ambiguous if followed by a '#'…
2649182 
…, '?' or end of string

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Copy link
Contributor Author

@gregw DefaultServletTest.testListingWithSession() is failing because it is trying a request to /context/;JSESSIONID=1234567890 which is now classified as having an ambiguous segment.

What do you think about this, should I fix this test to remove the ; from the URI?

@gregw
Copy link
Contributor

gregw commented May 26, 2021

@lachlan-roberts Ouch! that's a tough one. There definitely is an empty segment there, but we don't care because it is the last segment and we are happy to ignore empty segments when they are the last ones.... but at the time we check it, we don't know if it is the last one or not.

So how do we make /foo/;param/bar ambiguous, but /foo/;param not ? ideas???
Perhaps an empty segment is only ambiguous if we have see another segment after it?
So the first time checkSegment is called with an empty segment, we just remember we have seen an empty segment, then if checkSegment is ever called again we say we are ambiguous. That might be better than checking for the termination character???

@lachlan-roberts
If only the last segment is empty it is not ambiguous.
2792217 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
gregw
gregw reviewed May 27, 2021
View reviewed changes
Copy link
Contributor

@gregw gregw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've had enough input into this PR that it needs another reviewer.
However, other than some niggles, it LGTM

jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Outdated Show resolved Hide resolved
jetty-server/src/main/java/org/eclipse/jetty/server/Request.java Show resolved Hide resolved
jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java Outdated Show resolved Hide resolved
@lachlan-roberts
improve testing for path HttpUri pathQuery()
3dd5460 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Add javadoc for HttpURI.Ambiguous
93eaffd 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@gregw gregw dismissed their stale review May 31, 2021 04:56

I've contributed too much to this. We need another reviewer

@lachlan-roberts
Add decodedPath to testPathQuery() expectations.
918f377 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts
Copy link
Contributor Author

@sbordet / @joakime can you please review this PR

@sbordet sbordet removed this from Review in progress in Jetty 10.0.4/11.0.4 FROZEN Jun 4, 2021
@sbordet sbordet added this to In progress in Jetty 10.0.5/11.0.5 FROZEN via automation Jun 4, 2021
@sbordet sbordet linked an issue Jun 4, 2021 that may be closed by this pull request
Treat empty path segments are ambiguous. #6302
Closed
sbordet
sbordet requested changes Jun 7, 2021
View reviewed changes
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Outdated Show resolved Hide resolved
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Outdated Show resolved Hide resolved
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Show resolved Hide resolved
jetty-server/src/test/java/org/eclipse/jetty/server/RequestTest.java
_connector.getBean(HttpConnectionFactory.class).getHttpConfiguration().setUriCompliance(UriCompliance.RFC3986);
assertThat(_connector.getResponse(request), startsWith("HTTP/1.1 200"));
_connector.getBean(HttpConnectionFactory.class).getHttpConfiguration().setUriCompliance(UriCompliance.UNSAFE);
assertThat(_connector.getResponse(request), startsWith("HTTP/1.1 200"));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add other combinations?

//ambiguous/initial
/ambiguous//middle
/double//ambiguous//
//triple//ambiguous//

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this would be the right place for these extra tests. This is just testing how the compliance modes handle and empty segment.

What combinations cause an empty segment is tested by HttpUriTest. We already cover these cases, but I have also added these ones exactly to be sure.

Jetty 10.0.5/11.0.5 FROZEN automation moved this from In progress to Review in progress Jun 7, 2021
gregw
gregw requested changes Jun 8, 2021
View reviewed changes
Copy link
Contributor

@gregw gregw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is at least one negation error in the comments.
Also here are some suggested improvements to the wording of them

jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Outdated Show resolved Hide resolved
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Outdated Show resolved Hide resolved
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Outdated Show resolved Hide resolved
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java Outdated Show resolved Hide resolved
@lachlan-roberts
Change comments, add some extra tests.
339e245 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
gregw
gregw previously approved these changes Jun 10, 2021
View reviewed changes
@sbordet sbordet self-requested a review June 10, 2021 10:32
Jetty 10.0.5/11.0.5 FROZEN automation moved this from Review in progress to Reviewer approved Jun 10, 2021
@lachlan-roberts lachlan-roberts mentioned this pull request Jun 10, 2021
Closed
@sbordet sbordet merged commit b4d7e51 into jetty-10.0.x Jun 10, 2021
Jetty 10.0.5/11.0.5 FROZEN automation moved this from Reviewer approved to Done Jun 10, 2021
@sbordet sbordet deleted the jetty-10.0.x-6302-EmptyPathSegments branch June 10, 2021 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gregw gregw gregw left review comments

@sbordet sbordet sbordet approved these changes

@joakime joakime Awaiting requested review from joakime

Assignees
No one assigned
Labels
None yet
Projects
No open projects
Jetty 10.0.5/11.0.5 FROZEN
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Treat empty path segments are ambiguous.
4 participants
@lachlan-roberts @gregw @joakime @sbordet