From 29f61b3b0a5b2dcfef125363da3b5338dcc7de94 Mon Sep 17 00:00:00 2001
From: Patrick Concannon
Date: Wed, 14 Jul 2021 13:41:38 +0000
Subject: [PATCH] 8269944: Better HTTP transport redux
Reviewed-by: dfuchs, chegar, rhalade, ahgross
---
 .../classes/sun/net/httpserver/FixedLengthInputStream.java | 3 +++
 .../classes/sun/net/httpserver/FixedLengthOutputStream.java | 3 +++
 .../share/classes/sun/net/httpserver/Request.java | 6 ++++--
 .../share/classes/sun/net/httpserver/ServerImpl.java | 5 +++++
 4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthInputStream.java b/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthInputStream.java
index c875a1ab9b4..ac6fb7be005 100644
--- a/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthInputStream.java
+++ b/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthInputStream.java
@@ -41,6 +41,9 @@ class FixedLengthInputStream extends LeftOverInputStream {
 FixedLengthInputStream (ExchangeImpl t, InputStream src, long len) {
 super (t, src);
+ if (len < 0) {
+ throw new IllegalArgumentException("Content-Length: " + len);
+ }
 this.remaining = len;
 }
diff --git a/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthOutputStream.java b/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthOutputStream.java
index 8b431645ceb..4935214c2e1 100644
--- a/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthOutputStream.java
+++ b/src/jdk.httpserver/share/classes/sun/net/httpserver/FixedLengthOutputStream.java
@@ -47,6 +47,9 @@ class FixedLengthOutputStream extends FilterOutputStream
 FixedLengthOutputStream (ExchangeImpl t, OutputStream src, long len) {
 super (src);
+ if (len < 0) {
+ throw new IllegalArgumentException("Content-Length: " + len);
+ }
 this.t = t;
 this.remaining = len;
 }
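Review bot: The `len < 0` guard added to the FixedLengthInputStream constructor throws an unchecked IllegalArgumentException that nothing in the hunk documents, and the identical guard in the FixedLengthOutputStream hunk has the same gap. A short comment above each check would record why it exists, for example `// a negative length must never reach 'remaining'; callers are expected to reject it first`, plus a `@throws IllegalArgumentException if len is negative` line if the constructors carry Javadoc. The ServerImpl hunk in this patch rejects a negative request Content-Length before the input stream is built, so on that path the guard is defence in depth. The call site that builds the output stream is not visible here, so it is worth confirming that it cannot pass a negative value and let the exception escape mid-response.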
diff --git a/src/jdk.httpserver/share/classes/sun/net/httpserver/Request.java b/src/jdk.httpserver/share/classes/sun/net/httpserver/Request.java
index 265b5c82718..92b2f709c34 100644
--- a/src/jdk.httpserver/share/classes/sun/net/httpserver/Request.java
+++ b/src/jdk.httpserver/share/classes/sun/net/httpserver/Request.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -208,7 +208,9 @@ class Request {
 "sun.net.httpserver.maxReqHeaders) exceeded, " +
 ServerConfig.getMaxReqHeaders() + ".");
 }
-
+ if (k == null) { // Headers disallows null keys, use empty string
+ k = ""; // instead to represent invalid key
+ }
 hdrs.add (k,v);
 len = 0;
 }
diff --git a/src/jdk.httpserver/share/classes/sun/net/httpserver/ServerImpl.java b/src/jdk.httpserver/share/classes/sun/net/httpserver/ServerImpl.java
index ec6b99ab8be..d5bd8025788 100644
--- a/src/jdk.httpserver/share/classes/sun/net/httpserver/ServerImpl.java
+++ b/src/jdk.httpserver/share/classes/sun/net/httpserver/ServerImpl.java
@@ -618,6 +618,11 @@ class ServerImpl implements TimeSource {
 headerValue = headers.getFirst("Content-Length");
 if (headerValue != null) {
 clen = Long.parseLong(headerValue);
+ if (clen < 0) {
+ reject(Code.HTTP_BAD_REQUEST, requestLine,
+ "Illegal Content-Length value");
+ return;
+ }
 }
 if (clen == 0) {
 requestCompleted(connection);
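Review bot: Mapping a null key to `""` just before `hdrs.add (k,v)` keeps a header line that had no parseable name in the request instead of rejecting it, and every such line ends up under the same empty name. If that leniency is intended, say so in one comment above the `if` rather than in two trailing fragments, e.g. `// Headers rejects null keys; keep a line with no valid name under "" so parsing continues`. If it is not intended, failing the request at this point would be the stricter choice, since intermediaries and this server may otherwise disagree about which headers the request carries. The enclosing method starts and ends outside the hunk, so how `k` becomes null and whether `v` can also be null here are not visible.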
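Review bot: The new `clen < 0` check closes the negative case, but `Long.parseLong(headerValue)` on the line above it still accepts a leading `+` sign, which is not a valid Content-Length. Separately, `headers.getFirst("Content-Length")` reads only the first value, so a request with several differing Content-Length fields is not caught here. Strict framing validation matters because a front-end proxy and this server can otherwise disagree on where the body ends. A digits-only test before parsing would tighten it: `if (headerValue.isEmpty() || !headerValue.chars().allMatch(ch -> ch >= '0' && ch <= '9')) { reject(Code.HTTP_BAD_REQUEST, requestLine, "Illegal Content-Length value"); return; }`. The surrounding method is outside the hunk, so whether a NumberFormatException from `parseLong` is already turned into a 400 response should be confirmed there.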