6890349: Fix #6870935 in jdk7/pit/b74 caused HttpClinet's check for "proxy capture" attack by-passed

Pass exception up stack Reviewed-by: chegar
2009-10-20 15:35:55 +01:00 · 2009-10-20 15:35:55 +01:00 · 562fb9a67f
commit 562fb9a67f
parent c225292004
3 changed files with 76 additions and 10 deletions
--- a/jdk/src/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
@ -284,14 +284,16 @@ class DigestAuthentication extends AuthenticationInfo {
        params.setOpaque (p.findValue("opaque"));
        params.setQop (p.findValue("qop"));

-        String uri;
+        String uri="";
        String method;
        if (type == PROXY_AUTHENTICATION &&
                conn.tunnelState() == HttpURLConnection.TunnelState.SETUP) {
            uri = HttpURLConnection.connectRequestURI(conn.getURL());
            method = HTTP_CONNECT;
        } else {
-            uri = conn.getRequestURI();
+            try {
+                uri = conn.getRequestURI();
+            } catch (IOException e) {}
            method = conn.getMethod();
        }

--- a/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@ -1543,7 +1543,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
     * because ntlm does not support this feature.
     */
    private AuthenticationInfo
-        resetProxyAuthentication(AuthenticationInfo proxyAuthentication, AuthenticationHeader auth) {
+        resetProxyAuthentication(AuthenticationInfo proxyAuthentication, AuthenticationHeader auth) throws IOException {
        if ((proxyAuthentication != null )&&
             proxyAuthentication.getAuthScheme() != NTLM) {
            String raw = auth.raw();
@ -1767,7 +1767,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
    /**
     * Sets pre-emptive proxy authentication in header
     */
-    private void setPreemptiveProxyAuthentication(MessageHeader requests) {
+    private void setPreemptiveProxyAuthentication(MessageHeader requests) throws IOException {
        AuthenticationInfo pauth
            = AuthenticationInfo.getProxyAuth(http.getProxyHostUsed(),
                                              http.getProxyPortUsed());
@ -2123,13 +2123,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection {

    String requestURI = null;

-    String getRequestURI() {
+    String getRequestURI() throws IOException {
        if (requestURI == null) {
-            try {
-                requestURI = http.getURLFile();
-            } catch (IOException e) {
-                requestURI = "";
-            }
+            requestURI = http.getURLFile();
        }
        return requestURI;
    }
--- a/jdk/test/sun/net/www/protocol/http/B6890349.java
+++ b/jdk/test/sun/net/www/protocol/http/B6890349.java
@ -0,0 +1,68 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+/**
+ * @test
+ * @bug 6890349
+ * @run main/othervm B6890349
+ * @summary  Light weight HTTP server
+ */
+
+import java.net.*;
+import java.io.*;
+
+public class B6890349 extends Thread {
+    public static final void main(String[] args) throws Exception {
+
+        try {
+            ServerSocket server = new ServerSocket (0);
+            int port = server.getLocalPort();
+            System.out.println ("listening on "  + port);
+            B6890349 t = new B6890349 (server);
+            t.start();
+            URL u = new URL ("http://127.0.0.1:"+port+"/foo\nbar");
+            HttpURLConnection urlc = (HttpURLConnection)u.openConnection ();
+            InputStream is = urlc.getInputStream();
+            throw new RuntimeException ("Test failed");
+        } catch (IOException e) {
+            System.out.println ("OK");
+        }
+    }
+
+    ServerSocket server;
+
+    B6890349 (ServerSocket server) {
+        this.server = server;
+    }
+
+    String resp = "HTTP/1.1 200 Ok\r\nContent-length: 0\r\n\r\n";
+
+    public void run () {
+        try {
+            Socket s = server.accept ();
+            OutputStream os = s.getOutputStream();
+            os.write (resp.getBytes());
+        } catch (IOException e) {
+            System.out.println (e);
+        }
+    }
+}