6890349: Fix #6870935 in jdk7/pit/b74 caused HttpClinet's check for "proxy capture" attack by-passed

Pass exception up stack

Reviewed-by: chegar
Michael McMahon 2009-10-20 15:35:55 +01:00
parent c225292004
commit 562fb9a67f
3 changed files with 76 additions and 10 deletions


@ -284,14 +284,16 @@ class DigestAuthentication extends AuthenticationInfo {
params.setOpaque (p.findValue("opaque"));
params.setQop (p.findValue("qop"));
String uri;
String uri="";
String method;
if (type == PROXY_AUTHENTICATION &&
conn.tunnelState() == HttpURLConnection.TunnelState.SETUP) {
uri = HttpURLConnection.connectRequestURI(conn.getURL());
method = HTTP_CONNECT;
} else {
uri = conn.getRequestURI();
try {
uri = conn.getRequestURI();
} catch (IOException e) {}
method = conn.getMethod();
}
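Review bot: The new `catch (IOException e) {}` around `conn.getRequestURI()` discards the exception that this commit otherwise starts passing up the stack, and with the `String uri=""` default the digest parameters are then built from an empty URI. The enclosing method starts and ends outside the hunk, so it is not visible whether it could declare `throws IOException` or report failure through its return value; if it can, that is preferable to continuing. If ignoring really is intended, say so at the catch, for example `} catch (IOException ignored) { /* TODO confirm: the same URI is checked again before the request is written */ }`, so the silent fallback is not mistaken for an oversight.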


@ -1543,7 +1543,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
* because ntlm does not support this feature.
*/
private AuthenticationInfo
resetProxyAuthentication(AuthenticationInfo proxyAuthentication, AuthenticationHeader auth) {
resetProxyAuthentication(AuthenticationInfo proxyAuthentication, AuthenticationHeader auth) throws IOException {
if ((proxyAuthentication != null )&&
proxyAuthentication.getAuthScheme() != NTLM) {
String raw = auth.raw();
@ -1767,7 +1767,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
/**
* Sets pre-emptive proxy authentication in header
*/
private void setPreemptiveProxyAuthentication(MessageHeader requests) {
private void setPreemptiveProxyAuthentication(MessageHeader requests) throws IOException {
AuthenticationInfo pauth
= AuthenticationInfo.getProxyAuth(http.getProxyHostUsed(),
http.getProxyPortUsed());
@ -2123,13 +2123,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
String requestURI = null;
String getRequestURI() {
String getRequestURI() throws IOException {
if (requestURI == null) {
try {
requestURI = http.getURLFile();
} catch (IOException e) {
requestURI = "";
}
requestURI = http.getURLFile();
}
return requestURI;
}
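Review bot: getRequestURI() now throws where it used to return an empty string, but nothing on the method records that or why, and the Javadoc of the two private methods that gained `throws IOException` (resetProxyAuthentication, setPreemptiveProxyAuthentication) has no `@throws` line. A short comment on getRequestURI would help keep a later change from reintroducing the swallow, for example `// Do not catch here: an IOException from http.getURLFile() must reach the caller.` Since requestURI stays null after a failure, every later call repeats the getURLFile() check; that looks intended and is worth stating in the same comment. The callers of these methods are outside the hunks, so whether all of them propagate the exception cannot be confirmed from this page.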


@ -0,0 +1,68 @@
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
* @bug 6890349
* @run main/othervm B6890349
* @summary Light weight HTTP server
*/
import java.net.*;
import java.io.*;
public class B6890349 extends Thread {
public static final void main(String[] args) throws Exception {
try {
ServerSocket server = new ServerSocket (0);
int port = server.getLocalPort();
System.out.println ("listening on " + port);
B6890349 t = new B6890349 (server);
t.start();
URL u = new URL ("http://127.0.0.1:"+port+"/foo\nbar");
HttpURLConnection urlc = (HttpURLConnection)u.openConnection ();
InputStream is = urlc.getInputStream();
throw new RuntimeException ("Test failed");
} catch (IOException e) {
System.out.println ("OK");
}
}
ServerSocket server;
B6890349 (ServerSocket server) {
this.server = server;
}
String resp = "HTTP/1.1 200 Ok\r\nContent-length: 0\r\n\r\n";
public void run () {
try {
Socket s = server.accept ();
OutputStream os = s.getOutputStream();
os.write (resp.getBytes());
} catch (IOException e) {
System.out.println (e);
}
}
}
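Review bot: The `catch (IOException e)` at the end of main counts any IOException from `getInputStream()` as a pass, so the test cannot distinguish the expected rejection of the `/foo\nbar` URL from an unrelated connection failure. Printing the exception, `System.out.println ("OK: " + e);`, would at least make the log show which one occurred. The ServerSocket is never closed; declaring it before the `try` and adding `finally { server.close(); }` would release the port and unblock `accept()` in the server thread if the client never connects. The `@summary Light weight HTTP server` line does not describe what this test verifies and should name the behaviour under test.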