6890349: Fix #6870935 in jdk7/pit/b74 caused HttpClinet's check for "proxy capture" attack by-passed.
Summary: pass exception up stack
Reviewed-by: chegar
--- a/jdk/src/share/classes/sun/net/www/protocol/http/DigestAuthentication.java Mon Oct 19 16:31:48 2009 -0700
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/DigestAuthentication.java Tue Oct 20 15:35:55 2009 +0100
@@ -284,14 +284,16 @@
params.setOpaque (p.findValue("opaque"));
params.setQop (p.findValue("qop"));
- String uri;
+ String uri="";
String method;
if (type == PROXY_AUTHENTICATION &&
conn.tunnelState() == HttpURLConnection.TunnelState.SETUP) {
uri = HttpURLConnection.connectRequestURI(conn.getURL());
method = HTTP_CONNECT;
} else {
- uri = conn.getRequestURI();
+ try {
+ uri = conn.getRequestURI();
+ } catch (IOException e) {}
method = conn.getMethod();
}
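Review bot: The empty `catch (IOException e) {}` around `conn.getRequestURI()` swallows the exception this change makes `getRequestURI()` throw, so the digest path carries on with `uri` equal to `""`. That is the same silent fallback the commit removes from HttpURLConnection. If the enclosing method can declare `throws IOException` (its signature is outside the hunk), drop the try/catch and the `=""` initialiser and let the exception propagate. Otherwise the method should report failure rather than compute a digest response over an empty URI. If ignoring the error is in fact intended, the catch needs a comment saying why that is safe, for example `} catch (IOException e) { /* invalid URL is rejected later when the request is written */ }`, and only if that statement is verified.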
--- a/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Mon Oct 19 16:31:48 2009 -0700
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Tue Oct 20 15:35:55 2009 +0100
@@ -1543,7 +1543,7 @@
* because ntlm does not support this feature.
*/
private AuthenticationInfo
- resetProxyAuthentication(AuthenticationInfo proxyAuthentication, AuthenticationHeader auth) {
+ resetProxyAuthentication(AuthenticationInfo proxyAuthentication, AuthenticationHeader auth) throws IOException {
if ((proxyAuthentication != null )&&
proxyAuthentication.getAuthScheme() != NTLM) {
String raw = auth.raw();
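Review bot: The Javadoc above `resetProxyAuthentication`, and above `setPreemptiveProxyAuthentication` in the next hunk, is not updated for the new `throws IOException` clause. Each comment should gain a line such as `@throws IOException if the request URI cannot be obtained from the connection`. The exact wording needs confirming, because the call that can throw lies outside both hunks. As a style point, the new signature line is very long; putting `throws IOException` on its own continuation line would fit the wrapped declaration already used here.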
@@ -1767,7 +1767,7 @@
/**
* Sets pre-emptive proxy authentication in header
*/
- private void setPreemptiveProxyAuthentication(MessageHeader requests) {
+ private void setPreemptiveProxyAuthentication(MessageHeader requests) throws IOException {
AuthenticationInfo pauth
= AuthenticationInfo.getProxyAuth(http.getProxyHostUsed(),
http.getProxyPortUsed());
@@ -2123,13 +2123,9 @@
String requestURI = null;
- String getRequestURI() {
+ String getRequestURI() throws IOException {
if (requestURI == null) {
- try {
- requestURI = http.getURLFile();
- } catch (IOException e) {
- requestURI = "";
- }
+ requestURI = http.getURLFile();
}
return requestURI;
}
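Review bot: `getRequestURI()` has no comment recording why the `IOException` from `http.getURLFile()` must not be caught here, which makes the old fallback easy to reintroduce. Judging by the commit title, substituting `""` let a request with an unusable URL proceed past a later check. I would add above the method: `/* IOException from getURLFile() must reach the caller; do not fall back to "" (see 6890349). */`. The null check doubles as a cache, so a failed call leaves `requestURI` null and the next call retries; that is worth one more sentence in the same comment.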
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/net/www/protocol/http/B6890349.java Tue Oct 20 15:35:55 2009 +0100
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+/**
+ * @test
+ * @bug 6890349
+ * @run main/othervm B6890349
+ * @summary Light weight HTTP server
+ */
+
+import java.net.*;
+import java.io.*;
+
+public class B6890349 extends Thread {
+ public static final void main(String[] args) throws Exception {
+
+ try {
+ ServerSocket server = new ServerSocket (0);
+ int port = server.getLocalPort();
+ System.out.println ("listening on " + port);
+ B6890349 t = new B6890349 (server);
+ t.start();
+ URL u = new URL ("http://127.0.0.1:"+port+"/foo\nbar");
+ HttpURLConnection urlc = (HttpURLConnection)u.openConnection ();
+ InputStream is = urlc.getInputStream();
+ throw new RuntimeException ("Test failed");
+ } catch (IOException e) {
+ System.out.println ("OK");
+ }
+ }
+
+ ServerSocket server;
+
+ B6890349 (ServerSocket server) {
+ this.server = server;
+ }
+
+ String resp = "HTTP/1.1 200 Ok\r\nContent-length: 0\r\n\r\n";
+
+ public void run () {
+ try {
+ Socket s = server.accept ();
+ OutputStream os = s.getOutputStream();
+ os.write (resp.getBytes());
+ } catch (IOException e) {
+ System.out.println (e);
+ }
+ }
+}
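Review bot: The `try` in `main` wraps the setup as well as the call under test, so an `IOException` from `new ServerSocket (0)` or any unrelated connection failure prints "OK" and the test passes without exercising the fix. Only `getInputStream()` should sit inside the catch. The server thread is also non-daemon and blocks in `accept()` if the client fails before connecting, which is presumably the expected path, and neither the `ServerSocket` nor the accepted `Socket` is ever closed. Closing the server socket in a `finally` releases the thread; `run()` should likewise close `s`. The `@summary Light weight HTTP server` tag does not describe what is tested; something like `@summary URL with embedded newline must be rejected with IOException` would.

```java
public static final void main(String[] args) throws Exception {
    // setup failures must fail the test, so they stay outside the inner try
    ServerSocket server = new ServerSocket (0);
    try {
        int port = server.getLocalPort();
        System.out.println ("listening on " + port);
        B6890349 t = new B6890349 (server);
        t.setDaemon (true);
        t.start();
        URL u = new URL ("http://127.0.0.1:"+port+"/foo\nbar");
        HttpURLConnection urlc = (HttpURLConnection)u.openConnection ();
        try {
            urlc.getInputStream();
        } catch (IOException e) {
            System.out.println ("OK");
            return;
        }
        throw new RuntimeException ("Test failed");
    } finally {
        server.close();   // also unblocks accept() in run()
    }
}
// … unchanged: field, constructor, resp, run() …
```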