-
Notifications
You must be signed in to change notification settings - Fork 349
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add HTTP/1.1 TE header interceptor and strict client/server option
Implemented a new RequestTE interceptor for validating the TE header in HTTP/1.1 requests, ensuring proper protocol handling. Introduced strict client and server options that allow users to enable additional protocol validation checks, such as the validation of TE headers for HTTP/2 and HTTP/1.1.
- Loading branch information
1 parent
7c59295
commit 925c1f6
Showing
5 changed files
with
486 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
184 changes: 184 additions & 0 deletions
184
httpcore5/src/main/java/org/apache/hc/core5/http/protocol/RequestTE.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,184 @@ | ||
| /* | ||
| * ==================================================================== | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| * ==================================================================== | ||
| * | ||
| * This software consists of voluntary contributions made by many | ||
| * individuals on behalf of the Apache Software Foundation. For more | ||
| * information on the Apache Software Foundation, please see | ||
| * <http://www.apache.org/>. | ||
| * | ||
| */ | ||
|
|
||
| package org.apache.hc.core5.http.protocol; | ||
|
|
||
| import java.io.IOException; | ||
| import java.util.concurrent.atomic.AtomicBoolean; | ||
|
|
||
| import org.apache.hc.core5.annotation.Contract; | ||
| import org.apache.hc.core5.annotation.ThreadingBehavior; | ||
| import org.apache.hc.core5.http.EntityDetails; | ||
| import org.apache.hc.core5.http.Header; | ||
| import org.apache.hc.core5.http.HeaderElements; | ||
| import org.apache.hc.core5.http.HttpException; | ||
| import org.apache.hc.core5.http.HttpHeaders; | ||
| import org.apache.hc.core5.http.HttpRequest; | ||
| import org.apache.hc.core5.http.HttpRequestInterceptor; | ||
| import org.apache.hc.core5.http.ProtocolException; | ||
| import org.apache.hc.core5.http.message.MessageSupport; | ||
| import org.apache.hc.core5.util.Args; | ||
| import org.apache.hc.core5.util.Tokenizer; | ||
|
|
||
| /** | ||
| * HTTP protocol interceptor responsible for validating and processing the {@link HttpHeaders#TE} header field in HTTP/1.1 requests. | ||
| * <p> | ||
| * The {@link HttpHeaders#TE} header is used to indicate transfer codings the client is willing to accept and, in some cases, whether | ||
| * the client is willing to accept trailer fields. This interceptor ensures that the {@link HttpHeaders#TE} header does not include | ||
| * the {@code chunked} transfer coding and validates the presence of the {@code Connection: TE} header. | ||
| * <p> | ||
| * For HTTP/1.1 requests, the {@link HttpHeaders#TE} header can contain multiple values separated by commas and may include quality | ||
| * values (denoted by {@code q=}) separated by semicolons. | ||
| * <p> | ||
| * In case of HTTP/2, this validation is skipped, and another layer of logic handles the specifics of HTTP/2 compliance. | ||
| * | ||
| * @since 5.4 | ||
| */ | ||
| @Contract(threading = ThreadingBehavior.IMMUTABLE) | ||
| public class RequestTE implements HttpRequestInterceptor { | ||
|
|
||
| /** | ||
| * Singleton instance of the {@code RequestTE} interceptor. | ||
| */ | ||
| public static final HttpRequestInterceptor INSTANCE = new RequestTE(); | ||
|
|
||
| /** | ||
| * Delimiter used to parse the {@code TE} header, recognizing both commas (',') and semicolons (';') as delimiters. | ||
| */ | ||
| public static final Tokenizer.Delimiter DELIMITER = Tokenizer.delimiters(',', ';'); | ||
|
|
||
| /** | ||
| * Default constructor. | ||
| */ | ||
| public RequestTE() { | ||
| super(); | ||
| } | ||
|
|
||
| /** | ||
| * Processes the {@code TE} header of the given HTTP request and ensures compliance with HTTP/1.1 requirements. | ||
| * <p> | ||
| * If the {@code TE} header is present, this method validates that: | ||
| * <ul> | ||
| * <li>The {@code TE} header does not include the {@code chunked} transfer coding, which is implicitly supported for HTTP/1.1.</li> | ||
| * <li>The {@code Connection} header includes the {@code TE} directive, as required by the protocol.</li> | ||
| * </ul> | ||
| * | ||
| * @param request the HTTP request containing the headers to validate | ||
| * @param entity the entity associated with the request (may be {@code null}) | ||
| * @param context the execution context for the request | ||
| * @throws HttpException if the {@code TE} header contains invalid values or the {@code Connection} header is missing | ||
| * @throws IOException in case of an I/O error | ||
| */ | ||
| @Override | ||
| public void process(final HttpRequest request, final EntityDetails entity, final HttpContext context) | ||
| throws HttpException, IOException { | ||
| Args.notNull(request, "HTTP request"); | ||
|
|
||
| // Fetch the TE header | ||
| final Header teHeader = request.getFirstHeader(HttpHeaders.TE); | ||
|
|
||
| if (teHeader == null) { | ||
| return; // No further validation needed | ||
| } | ||
|
|
||
| final String teValue = teHeader.getValue(); | ||
| validateTEField(teValue); | ||
| validateConnectionHeaders(request); | ||
| } | ||
|
|
||
| /** | ||
| * Validates the {@link HttpHeaders#TE} header values for compliance with HTTP/1.1. | ||
| * <p> | ||
| * Specifically, this method ensures that: | ||
| * <ul> | ||
| * <li>The {@link HttpHeaders#TE} header does not contain the {@code chunked} transfer coding.</li> | ||
| * <li>The {@code trailers} directive is allowed and treated as valid.</li> | ||
| * </ul> | ||
| * | ||
| * @param teValue the value of the {@code TE} header | ||
| * @throws HttpException if the {@code TE} header contains invalid values | ||
| */ | ||
| private void validateTEField(final String teValue) throws HttpException { | ||
| final Tokenizer.Cursor cursor = new Tokenizer.Cursor(0, teValue.length()); | ||
|
|
||
| while (!cursor.atEnd()) { | ||
| Tokenizer.INSTANCE.skipWhiteSpace(teValue, cursor); | ||
|
|
||
| final String member = Tokenizer.INSTANCE.parseToken(teValue, cursor, DELIMITER); | ||
|
|
||
| if (member.isEmpty()) { | ||
| if (!cursor.atEnd()) { | ||
| Tokenizer.INSTANCE.skipWhiteSpace(teValue, cursor); | ||
| cursor.updatePos(cursor.getPos() + 1); | ||
| } | ||
| continue; | ||
| } | ||
|
|
||
| if ("trailers".equalsIgnoreCase(member)) { | ||
| continue; | ||
| } | ||
|
|
||
| if (HeaderElements.CHUNKED_ENCODING.equalsIgnoreCase(member)) { | ||
| throw new ProtocolException("'chunked' transfer coding must not be listed in the TE header for HTTP/1.1."); | ||
| } | ||
|
|
||
| if (!cursor.atEnd()) { | ||
| Tokenizer.INSTANCE.skipWhiteSpace(teValue, cursor); | ||
| cursor.updatePos(cursor.getPos() + 1); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * Validates the presence of the {@code Connection: TE} header when the {@link HttpHeaders#TE} header is present. | ||
| * <p> | ||
| * If the {@link HttpHeaders#TE} header is used, the HTTP/1.1 protocol requires that the {@link HttpHeaders#CONNECTION} header includes the {@code TE} directive to prevent forwarding by intermediaries. | ||
| * This method now properly handles multiple {@link HttpHeaders#CONNECTION} headers. | ||
| * | ||
| * @param request the HTTP request to validate | ||
| * @throws HttpException if the {@code Connection: TE} header is missing | ||
| */ | ||
| private void validateConnectionHeaders(final HttpRequest request) throws HttpException { | ||
| final Header[] connectionHeaders = request.getHeaders(HttpHeaders.CONNECTION); | ||
| if (connectionHeaders == null || connectionHeaders.length == 0) { | ||
| throw new ProtocolException("The 'TE' header is present, but the 'Connection' header is missing."); | ||
| } | ||
|
|
||
| final AtomicBoolean hasTE = new AtomicBoolean(false); | ||
| for (final Header connectionHeader : connectionHeaders) { | ||
| MessageSupport.parseTokens(connectionHeader, token -> { | ||
| if ("TE".equalsIgnoreCase(token)) { | ||
| hasTE.set(true); | ||
| } | ||
| }); | ||
| } | ||
|
|
||
| if (!hasTE.get()) { | ||
| throw new ProtocolException("The 'Connection' header must include the 'TE' directive when the 'TE' header is present."); | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.