This is an automated email from the ASF dual-hosted git repository.

dkulp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/main by this push:
     new 333e8b0b1c HttpClient will throw an exception for various restricted 
headers
333e8b0b1c is described below

commit 333e8b0b1c0ae2081392c2872595d15d9c86c5e2
Author: Daniel Kulp <d...@kulp.com>
AuthorDate: Thu May 25 12:17:11 2023 -0400

    HttpClient will throw an exception for various restricted headers
---
 .../apache/cxf/transport/http/HttpClientHTTPConduit.java  | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpClientHTTPConduit.java
 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpClientHTTPConduit.java
index 01fd631afc..2546e24bac 100644
--- 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpClientHTTPConduit.java
+++ 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpClientHTTPConduit.java
@@ -55,6 +55,8 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
+import java.util.TreeSet;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Flow;
@@ -83,7 +85,7 @@ import org.apache.cxf.ws.addressing.EndpointReferenceType;
 
 
 public class HttpClientHTTPConduit extends URLConnectionHTTPConduit {
-
+    private static final Set<String> RESTRICTED_HEADERS = 
getRestrictedHeaders();
     volatile HttpClient client;
     volatile int lastTlsHash = -1;
     volatile URI sslURL;
@@ -96,7 +98,12 @@ public class HttpClientHTTPConduit extends 
URLConnectionHTTPConduit {
         super(b, ei, t);
     }
     
-    
+    private static Set<String> getRestrictedHeaders() {
+        Set<String> headers = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+        headers.addAll(Set.of("Connection", "Content-Length", "Expect", 
"Host", "Upgrade"));
+        return headers;
+    }
+
     private boolean isSslTargetDifferent(URI lastURL, URI url) {
         return !lastURL.getScheme().equals(url.getScheme())
                 || !lastURL.getHost().equals(url.getHost())
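Review bot: The five names in `getRestrictedHeaders()` are hard-coded with no comment on where they come from or how to keep them current. They appear to match the default restricted set of `java.net.http.HttpClient`, and the JDK lets that set be relaxed through the `jdk.httpclient.allowRestrictedHeaders` system property, which this method does not consult, so a deployment that has allowed `Host` there would still have it dropped. I would add a comment above the method such as `// Mirrors java.net.http.HttpClient's default restricted header names; jdk.httpclient.allowRestrictedHeaders is not consulted.` The returned `TreeSet` also stays mutable behind the `static final` field, so wrapping it in an unmodifiable view before returning would make the constant tamper-proof within the class.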
@@ -313,8 +320,8 @@ public class HttpClientHTTPConduit extends 
URLConnectionHTTPConduit {
             for (Map.Entry<String, List<String>>  head : 
h.headerMap().entrySet()) {
                 List<String> headerList = head.getValue();
                 String header = head.getKey();
-                if ("Connection".equals(header)) {
-                    //HttpClient does not allow the Connection header
+                if (RESTRICTED_HEADERS.contains(header)) {
+                    //HttpClient does not allow some restricted headers
                     continue;
                 }
                 if (HttpHeaderHelper.CONTENT_TYPE.equalsIgnoreCase(header)) {
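Review bot: The `continue` under `RESTRICTED_HEADERS.contains(header)` now silently discards `Host`, `Content-Length`, `Expect` and `Upgrade` as well as `Connection`, so a caller who sets one of these on purpose (a `Host` override for virtual-host routing, say) sends a different request than configured, with no trace of why. A fine-level log entry naming the dropped header would make this diagnosable, and the comment could say so: `// HttpClient rejects these headers; they are dropped here and the client supplies its own values`. Separately, `contains(header)` on a `TreeSet` built with `String.CASE_INSENSITIVE_ORDER` throws a `NullPointerException` for a null key, whereas the old `"Connection".equals(header)` was null-safe. If `h.headerMap()` can ever hold a null key (not visible here), guard with `if (header != null && RESTRICTED_HEADERS.contains(header))`. The loop starts before this hunk and continues past it.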
