[ https://issues.apache.org/jira/browse/HTTPCLIENT-2197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17477933#comment-17477933 ]
Oleg Kalnichevski commented on HTTPCLIENT-2197: ----------------------------------------------- [~nilsR] Feel free to raise a PR with the changes you would like to propose. Oleg > HTTP client should not accept to send requests nor receive responses with > illegal header names > ---------------------------------------------------------------------------------------------- > > Key: HTTPCLIENT-2197 > URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2197 > Project: HttpComponents HttpClient > Issue Type: Wish > Affects Versions: 4.5.13, 5.1.2 > Reporter: Nils Renaud > Priority: Minor > > h1. Description > Currently the HTTP client (both 1.1 and 2.0) permits to : > - send an HTTP request with an illegal header name > - receive an HTTP response with an illegal header name > h1. Expected behaviour > - The HttpClient should reject such request either during request creation or > request sending. > - The HttpClient should not accept HTTP responses containing illegal HTTP > headers. > h1. The HTTP specification > The [HTTP 1.1 RFC|https://datatracker.ietf.org/doc/html/rfc7230#appendix-B] > says (reordered) : > {noformat} > header-field = field-name ":" OWS field-value OWS > field-name = token > token = 1*tchar > tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / > "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA > {noformat} > And also in [section > 3|https://datatracker.ietf.org/doc/html/rfc7230#section-3] : > {noformat} > A recipient MUST parse an HTTP message as a sequence of octets in an > encoding that is a superset of US-ASCII [USASCII]. > {noformat} > And then [HTTP/2.0 > RFC|https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2] says : > {noformat} > Just as in HTTP/1.x, header field names are strings of ASCII > characters that are compared in a case-insensitive fashion. However, > header field names MUST be converted to lowercase prior to their > encoding in HTTP/2. > {noformat} > h1. Reproducer > I've created an HTTP Client and server both sending this illegal header name > : 😱 (coded as "\uD83D\uDE31" in Java convention) > Here is the Client part I used to reproduce the issue : > {code:java} > try (CloseableHttpClient httpclient = HttpClients.createDefault()) { > HttpGet httpGet = new HttpGet("http://localhost:8282/"); > httpGet.addHeader("\uD83D\uDE31", "aa"); > try (CloseableHttpResponse response1 = httpclient.execute(httpGet)) { > // Sends header "??: aa" > for (final Header header : response1.getHeaders()) { > System.out.println(header.getName() + ": " + header.getValue()); > // print header : "😱: aaa" > } > System.out.println(response1.getCode() + " " + > response1.getReasonPhrase()); > } > } > {code} > And the server code : > {code:java} > ServerSocket server = new ServerSocket(8282, 1, InetAddress.getLocalHost()); > while (true) { > System.out.println("WAITING"); > Socket client = server.accept(); > System.out.println("RECEIVED"); > String content = "HTTP/1.1 200 OK\r\n" > + "\uD83D\uDE31: aaa\r\n" > + "Content-Length: 2\r\n" > + "\r\n" > + "OK"; > client.getOutputStream().write(content.getBytes(StandardCharsets.UTF_8)); > client.getOutputStream().flush(); > client.close(); > } > {code} -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For additional commands, e-mail: dev-h...@hc.apache.org