[
https://issues.apache.org/jira/browse/HTTPCLIENT-2197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17477933#comment-17477933
]
Oleg Kalnichevski commented on HTTPCLIENT-2197:
-----------------------------------------------
[~nilsR] Feel free to raise a PR with the changes you would like to propose.
Oleg
> HTTP client should not accept to send requests nor receive responses with
> illegal header names
> ----------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-2197
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2197
> Project: HttpComponents HttpClient
> Issue Type: Wish
> Affects Versions: 4.5.13, 5.1.2
> Reporter: Nils Renaud
> Priority: Minor
>
> h1. Description
> Currently the HTTP client (both 1.1 and 2.0) permits to :
> - send an HTTP request with an illegal header name
> - receive an HTTP response with an illegal header name
> h1. Expected behaviour
> - The HttpClient should reject such request either during request creation or
> request sending.
> - The HttpClient should not accept HTTP responses containing illegal HTTP
> headers.
> h1. The HTTP specification
> The [HTTP 1.1 RFC|https://datatracker.ietf.org/doc/html/rfc7230#appendix-B]
> says (reordered) :
> {noformat}
> header-field = field-name ":" OWS field-value OWS
> field-name = token
> token = 1*tchar
> tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
> "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
> {noformat}
> And also in [section
> 3|https://datatracker.ietf.org/doc/html/rfc7230#section-3] :
> {noformat}
> A recipient MUST parse an HTTP message as a sequence of octets in an
> encoding that is a superset of US-ASCII [USASCII].
> {noformat}
> And then [HTTP/2.0
> RFC|https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2] says :
> {noformat}
> Just as in HTTP/1.x, header field names are strings of ASCII
> characters that are compared in a case-insensitive fashion. However,
> header field names MUST be converted to lowercase prior to their
> encoding in HTTP/2.
> {noformat}
> h1. Reproducer
> I've created an HTTP Client and server both sending this illegal header name
> : 😱 (coded as "\uD83D\uDE31" in Java convention)
> Here is the Client part I used to reproduce the issue :
> {code:java}
> try (CloseableHttpClient httpclient = HttpClients.createDefault()) {
> HttpGet httpGet = new HttpGet("http://localhost:8282/";);
> httpGet.addHeader("\uD83D\uDE31", "aa");
> try (CloseableHttpResponse response1 = httpclient.execute(httpGet)) {
> // Sends header "??: aa"
> for (final Header header : response1.getHeaders()) {
> System.out.println(header.getName() + ": " + header.getValue());
> // print header : "😱: aaa"
> }
> System.out.println(response1.getCode() + " " +
> response1.getReasonPhrase());
> }
> }
> {code}
> And the server code :
> {code:java}
> ServerSocket server = new ServerSocket(8282, 1, InetAddress.getLocalHost());
> while (true) {
> System.out.println("WAITING");
> Socket client = server.accept();
> System.out.println("RECEIVED");
> String content = "HTTP/1.1 200 OK\r\n"
> + "\uD83D\uDE31: aaa\r\n"
> + "Content-Length: 2\r\n"
> + "\r\n"
> + "OK";
> client.getOutputStream().write(content.getBytes(StandardCharsets.UTF_8));
> client.getOutputStream().flush();
> client.close();
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
