[
https://issues.apache.org/jira/browse/HTTPCLIENT-1803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tyler Benson updated HTTPCLIENT-1803:
-------------------------------------
Description:
When using URIBuilder's constructor with a malformed url argument, host passed
in by {{setHost}} call not honored.
{quote}
String path = "@notexample.com/mypath"
URI uri = new URIBuilder(path).setHost("example.com").build();
org.junit.Assert.assertEquals("example.com", uri.getHost())
{quote}
This is caused by the original string being passed into the constructor being
treated as the path, but not verifying the presence of a leading {{/}}
character.
This can be seen with other arguments:
{{path = "example"}} -> {{//example.comexample}}
Fix: URIBuilder should ensure path starts with a leading {{/}}.
Reason priority is considered Major:
In our case, this caused a security vulnerability which was discovered by
researcher James Kettle (@albinowax on twitter). The user-provided path was
able to override our specified host, resulting in giving network access to a
sensitive environment. We worked around this in our code by ensuring the
leading {{/}}, but this seems like something better handled by the framework.
PS. If you agree this should be fixed, I'm happy to submit a pull request.
was:
When using URIBuilder's constructor with a malformed url argument, host passed
in by {{setHost}} call not honored.
{quote}
String path = "@notexample.com/mypath"
URI uri = new URIBuilder(path).setHost("example.com").build();
org.junit.Assert.assertEquals("example.com", uri.getHost())
{quote}
This is caused by the original string being passed into the constructor being
treated as the path, but not verifying the presence of a leading {{/}}
character.
This can be seen with other arguments:
{{path = "example"}} -> {{//example.comexample}}
Fix: URIBuilder should ensure path starts with a leading {{/}}.
Reason priority is considered Major:
In our case, this caused a security vulnerability because the user provided
path was able to override our specified host, resulting in giving network
access to a sensitive environment. We worked around this in our code by
ensuring the leading {{/}}, but this seems like something better handled by the
framework.
PS. If you agree this should be fixed, I'm happy to submit a pull request.
> Malformed path not handled well
> -------------------------------
>
> Key: HTTPCLIENT-1803
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (async), HttpClient (classic)
> Affects Versions: 4.5.1
> Reporter: Tyler Benson
>
> When using URIBuilder's constructor with a malformed url argument, host
> passed in by {{setHost}} call not honored.
> {quote}
> String path = "@notexample.com/mypath"
> URI uri = new URIBuilder(path).setHost("example.com").build();
> org.junit.Assert.assertEquals("example.com", uri.getHost())
> {quote}
> This is caused by the original string being passed into the constructor being
> treated as the path, but not verifying the presence of a leading {{/}}
> character.
> This can be seen with other arguments:
> {{path = "example"}} -> {{//example.comexample}}
> Fix: URIBuilder should ensure path starts with a leading {{/}}.
> Reason priority is considered Major:
> In our case, this caused a security vulnerability which was discovered by
> researcher James Kettle (@albinowax on twitter). The user-provided path was
> able to override our specified host, resulting in giving network access to a
> sensitive environment. We worked around this in our code by ensuring the
> leading {{/}}, but this seems like something better handled by the framework.
> PS. If you agree this should be fixed, I'm happy to submit a pull request.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
