[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068078#comment-16068078
 ] 

Artem Nakonechnyy commented on HTTPCLIENT-1860:
-----------------------------------------------

I'd say that parameter would be useful for anybody dealing with potentially 
malicious resources. Currently such a use case is supported via header section 
limits (length and count settings of MessageConstraints), and body limit 
(InputStream limiting). What's missing is a pre-status-line (pre-headers) limit: 
you're not protected unless you set it up, right?
The header and body limits are easy to set up, while the pre-status-line limit 
is hard to set up.

Another argument: conceptually, MessageConstraints allows for full header 
section limiting, but allows only partial limiting for pre-headers: it only 
allows limiting the line length (MessageConstraints.maxLineLength applies to 
pre-headers), not the number of lines, while it's also a part 
of the message.

> Simplify pre-status-line garbage rejection config
> -------------------------------------------------
>
>                 Key: HTTPCLIENT-1860
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1860
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>            Reporter: Artem Nakonechnyy
>         Attachments: LeadingGarbageLimiter.java
>
>
> I'm building HttpClient via HttpClientBuilder, version is 
> httpclient-4.5.3.jar.
> By default there is no limit on the amount of garbage before status line (see 
> DefaultHttpResponseParser#reject). I'd like to set one: no more than X lines.
> The documentation says I'm to provide a custom DefaultHttpResponseParser. So 
> far so good: I'm just to override one method. But to plug my 
> DefaultHttpResponseParser in I have to do a lot of things. I have to 
> instantiate/configure/provide (hereinafter "deal with") a handful of other 
> objects. Specifically:
> - I have to implement my HttpMessageParserFactory that returns my 
> DefaultHttpResponseParser, for that I also have to provide LineParser and 
> HttpResponseFactory.
> - then I create ManagedHttpClientConnectionFactory that returns my 
> HttpMessageParserFactory 
> - then I create PoolingHttpClientConnectionManager where I put 
> ManagedHttpClientConnectionFactory. And for that I also have to deal with 
> Registry<ConnectionSocketFactory>, PublicSuffixMatcher, HostnameVerifier, 
> SSLConnectionSocketFactory, SchemePortResolver, DnsResolver; plus timeToLive 
> config property
> - also I must not forget to set the same publicSuffixMatcher on 
> HttpClientBuilder, as it's used not only for ConnectionManager configuration
> The full required code is attached (LeadingGarbageLimiter.java).
> Not only is that hard, but having to deal with so much stuff my code 
> becomes more fragile to potential API changes.
> As an API client I'd very much appreciate some single-line config for such 
> a simple tweak as the limit we're talking about.
> I'd propose to add {{int maxGarbageBeforeStatusLine}} to MessageConstraints, 
> it naturally fits there alongside the existing {{maxLineLength}} and 
> {{maxHeaderCount}} settings.
> And then use the new setting in DefaultHttpResponseParser.
> Then all a client would have to do is 
> {{HttpClientBuilder.create().setMaxGarbageBeforeStatusLine(X)}}.
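
As an added illustration (not code from the issue, its LeadingGarbageLimiter.java attachment, or the project), here is a compact form of the wiring described above for HttpClient 4.5.x, combining a line-count limit in reject() with the existing maxLineLength so the bytes accepted before the status line are bounded. It assumes the default socket factories are acceptable and so uses the single-argument PoolingHttpClientConnectionManager constructor; the class name, MAX_GARBAGE_LINES and the numeric limits are constructed for the example.

```java
import org.apache.http.HttpResponse;
import org.apache.http.config.ConnectionConfig;
import org.apache.http.config.MessageConstraints;
import org.apache.http.impl.DefaultHttpResponseFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.DefaultHttpResponseParser;
import org.apache.http.impl.conn.ManagedHttpClientConnectionFactory;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.impl.io.DefaultHttpRequestWriterFactory;
import org.apache.http.io.HttpMessageParser;
import org.apache.http.io.HttpMessageParserFactory;
import org.apache.http.io.SessionInputBuffer;
import org.apache.http.message.BasicLineParser;
import org.apache.http.util.CharArrayBuffer;

public class GarbageLimitedClient {
    // Hypothetical limit: non-status lines tolerated before the status line.
    static final int MAX_GARBAGE_LINES = 10;

    static CloseableHttpClient build() {
        HttpMessageParserFactory<HttpResponse> parsers = new HttpMessageParserFactory<HttpResponse>() {
            @Override
            public HttpMessageParser<HttpResponse> create(SessionInputBuffer buf, MessageConstraints mc) {
                return new DefaultHttpResponseParser(buf, BasicLineParser.INSTANCE,
                        DefaultHttpResponseFactory.INSTANCE, mc) {
                    @Override
                    protected boolean reject(CharArrayBuffer line, int count) {
                        // count = non-status lines already skipped; returning true
                        // makes the parser fail the response with a ProtocolException.
                        return count >= MAX_GARBAGE_LINES;
                    }
                };
            }
        };
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(
                new ManagedHttpClientConnectionFactory(DefaultHttpRequestWriterFactory.INSTANCE, parsers));
        // maxLineLength also applies to pre-status-line lines, so lines x length is bounded.
        cm.setDefaultConnectionConfig(ConnectionConfig.custom()
                .setMessageConstraints(MessageConstraints.custom()
                        .setMaxLineLength(8192).setMaxHeaderCount(100).build())
                .build());
        return HttpClientBuilder.create().setConnectionManager(cm).build();
    }
}
```

With a connection manager supplied this way, TLS and hostname-verification settings have to be configured on the connection manager itself, which is the extra wiring the issue lists.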


