[ 
https://issues.apache.org/jira/browse/OLINGO-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jan Speckamp updated OLINGO-1422:
---------------------------------
    Description: 
In some cases the ODataHttpHandlerImpl in server-core tries to determine the 
start of the ODataPath (separating the protocol/host from the odata part) by 
String matching a given ContextPath/ServletPath against the raw URI.

If the hostname contains the same String used by the ServletPath as a 
substring, the used *indexOf()* function returns a wrong index (first match 
wins) and the URL is split up (and consequently parsed) wrong. A part of the 
hostname is mistaken for the start of the ODataPath.

The offending lines are:
 *org.apache.olingo.server.core.ODataHttpHandlerImpl:278 ([github 
link|https://github.com/apache/olingo-odata4/blob/a1dfb5596b4266f30ae503d3d3e116f269561640/lib/server-core/src/main/java/org/apache/olingo/server/core/ODataHttpHandlerImpl.java#L277])*
{code:java}
}else if(!"".equals(httpRequest.getServletPath())) {
    int beginIndex = rawRequestUri.indexOf(httpRequest.getServletPath()) + httpRequest.getServletPath().length();
    rawODataPath = rawRequestUri.substring(beginIndex);
}
{code}

 

*org.apache.olingo.server.core.ODataHttpHandlerImpl:281 ([github 
link|https://github.com/apache/olingo-odata4/blob/a1dfb5596b4266f30ae503d3d3e116f269561640/lib/server-core/src/main/java/org/apache/olingo/server/core/ODataHttpHandlerImpl.java#L281])*
{code:java}
}else if(!"".equals(httpRequest.getContextPath())) {
    int beginIndex = rawRequestUri.indexOf(httpRequest.getContextPath()) + httpRequest.getContextPath().length();
    rawODataPath = rawRequestUri.substring(beginIndex);
}
{code}
This is relevant as it prevents URLs such as "test.demo.org:8080/test/" from 
being used when a ContextPath/ServletPath is set (e.g. in Spring environments). 
Olingo will always throw an UriParserSyntaxException("Unexpected start of 
resource-path segment.") for every request. In Docker environments the host is 
also often given as plaintext, e.g. "demoservice:8081/demo" for a container 
named demoservice, which also breaks due to wrong matching.

Suggested Fixes:
  - Do not rely upon simple String matching with indexOf() for separating 
protocol/host/ContextPath/ServletPath from ODataPath.

  was:
In some cases the ODataHttpHandlerImpl in server-core tries to determine the 
start of the ODataPath (separating the protocol/host from the odata part) by 
String matching a given ContextPath/ServletPath against the raw URI.

If the hostname contains the same String used by the ServletPath as a 
substring, the used indexOf() function returns a wrong index (first match wins) 
and the URL is split up (and consequently parsed) wrong. A part of the hostname 
is mistaken for the start of the ODataPath.

The offending lines are:
 *org.apache.olingo.server.core.ODataHttpHandlerImpl:278 ([github 
link|https://github.com/apache/olingo-odata4/blob/a1dfb5596b4266f30ae503d3d3e116f269561640/lib/server-core/src/main/java/org/apache/olingo/server/core/ODataHttpHandlerImpl.java#L277])*

 *org.apache.olingo.server.core.ODataHttpHandlerImpl:281 ([github 
link|https://github.com/apache/olingo-odata4/blob/a1dfb5596b4266f30ae503d3d3e116f269561640/lib/server-core/src/main/java/org/apache/olingo/server/core/ODataHttpHandlerImpl.java#L281])*

This is relevant as it prevents URLs such as "test.demo.org:8080/test/" from 
being used when a ContextPath/ServletPath is set (e.g. in Spring environments). 
Olingo will always throw an UriParserSyntaxException("Unexpected start of 
resource-path segment.") for every request. In Docker environments the host is 
also often given as plaintext, e.g. "demoservice:8081/demo" for a container 
named demoservice, which also breaks due to wrong matching.

Suggested Fixes:
  - Do not rely upon simple String matching with indexOf() for separating 
protocol/host/ContextPath/ServletPath from ODataPath.


> Incorrect URL Parsing in ODataHttpHandlerImpl when given 
> ContextPath/ServletPath
> --------------------------------------------------------------------------------
>
>                 Key: OLINGO-1422
>                 URL: https://issues.apache.org/jira/browse/OLINGO-1422
>             Project: Olingo
>          Issue Type: Bug
>          Components: odata4-server
>    Affects Versions: (Java) V4 4.6.0, (Java) V4 4.7.0, (Java) V4 4.8.0
>            Reporter: Jan Speckamp
>            Priority: Minor
>
> In some cases the ODataHttpHandlerImpl in server-core tries to determine the 
> start of the ODataPath (separating the protocol/host from the odata part) by 
> String matching a given ContextPath/ServletPath against the raw URI.
> If the hostname contains the same String used by the ServletPath as a 
> substring, the used *indexOf()* function returns a wrong index (first match 
> wins) and the URL is split up (and consequently parsed) wrong. A part of the 
> hostname is mistaken for the start of the ODataPath.
> The offending lines are:
>  *org.apache.olingo.server.core.ODataHttpHandlerImpl:278 ([github 
> link|https://github.com/apache/olingo-odata4/blob/a1dfb5596b4266f30ae503d3d3e116f269561640/lib/server-core/src/main/java/org/apache/olingo/server/core/ODataHttpHandlerImpl.java#L277])*
> {code:java}
> }else if(!"".equals(httpRequest.getServletPath())) {
>     int beginIndex = rawRequestUri.indexOf(httpRequest.getServletPath()) + httpRequest.getServletPath().length();
>     rawODataPath = rawRequestUri.substring(beginIndex);
> }
> {code}
>  
> *org.apache.olingo.server.core.ODataHttpHandlerImpl:281 ([github 
> link|https://github.com/apache/olingo-odata4/blob/a1dfb5596b4266f30ae503d3d3e116f269561640/lib/server-core/src/main/java/org/apache/olingo/server/core/ODataHttpHandlerImpl.java#L281])*
> {code:java}
> }else if(!"".equals(httpRequest.getContextPath())) {
>     int beginIndex = rawRequestUri.indexOf(httpRequest.getContextPath()) + httpRequest.getContextPath().length();
>     rawODataPath = rawRequestUri.substring(beginIndex);
> }
> {code}
> This is relevant as it prevents URLs such as "test.demo.org:8080/test/" from 
> being used when a ContextPath/ServletPath is set (e.g. in Spring 
> environments). Olingo will always throw 
> an UriParserSyntaxException("Unexpected start of resource-path segment.") for 
> every request. In Docker environments the host is also often given as 
> plaintext, e.g. "demoservice:8081/demo" for a container named demoservice, 
> which also breaks due to wrong matching.
> Suggested Fixes:
>   - Do not rely upon simple String matching with indexOf() for separating 
> protocol/host/ContextPath/ServletPath from ODataPath.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
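
The mis-split described in this issue, reproduced as an added example (not Olingo's code and not a patch from the reporter), next to one way to anchor the prefix on the parsed path component so that nothing in the host part can reach the OData path parser. Assumptions: the raw request URI carries the scheme, so the `//` before the host supplies the leading slash of the first match; the class and method names and the `Products` segment are hypothetical.

```java
import java.net.URI;

public class ODataPathSplitDemo {

    // Same logic as the lines quoted in the issue: first match of the
    // servlet/context path anywhere in the raw URI, host part included.
    static String splitWithIndexOf(String rawRequestUri, String prefix) {
        int beginIndex = rawRequestUri.indexOf(prefix) + prefix.length();
        return rawRequestUri.substring(beginIndex);
    }

    // Assumed alternative: parse the URI first, then require the prefix to
    // sit at the very start of the path component, on a segment boundary.
    static String splitOnPathComponent(String rawRequestUri, String prefix) {
        String path = URI.create(rawRequestUri).getRawPath();
        if (path == null || !path.startsWith(prefix)) {
            throw new IllegalArgumentException("request path is not under " + prefix);
        }
        String rest = path.substring(prefix.length());
        if (!rest.isEmpty() && rest.charAt(0) != '/') {
            // e.g. prefix "/test" must not match the path "/testing/Products"
            throw new IllegalArgumentException("prefix does not end on a segment boundary");
        }
        return rest;
    }

    public static void main(String[] args) {
        // Constructed inputs; hosts and prefixes follow the two cases in the report,
        // plus one host that does not contain the prefix.
        String[][] cases = {
            {"http://test.demo.org:8080/test/Products", "/test"},
            {"http://demoservice:8081/demo/Products", "/demo"},
            {"http://localhost:8080/test/Products", "/test"},
        };
        for (String[] c : cases) {
            System.out.println(c[0]);
            System.out.println("  indexOf split : " + splitWithIndexOf(c[0], c[1]));
            System.out.println("  path split    : " + splitOnPathComponent(c[0], c[1]));
        }
    }
}
```

Comparing against `getRawPath()` assumes the configured prefix contains no percent-encoded characters; a deployment that does would need to normalise both sides the same way before the comparison.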
