From 11ce5ceabac935674a95da3ee56cd94a70c626a3 Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Tue, 29 Sep 2020 09:37:38 +0200
Subject: [PATCH 2/2] Incorrect handling of malformed authority component by URIUtils#extractHost
---
 .../apache/http/client/utils/URIUtils.java | 69 ++++++++-----------
 .../http/client/utils/TestURIUtils.java | 6 +-
 2 files changed, 32 insertions(+), 43 deletions(-)
diff --git a/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java b/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java
index 02f8c1ae9..7cbad777c 100644
--- a/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java
+++ b/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java
@@ -334,56 +334,43 @@ public class URIUtils {
 if (uri == null) {
 return null;
 }
- HttpHost target = null;
 if (uri.isAbsolute()) {
- int port = uri.getPort(); // may be overridden later
- String host = uri.getHost();
- if (host == null) { // normal parse failed; let's do it ourselves
+ if (uri.getHost() == null) { // normal parse failed; let's do it ourselves
 // authority does not seem to care about the valid character-set for host names
- host = uri.getAuthority();
- if (host != null) {
+ if (uri.getAuthority() != null) {
+ String content = uri.getAuthority();
 // Strip off any leading user credentials
- final int at = host.indexOf('@');
- if (at >= 0) {
- if (host.length() > at+1 ) {
- host = host.substring(at+1);
- } else {
- host = null; // @ on its own
- }
+ int at = content.indexOf('@');
+ if (at != -1) {
+ content = content.substring(at + 1);
 }
- // Extract the port suffix, if present
- if (host != null) {
- final int colon = host.indexOf(':');
- if (colon >= 0) {
- final int pos = colon + 1;
- int len = 0;
- for (int i = pos; i < host.length(); i++) {
- if (Character.isDigit(host.charAt(i))) {
- len++;
- } else {
- break;
- }
- }
- if (len > 0) {
- try {
- port = Integer.parseInt(host.substring(pos, pos + len));
- } catch (final NumberFormatException ex) {
- }
- }
- host = host.substring(0, colon);
+ final String scheme = uri.getScheme();
+ final String hostname;
+ final int port;
+ at = content.indexOf(":");
+ if (at != -1) {
+ hostname = content.substring(0, at);
+ try {
+ final String portText = content.substring(at + 1);
+ port = !TextUtils.isEmpty(portText) ? Integer.parseInt(portText) : -1;
+ } catch (final NumberFormatException ex) {
+ return null;
 }
+ } else {
+ hostname = content;
+ port = -1;
+ }
+ try {
+ return new HttpHost(hostname, port, scheme);
+ } catch (final IllegalArgumentException ex) {
+ return null;
 }
 }
- }
- final String scheme = uri.getScheme();
- if (!TextUtils.isBlank(host)) {
- try {
- target = new HttpHost(host, port, scheme);
- } catch (final IllegalArgumentException ignore) {
- }
+ } else {
+ return new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
 }
 }
- return target;
+ return null;
 }
 /**
diff --git a/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java b/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java
index e33477fce..8da6a26b2 100644
--- a/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java
+++ b/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java
@@ -256,14 +256,16 @@ public class TestURIUtils {
 Assert.assertEquals(new HttpHost("localhost",8080),
 URIUtils.extractHost(new URI("http://localhost:8080/;sessionid=stuff/abcd")));
- Assert.assertEquals(new HttpHost("localhost",8080),
+ Assert.assertEquals(null,
 URIUtils.extractHost(new URI("http://localhost:8080;sessionid=stuff/abcd")));
- Assert.assertEquals(new HttpHost("localhost",-1),
+ Assert.assertEquals(null,
 URIUtils.extractHost(new URI("http://localhost:;sessionid=stuff/abcd")));
 Assert.assertEquals(null,
 URIUtils.extractHost(new URI("http://:80/robots.txt")));
 Assert.assertEquals(null,
 URIUtils.extractHost(new URI("http://some%20domain:80/robots.txt")));
+ Assert.assertEquals(null,
+ URIUtils.extractHost(new URI("http://blah@goggle.com:80@google.com/")));
 }
 @Test
-- 
2.31.1
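Review bot: The rewritten fallback strips only up to the first `@` and never checks the remainder for another one, so the authority in the new test case is rejected solely because `Integer.parseInt` fails on the text after the colon. When a malformed authority has no colon, `hostname = content` can still contain `@` and is passed to `new HttpHost(...)`; whether that constructor rejects it cannot be seen from this hunk. An explicit guard right after the credential strip, `if (content.indexOf('@') != -1) { return null; }`, together with a matching test case, would make the rejection independent of the port parse and keep this method from disagreeing with other URI consumers about which host is named. `Integer.parseInt` also accepts a leading sign, so port text should be checked to be digits only (or the parsed value range-checked) before it reaches `HttpHost`. The method's signature and Javadoc lie above the hunk.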
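Review bot: The two expectations flipped from a `HttpHost` to `null`, and the added `goggle.com`/`google.com` case, carry no comment saying that a malformed authority is now rejected on purpose, so a later reader could take them for a regression and relax them. A line above the group such as `// malformed authority: extractHost must return null instead of guessing a host` would record the intent. `Assert.assertNull(...)` states the expectation more directly than `Assert.assertEquals(null, ...)`, although the neighbouring context lines already use the latter form. The test method begins above the hunk.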