diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java index 6116faefb7f2d94ec3576e2845e210fef6b72563..4c5ec78fca25ec82bf0b93d2e8bcb7a86897e666 100644 --- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java +++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -2686,6 +2686,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection { // doesn't know about proxy. useProxyResponseCode = true; } else { + final URL prevURL = url; + // maintain previous headers, just change the name // of the file we're getting url = locUrl; @@ -2714,6 +2716,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection { poster = null; if (!checkReuseConnection()) connect(); + + if (!sameDestination(prevURL, url)) { + // Ensures pre-redirect user-set cookie will not be reset. + // CookieHandler, if any, will be queried to determine + // cookies for redirected URL, if any. + userCookies = null; + userCookies2 = null; + } } else { if (!checkReuseConnection()) connect(); @@ -2736,11 +2746,52 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } requests.set("Host", host); } + + if (!sameDestination(prevURL, url)) { + // Redirecting to a different destination will drop any + // security-sensitive headers, regardless of whether + // they are user-set or not. CookieHandler, if any, will be + // queried to determine cookies for redirected URL, if any. + userCookies = null; + userCookies2 = null; + requests.remove("Cookie"); + requests.remove("Cookie2"); + requests.remove("Authorization"); + + // check for preemptive authorization + AuthenticationInfo sauth = + AuthenticationInfo.getServerAuth(url); + if (sauth != null && sauth.supportsPreemptiveAuthorization() ) { + // Sets "Authorization" + requests.setIfNotSet(sauth.getHeaderName(), sauth.getHeaderValue(url,method)); + currentServerCredentials = sauth; + } + } } } return true; } + /* Returns true iff the given URLs have the same host and effective port. */ + private static boolean sameDestination(URL firstURL, URL secondURL) { + assert firstURL.getProtocol().equalsIgnoreCase(secondURL.getProtocol()): + "protocols not equal: " + firstURL + " - " + secondURL; + + if (!firstURL.getHost().equalsIgnoreCase(secondURL.getHost())) + return false; + + int firstPort = firstURL.getPort(); + if (firstPort == -1) + firstPort = firstURL.getDefaultPort(); + int secondPort = secondURL.getPort(); + if (secondPort == -1) + secondPort = secondURL.getDefaultPort(); + if (firstPort != secondPort) + return false; + + return true; + } + /* dummy byte buffer for reading off socket prior to closing */ byte[] cdata = new byte [128]; diff --git a/test/lib/testlibrary/jdk/testlibrary/testkeys b/test/lib/testlibrary/jdk/testlibrary/testkeys new file mode 100644 index 0000000000000000000000000000000000000000..4673898e0ae15936ac8b83357b802dc425f0c64c Binary files /dev/null and b/test/lib/testlibrary/jdk/testlibrary/testkeys differ