From e22562ff83c2f92ca37e88c0760449e0fee9a0e9 Mon Sep 17 00:00:00 2001
From: robm
Date: Wed, 18 Jul 2018 16:37:45 -0700
Subject: [PATCH] 8196902: Better HTTP redirection support

Reviewed-by: michaelm
---
 .../www/protocol/http/HttpURLConnection.java | 53 +++++++++++++++++-
 test/lib/testlibrary/jdk/testlibrary/testkeys | Bin 0 -> 4217 bytes
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 test/lib/testlibrary/jdk/testlibrary/testkeys

diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
index 6116faefb..4c5ec78fc 100644
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2686,6 +2686,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
 // doesn't know about proxy.
 useProxyResponseCode = true;
 } else {
+ final URL prevURL = url;
+
 // maintain previous headers, just change the name
 // of the file we're getting
 url = locUrl;
@@ -2714,6 +2716,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
 poster = null;
 if (!checkReuseConnection())
 connect();
+
+ if (!sameDestination(prevURL, url)) {
+ // Ensures pre-redirect user-set cookie will not be reset.
+ // CookieHandler, if any, will be queried to determine
+ // cookies for redirected URL, if any.
+ userCookies = null;
+ userCookies2 = null;
+ }
 } else {
 if (!checkReuseConnection())
 connect();
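Review bot: The comment on the block added in the `@@ -2714,6 +2716,14 @@` hunk says the opposite of what the code does: `// Ensures pre-redirect user-set cookie will not be reset.` is immediately followed by `userCookies = null;`, which is a reset. The intent appears to be that cookies set for the original URL are not re-sent to a different host/port; suggest `// Drop pre-redirect user-set cookies so they are not re-sent to a different host/port.` Unlike the later hunk, this branch clears only the cookie fields and does not touch the `Cookie`/`Authorization` request headers; if that is because the request headers are rebuilt earlier in this branch (outside the hunk), the comment should say so, otherwise the asymmetry looks like a gap. The enclosing method starts and ends outside this hunk.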
@@ -2736,11 +2746,52 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
 }
 requests.set("Host", host);
 }
+
+ if (!sameDestination(prevURL, url)) {
+ // Redirecting to a different destination will drop any
+ // security-sensitive headers, regardless of whether
+ // they are user-set or not. CookieHandler, if any, will be
+ // queried to determine cookies for redirected URL, if any.
+ userCookies = null;
+ userCookies2 = null;
+ requests.remove("Cookie");
+ requests.remove("Cookie2");
+ requests.remove("Authorization");
+
+ // check for preemptive authorization
+ AuthenticationInfo sauth =
+ AuthenticationInfo.getServerAuth(url);
+ if (sauth != null && sauth.supportsPreemptiveAuthorization() ) {
+ // Sets "Authorization"
+ requests.setIfNotSet(sauth.getHeaderName(), sauth.getHeaderValue(url,method));
+ currentServerCredentials = sauth;
+ }
+ }
 }
 }
 return true;
 }

+ /* Returns true iff the given URLs have the same host and effective port. */
+ private static boolean sameDestination(URL firstURL, URL secondURL) {
+ assert firstURL.getProtocol().equalsIgnoreCase(secondURL.getProtocol()):
+ "protocols not equal: " + firstURL + " - " + secondURL;
+
+ if (!firstURL.getHost().equalsIgnoreCase(secondURL.getHost()))
+ return false;
+
+ int firstPort = firstURL.getPort();
+ if (firstPort == -1)
+ firstPort = firstURL.getDefaultPort();
+ int secondPort = secondURL.getPort();
+ if (secondPort == -1)
+ secondPort = secondURL.getDefaultPort();
+ if (firstPort != secondPort)
+ return false;
+
+ return true;
+ }
+
 /* dummy byte buffer for reading off socket prior to closing */
 byte[] cdata = new byte [128];
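Review bot: `sameDestination` compares only host and effective port; the scheme is checked by an `assert`, which is off at runtime unless `-ea` is set, so a redirect that changes scheme but keeps the host and an explicit port would be reported as the same destination and `Cookie`/`Authorization` would be preserved. If cross-scheme redirects are already rejected earlier in the enclosing method (its start is outside this hunk), the helper still should not rely on that silently; replacing the assert with `if (!firstURL.getProtocol().equalsIgnoreCase(secondURL.getProtocol())) return false;` makes a mismatch fail safe, since `false` is the direction that strips the headers. The header comment `/* Returns true iff the given URLs have the same host and effective port. */` should also state that callers use a `false` result to drop credentials, so future edits keep that as the conservative outcome. `Proxy-Authorization` is deliberately left in place here, which is consistent with the proxy not changing on redirect, and a one-line comment saying so next to the three `requests.remove` calls would prevent it being "fixed" later.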
diff --git a/test/lib/testlibrary/jdk/testlibrary/testkeys b/test/lib/testlibrary/jdk/testlibrary/testkeys new file mode 100644 index 0000000000000000000000000000000000000000..4673898e0ae15936ac8b83357b802dc425f0c64c GIT binary patch literal 4217 zcmY+GcQ71|w#QdnvC)H#8l7m_RhI-o5YdU=dv6KROE&82C3-ABB_dcPI*Sm!Z4hmV z)d{OauQ%__d-u+rIcLty=X=ig&of^LoZ63&fCvJo76Fn8L_d!{r63?BD1=i#Acj*j z|HWVkob301Nn}`JIN8i!Jo&fBfp`D!iX22hSO_Nz{tNvf4}qZn$A8V4iRtpA6qk>J z;_pM5K8VxJxS^DK5NCu$fNq_?Ue8s@jFju8m9`u=$(OB$?^Cqh`!d!ah_Em4hEud} zHxPkbCgc?R21$@X8AA=N{%0E_i4@89vaY*9!j4FNXDJ>h+s&XOoYBGU#o?t8g1{q& z_R+`>qOsi);eGN1B?+9UK}d@wcc$&Nj}o`+JDS%;HP=6N3FPJEl*#VBkx3Hx9pHc* z?|L(yeR=*=mc*2Sn!0_=L!U=SxmF#$T>k5e}EQ*waOVLLjUV0thbl#h z++_J*Gd{cL!lW@a{#__ZxbgB@{U7$V9>B<*#k6UUFz%JWdOBn27FYadtOsC%B+0XG zQlYw%H2Gq)(ex}50cD|ZUs8Pt^3zemb7$RA(-2>O-6<`S^JT~AGb?RZt;at(uBZd? zC0Sn`Bw zjwcxUC1%l1QqmlISnIEw^XADL0sD>xToLVeF! z-(^n=o;Bcb*^Zhd`y1GFp)c#-9ws%IDio>{v~%Rj$2Q%n>VaXVh-? zuQ*4^yf5O~o={i)9xbvxbNgA@9vgC^Be0d=IGwyKXM9_sZ? z?S7eq-_@lL{d2EfLy$pLP!%n&JKO12V|-G4Xn?~AGQ{LdgD8W!>DSAGAPeTXJA_}# zP7ve7d~3FEnS$C3xcM$Dmj=N6dI^QCH4qI=Xxq1V+Bc6V0AHCghdjEfjj01%3dKv? 
zwvMR0z^^XViVh$R9eh${nD7&m=doZYl||W@DpcGp|GczqQ>&)$7Q!UfHG~{n;?*3i zAd>GAibPuS7hpL#D_(I#uc`ce_1jl!oo-VJ@`Fct$8l=`y^jSNKN9$G-hf;XhV3cpSRgx!S*XTIWvpn!S{?6c{=GY3 z+|Di%2#mizQ7 z)fCLahk=`}dJ~e`?|(D70X9p?Z~X8e{R40ye&fa3J0v!HC23lxsrEAD#;0{JjuAwr zqMY$s7#zn>UW?;KG6Xq^;pZ;yuf zP%L#&r=^y3_#zPPo|@x^4=|x>-m3fp>&npm@hZP24W+|S2+bSD5od#-{td6g{lr@g z6YlU2w-y%6)T*P`t9;A2JI6ecH`uPBrKvGNmv+Y`wQJ*w{FM?@wK z7tV3wWe+HB&l&oH9?&l5R{v3~wTNgI;e&Ro;e$de_08l`&%Xzs}ZM0rUNfRSvyfNG*Q-;o6^*uN>S5%}P_phyPOx zJhHJ^W(!bG3z@L}?ozYRl~+x19yLGyRahZeVDa&dM?%KDXqY4blO3-Y9KBlk@$u_y z108Im(Fa}$p$Vw4B`=GxMSc&_wq>LdW`XH}&D)|d`RS~t5BwG;(InNnzJ6chY`HLW zs-+XH6;m*V%;0&vT!_*q7LA0_7GohxF1K6`wwKVA%@CGyKZfA=%%0I+2sj z96Ay>Wl+xe*}r1&$ZO_TVOfw7IN8?q$|GEAT?R#ZQJ;UI%}>oV#9?&rMmWo~q6PMp zmH@#olE(JLR&Qn0m*z+74=J6>t$?3GGHDhQ`!0H8@B7r%zzVE&Q?D)_8)d^|WD1$6 z^EAwAWSi*6&+dE=h0l-kJFIVl8AZq(byLU3OTB>{@I%pC<^b6xA$@?Ejz!w)L8N}f z#{o_S{Tv2q(fogbdGvVt6d4 zl)_O#p-VzU!!vKTR1v%86fqk2(a%SVw&tr|4s)fs3(>Qpa;phTU|7}LH1N)=C^5y6 z_&nch1n4d^MB?|bU0qb^fe_}NKe8OOD%7d7@aw@7$^%)vGDh~1O?c7U$G5`t$?vz% zqF3G}ca_#w7=?o}(|?>l%&`0_(Im^l0);>}*L1{!b7J=FDSZfI4|2Ec-h&oBEocsu z%s>@^Wc>UZT1uA|9Y)58@D#%Cz_`;;aRx5!iPWqgrz=zqoQcMh=#~XuWA&p6qcAE~ z8r{d?XuZS@mgULFu5>YR4rAqWJ{?XB$=Kev356~t!rm!ZpvcG#ZL0M*ZHgCR&A;~I zDCu3HiV)U+M>R4!C^Z`;z#rfOum?B+900z6*AR~X$n;P;V%nE39uDkK2~kN2Nl7tr zvA+d@1G)dbL<%f~1L^-F8bSiV-vRoMLhxT15BNVB@8g?F4fNgMUE66JoeZBld=*Id zjQ`De5pa_6kTpK`shyvJsqrH6D+!OVuMB$XD+H|?5#?z9@QeUdax3|@jRN_zqmozW z-8?_%tm9=vc?3SD1|fq~IfB3P;D;|n);^$$(~nQJHCuwT#$h_9L)%q4z1hy;1$d#c z9Dj{V#9-gXrXiE7)jwanHbz^E$WmOoY(sv(n5e#i7EiL`6s!&J zxW)+ZHf1K(I#ixY*jLDqQWai0$fYJ3f-Ej2?I~+>e|f!1>P}UAP!mzX(K(aoO%Pkn8xek(=PlzH^$6tPe$9my z_xN)?^l@-X#dOft{nL(B-{Ivg{E{eIm*T0DS>BSc;)&|P%fZ_#+#MK{k4V9coA1iM zS|&~-av+V5l#h;CidU4?l$#ysxlHyc6d65ieUaqH?M#6&Q0oH>K83|pz)sxn(mkbn z^Z=z{P)c%-A-F=GbT(@aix0BdD=clHx{JL!=ksb_-aj5FbJ#V+_aHoeTLZ8<*JWJ& z3F|f7Vv`>lp~qUfmjcN0q0&>%wT}<95eyVwzi0bW;`ceFUWmL~@!pRsN9%Xj(S5BK zuz%p_l^STRkP^jvwN#fZR?KkXZCT_0+QO_c=e$$Bx>pgWbn{efhZB}a)$)8~5h>?0 
z)0UvyBcLWs6tk-aq>)P0j88f<5pv?^THA&5F1^(v85x{lL^XbtA}u#%lKA6q6;d=Y zWKqZ%43VLC)l4>w+rYz01~PFSVLf~_0#R3l1sHDcz@@&KG}4ix+4;kUYwFc-ynR_| z`lSyH6cHKrMA?=$as&~8tJ>h45?;l=(=h3=zLS1s6dV!sE3Ok|f)s4xXx|x}R-@6E z`smxGl1NU$#~aV*-fvNu8;La2j$^<$vY5^pnXK&o35~_^4V^RwdyR5|`x|H`(^BYj z?wC%(I5`Q9$ICv?hfr`c`f&YpU%_N^o9RC6{Ui{>nPQ_yf}Kjt7r?^aD+?xBYe}i{ zPurWmt<2XXe~H?glU&1AA>{nec+_-bZ#l2L zO6DB3wsA)hr2N{gylH!`M6vPD+6= z_r#T3>3+RS#ySN@Bi}oK>O~ zG-&zk;uD%cGHgX+kCKYR=3?d~H7w)MFR;GFCj`M$CZ6r@`edH55x0uqSZa5i?b34qp&o*!-%Tee zN1Q6l;iD_jUhVn$=nlPk?vq;E0s{Z%Zq0$}TZ)x)s--z4`iy6e$qH&IG5XpZ1&@@e zM3>#(T?aiu5O~igDCR65Z!DN^@KKhGdl|7<*io<4+7t*HZx;UEWqNLlk{n7NLCQDy zjLF{V5E577xbQSH53US`m}KkHR8bZ%T#!|C&~(#Lqy zg}D#LPR!1a1KPGt`YcAWEJqK&k+*l7YHyY^eBO#zb796Q_N-x8 z4o6*a=;7%DKjc;i&1p?TvpL1fy0-@8T}4<+Jwf^9jQcc#@4-Vn(dR5Rd0^pgk95k{OeMJeyyL%+?a! zz$eyiKP{+c8X}#;FC}Dk95szWMoAZIj~qiqfmLjQ53t7gcp7XPWnY;VkTM?C~;CRvBQncG%pt9QwFG(7~LF6DD5HcW%ASDqY z6A9q&_n+G`FRufuk*JSWF0m^P(6t7X6Vo{exhVxxS$Lfw{Wmaq_S8=YiMa@g2%-!B E1