提交 e22562ff 编写于 作者: R robm

8196902: Better HTTP redirection support

Reviewed-by: michaelm
上级 a46cbbdb
/* /*
* Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -2686,6 +2686,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection { ...@@ -2686,6 +2686,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
// doesn't know about proxy. // doesn't know about proxy.
useProxyResponseCode = true; useProxyResponseCode = true;
} else { } else {
final URL prevURL = url;
// maintain previous headers, just change the name // maintain previous headers, just change the name
// of the file we're getting // of the file we're getting
url = locUrl; url = locUrl;
...@@ -2714,6 +2716,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection { ...@@ -2714,6 +2716,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
poster = null; poster = null;
if (!checkReuseConnection()) if (!checkReuseConnection())
connect(); connect();
if (!sameDestination(prevURL, url)) {
// Ensures pre-redirect user-set cookie will not be reset.
// CookieHandler, if any, will be queried to determine
// cookies for redirected URL, if any.
userCookies = null;
userCookies2 = null;
}
} else { } else {
if (!checkReuseConnection()) if (!checkReuseConnection())
connect(); connect();
...@@ -2736,11 +2746,52 @@ public class HttpURLConnection extends java.net.HttpURLConnection { ...@@ -2736,11 +2746,52 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
} }
requests.set("Host", host); requests.set("Host", host);
} }
if (!sameDestination(prevURL, url)) {
// Redirecting to a different destination will drop any
// security-sensitive headers, regardless of whether
// they are user-set or not. CookieHandler, if any, will be
// queried to determine cookies for redirected URL, if any.
userCookies = null;
userCookies2 = null;
requests.remove("Cookie");
requests.remove("Cookie2");
requests.remove("Authorization");
// check for preemptive authorization
AuthenticationInfo sauth =
AuthenticationInfo.getServerAuth(url);
if (sauth != null && sauth.supportsPreemptiveAuthorization() ) {
// Sets "Authorization"
requests.setIfNotSet(sauth.getHeaderName(), sauth.getHeaderValue(url,method));
currentServerCredentials = sauth;
}
}
} }
} }
return true; return true;
} }
/* Returns true iff the given URLs have the same host and effective port. */
private static boolean sameDestination(URL firstURL, URL secondURL) {
assert firstURL.getProtocol().equalsIgnoreCase(secondURL.getProtocol()):
"protocols not equal: " + firstURL + " - " + secondURL;
if (!firstURL.getHost().equalsIgnoreCase(secondURL.getHost()))
return false;
int firstPort = firstURL.getPort();
if (firstPort == -1)
firstPort = firstURL.getDefaultPort();
int secondPort = secondURL.getPort();
if (secondPort == -1)
secondPort = secondURL.getDefaultPort();
if (firstPort != secondPort)
return false;
return true;
}
/* dummy byte buffer for reading off socket prior to closing */ /* dummy byte buffer for reading off socket prior to closing */
byte[] cdata = new byte [128]; byte[] cdata = new byte [128];
......
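Review bot: `sameDestination` relies on an `assert` alone to establish that both URLs share a scheme, and since assertions are disabled unless the JVM runs with `-ea`, at runtime two URLs differing only in scheme but with the same host and explicit port compare as the same destination, so `Cookie` and `Authorization` would be retained across that redirect. The caller's cross-scheme handling is not visible in these hunks and may already reject such redirects, but the helper would be self-contained with one line in place of the assert: `if (!firstURL.getProtocol().equalsIgnoreCase(secondURL.getProtocol())) return false;`. The branch in the second hunk clears only `userCookies`/`userCookies2`, whereas the third hunk also removes `Cookie`, `Cookie2` and `Authorization` from `requests`; if that first branch does not rebuild `requests` in the lines omitted between the hunks, the `Authorization` header would survive a cross-host redirect there, which is worth confirming. The comment `// Ensures pre-redirect user-set cookie will not be reset.` would read more accurately as `// Ensures pre-redirect user-set cookies are not re-sent to the new destination.`. The enclosing method begins before the first hunk, so its preceding redirect checks are not shown here.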