[jdk11u-dev] RFR: 8245245: WebSocket can lose the URL encoding of URI query parameters

Daniel Fuchs dfuchs at openjdk.org
Tue Dec 6 13:51:03 UTC 2022


On Wed, 30 Nov 2022 01:52:47 GMT, Michal Karm Babacek <duke at openjdk.org> wrote:

> Proposes to backport [JDK-8245245](https://bugs.openjdk.org/browse/JDK-8245245).
> 
> The backport is clean as far as the actual `OpeningHandshake.java` goes. The test needed a little tweak so as to compile with `SimpleSSLContext` and also to handle the fact that the erroneous response does not bring a response body.
> 
> The test passes with the patch, fails without it.
> 
> 
> $ make clean run-test TEST="jtreg:test/jdk/java/net/httpclient/websocket/HandshakeUrlEncodingTest.java"
> ...
> ==============================
> Test summary
> ==============================
>    TEST                                              TOTAL  PASS  FAIL ERROR   
>    jtreg:test/jdk/java/net/httpclient/websocket/HandshakeUrlEncodingTest.java
>                                                          1     1     0     0   
> ==============================
> TEST SUCCESS
> 
> Stopping sjavac server
> Finished building targets 'clean run-test' in configuration 'linux-x86_64-normal-server-release'
> 
> In addition to that, I compiled and executed the original `WebSocketTest.java` reproducer found on [JDK-8245245](https://bugs.openjdk.org/browse/JDK-8245245) JIRA.
> 
> 
> ## Unpatched Temurin-11.0.17+8  ❌ 
> 
> $ java WebSocketTest 
> Http Request
> http://localhost:8000/?raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz
> Server RequestURI: /?raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz
> WebSocket Request
> ws://localhost:8000/?&raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz
> Server RequestURI: /?&raw=abc+def/ghi=xyz&encoded=abc+def/ghi=xyz
> 
> 
> ## Patched jdk11u ✔ 
> 
> $ java WebSocketTest 
> Http Request
> http://localhost:8000/?raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz
> Server RequestURI: /?raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz
> WebSocket Request
> ws://localhost:8000/?&raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz
> Server RequestURI: /?&raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz
> 
> The patched version correctly leaves the latter part of the query param encoded.

It is important that the test checks the URI received by the server, and that's probably why the body was used here. The server writes the URI it receives in the response body. This provides an end-to-end check that what was received is what we expected to send. Note that the server doesn't actually support WebSocket and that's why it always replies with 400.

-------------

PR: https://git.openjdk.org/jdk11u-dev/pull/1558
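
The encoding loss shown in the reproducer output above can be reproduced with `java.net.URI` alone. This is an added example, not code from the thread, the PR or `OpeningHandshake.java`: the class and method names are hypothetical, and the form-style decoding on the server side is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class QueryEncodingDemo {

    // Lossy: getQuery() returns the decoded query, and the multi-argument
    // constructor only quotes characters that are illegal in a query.
    // '+', '/' and '=' are legal there, so %2B, %2F and %3D are not restored.
    static URI rebuildDecoded(URI u, String scheme) throws URISyntaxException {
        return new URI(scheme, u.getUserInfo(), u.getHost(), u.getPort(),
                       u.getPath(), u.getQuery(), null);
    }

    // Lossless: concatenate the raw components and parse the string as-is.
    static URI rebuildRaw(URI u, String scheme) {
        StringBuilder sb = new StringBuilder(scheme).append("://")
                .append(u.getRawAuthority());
        if (u.getRawPath() != null) sb.append(u.getRawPath());
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        return URI.create(sb.toString());
    }

    // What a server doing form-style decoding (assumption) sees for one parameter.
    static String serverValue(URI u, String name) {
        for (String pair : u.getRawQuery().split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) {
                return URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Same WebSocket URI as in the reproducer output quoted in the thread.
        URI ws = URI.create(
            "ws://localhost:8000/?&raw=abc+def/ghi=xyz&encoded=abc%2Bdef%2Fghi%3Dxyz");
        URI lossy = rebuildDecoded(ws, "http");
        URI exact = rebuildRaw(ws, "http");
        System.out.println("decoded rebuild: " + lossy.getRawQuery());
        System.out.println("raw rebuild:     " + exact.getRawQuery());
        System.out.println("server sees (decoded rebuild): " + serverValue(lossy, "encoded"));
        System.out.println("server sees (raw rebuild):     " + serverValue(exact, "encoded"));
        if (!exact.getRawQuery().equals(ws.getRawQuery())) throw new AssertionError("raw rebuild changed the query");
        if (lossy.getRawQuery().equals(ws.getRawQuery())) throw new AssertionError("expected the decoded rebuild to differ");
    }
}
```

A parameter carrying a Base64 token or a signature is the practical risk here: once `%2B` has become a literal `+`, a server that form-decodes the query reads it as a space and the value no longer matches what the client sent.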

