RFR: 8275534: com.sun.net.httpserver.BasicAuthenticator should check whether "realm" is a quoted string
Daniel Fuchs
dfuchs at openjdk.java.net
Fri Oct 29 09:33:19 UTC 2021
On Tue, 26 Oct 2021 12:46:31 GMT, Julia Boes <jboes at openjdk.org> wrote:
> This change ensures that the realm string passed to the BasicAuthenticator constructor is a quoted-string, as per RFC7230 [1]. A Utils class is added to jdk.httpserver/sun.net.httpserver that holds the new isQuotedString() method and the pre-existing isValidName() method (previously in ServerImpl.)
> Two tests are included:
> - BasicAuthenticatorRealm.java to check that Latin-1 chars in the realm string are transported correctly,
> - BasicAuthenticatorExceptionCheck.java to check realm strings with escaped quotes.
>
> Testing: tier 1-3.
>
> [1] https://datatracker.ietf.org/doc/html/rfc7230
src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java line 77:
> 75: * <p>Where a backslash ("\") is used as quoting mechanism within the realm
> 76: * string, it must be escaped by two preceding backslashes, for example
> 77: * {@code "foo\\\"bar\\\""} will be embedded as {@code "foo\"bar\""}.
I would drop this sentence as I find it confusing - even though I understand what you are trying to say.
I would replace it with something like:
The value of the {@code realm} parameter will be embedded in a quoted string. Any quote it contains must be escaped by the caller.
src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java line 90:
> 88: if (realm.isEmpty()) // implicit NPE check
> 89: throw new IllegalArgumentException("realm must not be empty");
> 90: if (!isQuotedString(realm))
A better name for the method would be `isQuotedStringContent()`?
src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java line 76:
> 74: * Validates an RFC 7230 quoted-string.
> 75: */
> 76: public static boolean isQuotedString(String token) {
See my comment about the method name above.
src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java line 78:
> 76: public static boolean isQuotedString(String token) {
> 77: for (int i = 0; i < token.length(); i++) {
> 78: char c = token.charAt(i);
For the value it would probably be more correct to work with the bytes returned by `getBytes(StandardCharsets.ISO_8859_1)` rather than with Java UTF-16 chars. I don't think UTF-16 is a superset of ISO-8859-1.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6117
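The two review points above (the method validates the content that goes between the quotes, and the check should reason about ISO-8859-1 bytes rather than UTF-16 chars) can be put together in one small validator. The following is an added example, not the PR's Utils class or the JDK's code; the class and method name `QuotedStringCheck.isQuotedStringContent` are hypothetical. It follows the RFC 7230 grammar for `*( qdtext / quoted-pair )` over the Latin-1 encoding of the realm. One caveat it handles explicitly: `String.getBytes(StandardCharsets.ISO_8859_1)` does not fail on characters above U+00FF, it silently substitutes `?`, so such characters are rejected up front instead of being quietly rewritten into a header value.

```java
import java.nio.charset.StandardCharsets;

public final class QuotedStringCheck {

    // Hypothetical helper (not the JDK's Utils.isQuotedString): validates the
    // content that will sit between the DQUOTEs of an RFC 7230 quoted-string,
    // i.e.  *( qdtext / quoted-pair ). The caller is responsible for escaping
    // any quote or backslash it wants to embed literally.
    public static boolean isQuotedStringContent(String realm) {
        // ISO-8859-1 covers U+0000..U+00FF only. getBytes() would replace anything
        // above that with '?' rather than throwing, so reject it here.
        for (int i = 0; i < realm.length(); i++) {
            if (realm.charAt(i) > 0xFF) {
                return false;
            }
        }
        byte[] bytes = realm.getBytes(StandardCharsets.ISO_8859_1);
        for (int i = 0; i < bytes.length; i++) {
            int b = bytes[i] & 0xFF;
            if (b == '\\') {
                // quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
                if (i + 1 >= bytes.length) {
                    return false; // lone trailing backslash has nothing to quote
                }
                int next = bytes[++i] & 0xFF;
                if (!(next == '\t' || next == ' '
                        || (next >= 0x21 && next <= 0x7E)   // VCHAR
                        || next >= 0x80)) {                  // obs-text
                    return false;
                }
            } else if (!isQdtext(b)) {
                // an unescaped DQUOTE (0x22), a control byte or DEL lands here
                return false;
            }
        }
        return true;
    }

    // qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
    // obs-text = %x80-FF
    private static boolean isQdtext(int b) {
        return b == '\t' || b == ' ' || b == 0x21
                || (b >= 0x23 && b <= 0x5B)
                || (b >= 0x5D && b <= 0x7E)
                || b >= 0x80;
    }

    // Constructed sample realms: plain ASCII, the escaped form from the javadoc,
    // an unescaped quote, a Latin-1 accented char, a char outside Latin-1, and a
    // dangling backslash.
    public static void main(String[] args) {
        String[] samples = {
            "foo",
            "foo\\\"bar\\\"",   // Java literal for  foo\"bar\"
            "foo\"bar",         // unescaped DQUOTE
            "caf\u00e9",        // 0xE9 is obs-text
            "\u20ac",           // EURO SIGN, not representable in ISO-8859-1
            "foo\\"             // trailing backslash
        };
        for (String s : samples) {
            System.out.println("[" + s + "] -> " + isQuotedStringContent(s));
        }
    }
}
```

Run it with `java QuotedStringCheck.java` (JDK 11 or later). The samples with an unescaped quote, a trailing backslash or a character outside Latin-1 are rejected, while the escaped form from the javadoc and the accented Latin-1 realm pass, which is the behaviour the tests listed in the PR description are looking for.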