RFR: 8275534: com.sun.net.httpserver.BasicAuthenticator should check whether "realm" is a quoted string

Julia Boes jboes at openjdk.java.net
Fri Oct 29 12:51:23 UTC 2021


On Tue, 26 Oct 2021 13:56:25 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> This change ensures that the realm string passed to the BasicAuthenticator constructor is a quoted-string, as per RFC7230 [1]. A Utils class is added to jdk.httpserver/sun.net.httpserver that holds the new isQuotedString() method and the pre-existing isValidName() method (previously in ServerImpl.) 
>> Two tests are included:
>> - BasicAuthenticatorRealm.java to check that Latin-1 chars in the realm string are transported correctly,
>> - BasicAuthenticatorExceptionCheck.java to check realm strings with escaped quotes.
>> 
>> Testing: tier 1-3.
>> 
>> [1] https://datatracker.ietf.org/doc/html/rfc7230
>
> src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java line 78:
> 
>> 76:     public static boolean isQuotedString(String token) {
>> 77:         for (int i = 0; i < token.length(); i++) {
>> 78:             char c = token.charAt(i);
> 
> For the value it would probably be more correct to work with the bytes returned by `getBytes(StandardCharsets.ISO_8859_1)` rather than with Java UTF-16 chars - I don't think UTF-16 is a superset of ISO-8859-1

As discussed offline, the string representations are identical < 256 so no need to transliterate.

import java.nio.charset.StandardCharsets;

for (int i = 0; i < 256; i++) {
    // big-endian UTF-16 code unit for code point i (high byte 0, low byte i)
    var s16 = new String(new byte[] {(byte) 0, (byte) i}, StandardCharsets.UTF_16);
    // the same code point as a single ISO-8859-1 byte
    var s88 = new String(new byte[] {(byte) i}, StandardCharsets.ISO_8859_1);
    if (!s16.equals(s88)) throw new RuntimeException("\"%s\" != \"%s\"".formatted(s16, s88));
}

-------------

PR: https://git.openjdk.java.net/jdk/pull/6117
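As an added illustration of the check the thread is about (this is not the PR's Utils.isQuotedString and not code posted by anyone in the thread; the class name RealmCheck and the sample realms are constructed), the following stand-alone program validates a realm against the RFC 7230 quoted-string grammar. It scans Java chars, which is safe for the reason given above, and rejects anything at or above 0x100 because such a character has no ISO-8859-1 encoding and would be mangled in the WWW-Authenticate header; it also rejects a realm whose trailing backslash would escape the closing DQUOTE.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

/**
 * Added example (assumption: not the JDK's own implementation). Checks that a
 * Basic-auth realm is an RFC 7230 quoted-string and is representable in
 * ISO-8859-1, the encoding the header goes out in.
 *
 *   quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
 *   qdtext        = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
 *   quoted-pair   = "\" ( HTAB / SP / VCHAR / obs-text )
 *   obs-text      = %x80-FF
 */
public final class RealmCheck {

    // qdtext: HTAB, SP, printable ASCII except DQUOTE (0x22) and backslash (0x5C), plus obs-text
    private static boolean isQdtext(char c) {
        return c == '\t' || c == ' ' || c == 0x21
                || (c >= 0x23 && c <= 0x5B)
                || (c >= 0x5D && c <= 0x7E)
                || (c >= 0x80 && c <= 0xFF);
    }

    // the single character allowed after a backslash in a quoted-pair
    private static boolean isQuotedPairChar(char c) {
        return c == '\t' || c == ' '
                || (c >= 0x21 && c <= 0x7E)   // VCHAR
                || (c >= 0x80 && c <= 0xFF);  // obs-text
    }

    public static boolean isQuotedString(String s) {
        // must at least be the two surrounding DQUOTEs
        if (s == null || s.length() < 2 || s.charAt(0) != '"' || s.charAt(s.length() - 1) != '"') {
            return false;
        }
        // chars < 0x100 are identical in UTF-16 and ISO-8859-1, so scanning chars
        // is sound as long as anything >= 0x100 is rejected (isQdtext does that)
        for (int i = 1; i < s.length() - 1; i++) {
            char c = s.charAt(i);
            if (c == '\\') {
                // quoted-pair: the escaped char must itself lie inside the quotes,
                // so a backslash directly before the closing DQUOTE is invalid
                i++;
                if (i >= s.length() - 1 || !isQuotedPairChar(s.charAt(i))) {
                    return false;
                }
            } else if (!isQdtext(c)) {
                return false;   // bare DQUOTE, control char, or non-Latin-1 char
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // constructed sample realms: the first four are valid, the rest are rejected
        List<String> samples = List.of(
                "\"realm\"",
                "\"realm with spaces\"",
                "\"caf\u00e9\"",            // U+00E9 is obs-text, fits in ISO-8859-1
                "\"escaped \\\" quote\"",   // quoted-pair inside the string
                "realm",                    // no surrounding DQUOTEs
                "\"bare \" quote\"",        // unescaped DQUOTE inside
                "\"trailing backslash\\\"", // backslash would escape the closing DQUOTE
                "\"\u20ac\"",               // U+20AC has no ISO-8859-1 encoding
                "\"tab\tok ctl\u0001no\""); // HTAB is allowed, 0x01 is not
        for (String realm : samples) {
            boolean ok = isQuotedString(realm);
            // size of what would actually be written into the WWW-Authenticate header
            byte[] wire = realm.getBytes(StandardCharsets.ISO_8859_1);
            System.out.printf("%-28s -> %s (%d bytes on the wire)%n",
                    realm.replace("\t", "\\t").replace("\u0001", "^A"),
                    ok ? "valid" : "REJECTED", wire.length);
        }
    }
}
```

Run it with `java RealmCheck.java` (single-file source launch); the empty realm `""` is accepted, which matches the grammar since zero qdtext characters are allowed between the DQUOTEs.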
