RFR: 8303965: java.net.http.HttpClient should reset the stream if response headers contain malformed header fields [v2]

Daniel Fuchs dfuchs at openjdk.org
Mon Mar 13 11:09:21 UTC 2023


On Fri, 10 Mar 2023 14:27:21 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> According to RFC 9113:
>> 
>> A malformed request or response is one that is an otherwise valid sequence of HTTP/2 frames but is invalid due to the presence of extraneous frames, prohibited fields or pseudo-header fields, the absence of mandatory pseudo-header fields, the inclusion of uppercase field names, or invalid field names and/or values (in certain circumstances; see [Section 8.2](https://www.rfc-editor.org/rfc/rfc9113#HttpHeaders)).
>> [...]
>> Malformed requests or responses that are detected MUST be treated as a [stream error](https://www.rfc-editor.org/rfc/rfc9113#StreamErrorHandler) ([Section 5.4.2](https://www.rfc-editor.org/rfc/rfc9113#StreamErrorHandler)) of type [PROTOCOL_ERROR](https://www.rfc-editor.org/rfc/rfc9113#PROTOCOL_ERROR).
>> 
>> The current behavior is to close the connection with protocol error. This change makes it reset the stream instead.
>
> Daniel Fuchs has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
> 
>  - add bug id to test
>  - Merge branch 'master' into MalformedResponse-8303965
>  - 8303965

src/java.net.http/share/classes/jdk/internal/net/http/Stream.java line 1607:

> 1605:                 // treated as a stream error (Section 5.4.2) of type
> 1606:                 // PROTOCOL_ERROR.
> 1607:                 onProtocolError(uio.getCause());

Suggestion:

                // reset stream: From RFC 9113, section 8.1
                // Malformed requests or responses that are detected MUST be
                // treated as a stream error (Section 5.4.2) of type
                // PROTOCOL_ERROR.
                onProtocolError(uio.getCause());

src/java.net.http/share/classes/jdk/internal/net/http/common/ValidatingHeadersConsumer.java line 32:

> 30: 
> 31: /*
> 32:  * Checks RFC 7540 rules (relaxed) compliance regarding pseudo-headers.

Suggestion:

 * Checks RFC 9113 rules (relaxed) compliance regarding pseudo-headers.

-------------

PR: https://git.openjdk.org/jdk/pull/12976


More information about the net-dev mailing list