RFR: 8354276: Strict HTTP header validation [v4]
Daniel Jeliński
djelinski at openjdk.org
Tue Apr 29 10:01:00 UTC 2025
On Mon, 28 Apr 2025 14:14:29 GMT, Jaikiran Pai <jpai at openjdk.org> wrote:
>> Daniel Jeliński has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - Fix whitespace
>> - Use ProtocolException for malformed headers
>
> src/java.net.http/share/classes/jdk/internal/net/http/common/HeaderDecoder.java line 34:
>
>> 32:
>> 33: public HeaderDecoder() {
>> 34: super(Context.REQUEST);
>
> It feels a bit odd that a header "decoder" is being used in the context of a request. I then looked at the references of this class and I see that the only place this gets used/instantiated is in the `PushPromiseDecoder` and it then makes sense why the context used here is `REQUEST`.
>
> Do you think it would be better if we changed this `HeaderDecoder` constructor to accept a `Context` param and then have `PushPromiseDecoder` pass it the `Context.REQUEST`? That way it's a bit more clear at the use site, in PushPromiseDecoder, why `Context.REQUEST` gets used.
Right. The HeaderDecoder class is only used as a base class for PushPromiseDecoder, and I'm considering removing one of them in the future. For now I added the `context` parameter.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24569#discussion_r2065972267
More information about the net-dev
mailing list