RFR: 8359709: java.net.HttpURLConnection sends unexpected "Host" request header in some cases after JDK-8344190
Jaikiran Pai
jpai at openjdk.org
Tue Jun 17 08:31:30 UTC 2025
On Tue, 17 Jun 2025 07:29:23 GMT, Volkan Yazici <vyazici at openjdk.org> wrote:
>> Can I please get a review for this change which addresses a regression that was introduced in `HttpURLConnection` in Java 24 when we cleaned up the code by removing the references to SecurityManager APIs.
>>
>> When a HTTP request is issued through `java.net.HttpURLConnection`, then the request URL is used to determine the `Host` header to set in the request. By default, the application cannot set a `Host` header to a different value. However the JDK allows a system property to be enabled to allow applications to explicitly set a `Host` request header when issuing the request.
>>
>> Due to an oversight in the change that was done in https://bugs.openjdk.org/browse/JDK-8344190, the `Host` header that is set by the application, may not get used for that request causing this regression. Turns out we don't have tests in this area to catch this issue.
>>
>> The commit in this PR fixes the regression and also introduces a new jtreg test which reproduces the issue and verifies the fix.
>>
>> I've also checked the original change which introduced this regression https://github.com/openjdk/jdk/pull/22232 to see if there's anything else that needs attention. I haven't stopped anything else.
>
> test/jdk/java/net/HttpURLConnection/HostHeaderTest.java line 68:
>
>> 66: final InetSocketAddress addr = new InetSocketAddress(InetAddress.getLoopbackAddress(), 0);
>> 67: server = HttpServer.create(addr, 0);
>> 68: server.createContext("/", new Handler());
>
> I think it might be a good idea to salt the handler path a bit (e.g., with the class name) to avoid unexpected connections from tests running in parallel.
Hello Volkan, the server handler in this test is implemented to allow more than one request during its lifetime. So any unexpected requests from other processes would still allow this test to be unaffected by those requests. Did I misunderstand your suggestion for registering the handler to a test specific context?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25844#discussion_r2151656856
More information about the net-dev
mailing list