normalizing media URIs before sending the request

Joeri Sykora joeri.sykora at gluonhq.com
Tue Jun 9 11:41:25 UTC 2020 

Hi all,

JavaFX media has support for parsing HLS M3U media playlist files. Such a
m3u (or m3u8) file contains a list of URIs to the actual media files. These
URIs are currently not normalized before the HTTP request is made, which
can cause issues in case the URI contains .. segments. For example, try
loading the following playlist with the JavaFX media player:
https://bcovlive-a.akamaihd.net/r8ceb94e3229b4c0bb2dd461dacb3ab07/us-east-1/6057994532001/playlist.m3u8
It will ultimately try to request the following URL:
https://bcovlive-a.akamaihd.net/r8ceb94e3229b4c0bb2dd461dacb3ab07/us-east-1/6057994532001/../../us-east-1/us-east-1/6057994532001/profile_0/chunklist.m3u8
which fails because the HTTP server responds with a 403 response.

An easy fix is to normalize the URI (see
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URI.html#normalize())
before making the request in the following sections
of HLSConnectionHolder.java:
https://github.com/openjdk/jfx/blob/master/modules/javafx.media/src/main/java/com/sun/media/jfxmedia/locator/HLSConnectionHolder.java#L174
https://github.com/openjdk/jfx/blob/master/modules/javafx.media/src/main/java/com/sun/media/jfxmedia/locator/HLSConnectionHolder.java#L370

This time, the request will succeed and the media can be played by JavaFX.
The only issue with this fix, is that it is a change in existing behaviour.
On the other hand, all browsers that I've tested, first normalize the URI
when loading it. The same is true when loading the URI with cURL or other
media players I've tested. You can simulate the failing behaviour with cURL
when providing the --path-as-is option:

curl -I --path-as-is
https://bcovlive-a.akamaihd.net/r8ceb94e3229b4c0bb2dd461dacb3ab07/us-east-1/6057994532001/../../us-east-1/us-east-1/6057994532001/profile_0/chunklist.m3u8

I have a strong preference of changing the default behaviour to normalize
URIs before making the request. What are your opinions?

-- 
Joeri Sykora

*Gluon*E: joeri.sykora at gluonhq.com

More information about the openjfx-dev mailing list