Bug in HttpClient

Severin Gehwolf sgehwolf at redhat.com
Fri Jul 20 07:38:26 UTC 2018 

Adding net-dev

On Fri, 2018-07-20 at 08:52 +0200, Thomas Lußnig wrote:
> Hi,
> i found an bug in JDK 10 with the new HttpClient. It does not handle
> responses wihtout contentlength correctly.
> Normally i would expect that the content is returned even without
> content length. Since i can not open an JDK bug
> i hope some person from the list can do it. Below is an example that
> show the problem.
> 
> Gruß Thomas Lußnig
> import java.io.InputStream;
> import java.io.OutputStream;
> import java.net.InetSocketAddress;
> import java.net.ServerSocket;
> import java.net.Socket;
> import java.net.URI;
> import java.time.Duration; 
> import javax.net.ServerSocketFactory;
> import jdk.incubator.http.HttpClient;
> import jdk.incubator.http.HttpRequest;
> import jdk.incubator.http.HttpResponse; 
> public class Client1 {
>        static void server(final boolean withContentLength) {
>              try(ServerSocket ss =
> ServerSocketFactory.getDefault().createServerSocket()) {
>                     ss.setReuseAddress(true);
>                     ss.bind(new InetSocketAddress("127.0.0.1",80));
>                     final byte[] buf = new byte[120400];
>                     try(Socket s = ss.accept()) {
>                           System.out.println("Accepted:
> "+s.getRemoteSocketAddress());
>                           try(  OutputStream os =
> s.getOutputStream(); InputStream is = s.getInputStream()) {
>                                  is.read(buf);
>                                  is.read(buf);
>                                  os.write("HTTP/1.0 200
> OK\r\nConnection: close\r\nContent-Type: text/xml; charset=UTF-
> 8\r\n".getBytes());
>                                  if(withContentLength)
> os.write("Content-Length: 4\r\n".getBytes());
>                                  os.write("\r\n".getBytes());
>                                  os.write("<x/>".getBytes());
>                                  os.flush();
>                           }
>                     }
>              } catch(final Throwable t) { t.printStackTrace(); }
>       }
>        static void client() {
>              try {
>                     final HttpClient client =
> HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).build();
>                     final HttpResponse<String> response = client
>                             .send(HttpRequest.newBuilder(new URI("htt
> p://127.0.0.1/test")).timeout(Duration.ofMillis(120_000))
>                                 
> .POST(HttpRequest.BodyPublisher.fromString("body")).build(),
> HttpResponse.BodyHandler.asString());
>                     System.out.println("Received reply: " +
> response.statusCode());
>                     System.out.println("Received body: " +
> response.body());
>              } catch(final Throwable t) { t.printStackTrace(); }
>       }
>         public static void main(final String[] args) throws Exception
> {
>              new Thread(()->server(true)).start();
>              client();
>              new Thread(()->server(false)).start();
>              client();
>        }
> }

More information about the security-dev mailing list