Bug in HttpClient

Chris Hegarty chris.hegarty at oracle.com
Mon Jul 23 11:02:30 UTC 2018 

The following issue has been filed in JIRA to track the problem with 
an HTTP/1.0 response without a Content-Length header:
  
  https://bugs.openjdk.java.net/browse/JDK-8207966

-Chris.

> On 20 Jul 2018, at 08:38, Severin Gehwolf <sgehwolf at redhat.com> wrote:
> 
> Adding net-dev
> 
> On Fri, 2018-07-20 at 08:52 +0200, Thomas Lußnig wrote:
>> Hi,
>> i found an bug in JDK 10 with the new HttpClient. It does not handle
>> responses wihtout contentlength correctly.
>> Normally i would expect that the content is returned even without
>> content length. Since i can not open an JDK bug
>> i hope some person from the list can do it. Below is an example that
>> show the problem.
>> 
>> Gruß Thomas Lußnig
>> import java.io.InputStream;
>> import java.io.OutputStream;
>> import java.net.InetSocketAddress;
>> import java.net.ServerSocket;
>> import java.net.Socket;
>> import java.net.URI;
>> import java.time.Duration; 
>> import javax.net.ServerSocketFactory;
>> import jdk.incubator.http.HttpClient;
>> import jdk.incubator.http.HttpRequest;
>> import jdk.incubator.http.HttpResponse; 
>> public class Client1 {
>>       static void server(final boolean withContentLength) {
>>             try(ServerSocket ss =
>> ServerSocketFactory.getDefault().createServerSocket()) {
>>                    ss.setReuseAddress(true);
>>                    ss.bind(new InetSocketAddress("127.0.0.1",80));
>>                    final byte[] buf = new byte[120400];
>>                    try(Socket s = ss.accept()) {
>>                          System.out.println("Accepted:
>> "+s.getRemoteSocketAddress());
>>                          try(  OutputStream os =
>> s.getOutputStream(); InputStream is = s.getInputStream()) {
>>                                 is.read(buf);
>>                                 is.read(buf);
>>                                 os.write("HTTP/1.0 200
>> OK\r\nConnection: close\r\nContent-Type: text/xml; charset=UTF-
>> 8\r\n".getBytes());
>>                                 if(withContentLength)
>> os.write("Content-Length: 4\r\n".getBytes());
>>                                 os.write("\r\n".getBytes());
>>                                 os.write("<x/>".getBytes());
>>                                 os.flush();
>>                          }
>>                    }
>>             } catch(final Throwable t) { t.printStackTrace(); }
>>      }
>>       static void client() {
>>             try {
>>                    final HttpClient client =
>> HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).build();
>>                    final HttpResponse<String> response = client
>>                            .send(HttpRequest.newBuilder(new URI("htt
>> p://127.0.0.1/test")).timeout(Duration.ofMillis(120_000))
>> 
>> .POST(HttpRequest.BodyPublisher.fromString("body")).build(),
>> HttpResponse.BodyHandler.asString());
>>                    System.out.println("Received reply: " +
>> response.statusCode());
>>                    System.out.println("Received body: " +
>> response.body());
>>             } catch(final Throwable t) { t.printStackTrace(); }
>>      }
>>        public static void main(final String[] args) throws Exception
>> {
>>             new Thread(()->server(true)).start();
>>             client();
>>             new Thread(()->server(false)).start();
>>             client();
>>       }
>> }

More information about the security-dev mailing list