HttpServer API input validation issue

Daniel Fuchs daniel.fuchs at
Tue Oct 19 18:14:22 UTC 2021

Hi Attila,

Right - thanks. If the realm contains a double quote, that quote
should probably be quoted. This is a functional bug.
BasicAuthenticator has been in the JDK since JDK 6.

I have logged

best regards,

-- daniel

On 19/10/2021 18:26, Attila Kelemen wrote:
> Hi,
> I was looking at the code of the new HttpServer API, and stumbled across
> the BasicAuthenticator class. As it is currently, the "realm" field is neither
> validated nor escaped before being put into the HTTP header. I know that
> the risk that this will end up as a security problem is low (especially
> since this API is not supposed to be used in production), but I believe it
> would be best if this is addressed before release.
> Regards,
> Attila Kelemen
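An added illustration of the point raised in the thread (this is example code written for this page, not the JDK's BasicAuthenticator implementation or a patch from either participant). It builds a "Basic realm=..." challenge value the naive way, shows what an embedded double quote does to it, and then puts a quoted-string escaper next to it that backslash-escapes `"` and `\` as RFC 7230 allows and rejects control characters outright, since CR/LF in a header value would let a realm string terminate the header. The class name `RealmQuoting`, the method names, and the realm strings are all constructed for the example.

```java
import java.util.regex.Pattern;

/**
 * Added example, not JDK code: how a realm string ends up inside the
 * WWW-Authenticate challenge, and how to quote it safely.
 */
public final class RealmQuoting {

    private RealmQuoting() {}

    /** Naive construction: the realm is dropped straight into the quoted-string. */
    static String naiveChallenge(String realm) {
        return "Basic realm=\"" + realm + "\"";
    }

    /**
     * RFC 7230 quoted-string: '"' and '\' are escaped with a backslash (quoted-pair).
     * Control characters (including CR and LF) are rejected rather than escaped,
     * because they cannot be represented in a header value; this is slightly
     * stricter than the grammar, which would still permit HTAB.
     */
    static String quoteRealm(String realm) {
        StringBuilder sb = new StringBuilder("Basic realm=\"");
        for (int i = 0; i < realm.length(); i++) {
            char c = realm.charAt(i);
            if (c == '"' || c == '\\') {
                sb.append('\\').append(c);
            } else if (c < 0x20 || c == 0x7F) {
                throw new IllegalArgumentException(
                        "control character 0x" + Integer.toHexString(c) + " in realm");
            } else {
                sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    /**
     * Stricter alternative for validation at construction time: only qdtext
     * characters (RFC 7230 qdtext minus HTAB and obs-text), so the realm can
     * never alter the structure of the header and needs no escaping at all.
     */
    private static final Pattern SAFE_REALM =
            Pattern.compile("[\\x20\\x21\\x23-\\x5B\\x5D-\\x7E]+");

    static boolean isSafeRealm(String realm) {
        return SAFE_REALM.matcher(realm).matches();
    }

    public static void main(String[] args) {
        // Constructed sample realms for the demonstration.
        String benign = "Admin area";
        String withQuote = "Admin \"staging\" area";
        String withCrlf = "x\r\nSet-Cookie: injected=1";

        System.out.println(naiveChallenge(benign));
        // The embedded quote ends the quoted-string early; the rest is
        // interpreted as further auth-params by a strict client parser.
        System.out.println(naiveChallenge(withQuote));
        // Escaped form: Basic realm="Admin \"staging\" area"
        System.out.println(quoteRealm(withQuote));
        System.out.println(isSafeRealm(benign) + " " + isSafeRealm(withQuote));
        try {
            quoteRealm(withCrlf);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether a server chooses to escape (quoteRealm) or to reject anything outside the safe set at construction time (isSafeRealm) is a design choice; the second is simpler to reason about, and a realm is a fixed configuration string rather than user input, so rejecting early costs nothing.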

More information about the jdk-dev mailing list