hc-commits mailing list archives

From ol...@apache.org
Subject svn commit: r411100 - in /jakarta/httpcomponents/httpcore/trunk/src: java/org/apache/http/impl/ java/org/apache/http/impl/io/ java/org/apache/http/params/ java/org/apache/http/util/ test/org/apache/http/util/
Date Fri, 02 Jun 2006 09:12:05 GMT
Author: olegk
Date: Fri Jun  2 02:12:04 2006
New Revision: 411100

URL: http://svn.apache.org/viewvc?rev=411100&view=rev
Log:
Fix for bug HTTPCORE-4: optional header limits to contain OOME risks

Added max header count check

Contributed by Oleg Kalnichevski

Modified:
    jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpClientConnection.java
    jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpServerConnection.java
    jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/io/AbstractHttpDataReceiver.java
    jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/params/HttpConnectionParams.java
    jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/util/HeaderUtils.java
    jakarta/httpcomponents/httpcore/trunk/src/test/org/apache/http/util/TestHeaderUtils.java

Modified: jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpClientConnection.java
URL: http://svn.apache.org/viewvc/jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpClientConnection.java?rev=411100&r1=411099&r2=411100&view=diff
==============================================================================
--- jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpClientConnection.java (original)
+++ jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpClientConnection.java Fri Jun  2 02:12:04 2006
@@ -52,6 +52,7 @@
 import org.apache.http.impl.entity.DefaultEntityDeserializer;
 import org.apache.http.io.CharArrayBuffer;
 import org.apache.http.io.SocketFactory;
+import org.apache.http.params.HttpConnectionParams;
 import org.apache.http.params.HttpParams;
 import org.apache.http.params.HttpProtocolParams;
 import org.apache.http.protocol.HTTP;
@@ -71,6 +72,7 @@
 
     private HttpHost targethost = null;
     private InetAddress localAddress = null;
+    private int maxHeaderCount = -1;
 
     private final CharArrayBuffer buffer; 
     
@@ -134,6 +136,7 @@
                 this.localAddress, 0, 
                 params);
         bind(socket, params);
+        this.maxHeaderCount = params.getIntParameter(HttpConnectionParams.MAX_HEADER_COUNT, -1);
     }
     
     public HttpHost getTargetHost() {
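Review bot: The fallback in `params.getIntParameter(HttpConnectionParams.MAX_HEADER_COUNT, -1)` leaves header parsing unbounded whenever the parameter is not set, so the out-of-memory exposure named in the log stays open by default. The same fallback is used in `DefaultHttpServerConnection.bind`, which is the side that reads requests from remote peers, and `AbstractHttpDataReceiver` now falls back to `-1` for `MAX_LINE_LENGTH` as well. If opt-in is the intent, the new `maxHeaderCount` field deserves a comment saying so, for example `// <= 0 disables the limit; set http.connection.max-header-count to cap headers per message`. The enclosing method begins outside this hunk.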
@@ -286,7 +289,7 @@
 
     protected void readResponseHeaders(final HttpResponse response) 
             throws HttpException, IOException {
-        Header[] headers = HeaderUtils.parseHeaders(this.datareceiver);
+        Header[] headers = HeaderUtils.parseHeaders(this.datareceiver, this.maxHeaderCount);
         for (int i = 0; i < headers.length; i++) {
             response.addHeader(headers[i]);
         }

Modified: jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpServerConnection.java
URL: http://svn.apache.org/viewvc/jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpServerConnection.java?rev=411100&r1=411099&r2=411100&view=diff
==============================================================================
--- jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpServerConnection.java (original)
+++ jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/DefaultHttpServerConnection.java Fri Jun  2 02:12:04 2006
@@ -48,6 +48,7 @@
 import org.apache.http.impl.entity.DefaultEntityDeserializer;
 import org.apache.http.impl.entity.DefaultEntitySerializer;
 import org.apache.http.io.CharArrayBuffer;
+import org.apache.http.params.HttpConnectionParams;
 import org.apache.http.params.HttpParams;
 import org.apache.http.util.HeaderUtils;
 
@@ -63,6 +64,8 @@
 public class DefaultHttpServerConnection 
         extends AbstractHttpConnection implements HttpServerConnection {
 
+    private int maxHeaderCount = -1;
+    
     private final CharArrayBuffer buffer; 
     
     /*
@@ -103,6 +106,7 @@
 
     public void bind(final Socket socket, final HttpParams params) throws IOException {
         super.bind(socket, params);
+        this.maxHeaderCount = params.getIntParameter(HttpConnectionParams.MAX_HEADER_COUNT, -1);
     }
 
     public HttpRequest receiveRequestHeader(final HttpParams params) 
@@ -141,7 +145,7 @@
     
     protected void receiveRequestHeaders(final HttpRequest request) 
             throws HttpException, IOException {
-        Header[] headers = HeaderUtils.parseHeaders(this.datareceiver);
+        Header[] headers = HeaderUtils.parseHeaders(this.datareceiver, this.maxHeaderCount);
         for (int i = 0; i < headers.length; i++) {
             request.addHeader(headers[i]);
         }

Modified: jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/io/AbstractHttpDataReceiver.java
URL: http://svn.apache.org/viewvc/jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/io/AbstractHttpDataReceiver.java?rev=411100&r1=411099&r2=411100&view=diff
==============================================================================
--- jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/io/AbstractHttpDataReceiver.java (original)
+++ jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/impl/io/AbstractHttpDataReceiver.java Fri Jun  2 02:12:04 2006
@@ -57,7 +57,7 @@
     
     private String charset = HTTP.US_ASCII;
     private boolean ascii = true;
-    private int maxLineLen = 0;
+    private int maxLineLen = -1;
     
     protected void init(final InputStream instream, int buffersize) {
         if (instream == null) {
@@ -257,7 +257,7 @@
         this.charset = HttpProtocolParams.getHttpElementCharset(params);
         this.ascii = this.charset.equalsIgnoreCase(HTTP.US_ASCII)
                      || this.charset.equalsIgnoreCase(HTTP.ASCII);
-        this.maxLineLen = params.getIntParameter(HttpConnectionParams.MAX_LINE_LENGTH, 0);
+        this.maxLineLen = params.getIntParameter(HttpConnectionParams.MAX_LINE_LENGTH, -1);
     }
     
 }

Modified: jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/params/HttpConnectionParams.java
URL: http://svn.apache.org/viewvc/jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/params/HttpConnectionParams.java?rev=411100&r1=411099&r2=411100&view=diff
==============================================================================
--- jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/params/HttpConnectionParams.java (original)
+++ jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/params/HttpConnectionParams.java Fri Jun  2 02:12:04 2006
@@ -108,13 +108,23 @@
     public static final String STALE_CONNECTION_CHECK = "http.connection.stalecheck"; 
 
     /**
-     * Determines the maximum line length limit. if set, any HTTP line exceeding this
+     * Determines the maximum line length limit. If set, any HTTP line exceeding this
      * limit will cause an IOException
      * <p>
      * This parameter expects a value of type {@link Integer}.
      * </p>
      */
     public static final String MAX_LINE_LENGTH = "http.connection.max-line-length";
+    
+    /**
+     * Determines the maximum HTTP header count allowed. If set, the number of HTTP 
+     * headers received from the data stream exceeding this limit will cause an 
+     * IOException 
+     * <p>
+     * This parameter expects a value of type {@link Integer}.
+     * </p>
+     */
+    public static final String MAX_HEADER_COUNT = "http.connection.max-header-count";
     
     /**
      */
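Review bot: The Javadoc for `MAX_HEADER_COUNT` does not say what an unset, zero or negative value means, although `HeaderUtils.parseHeaders` documents that zero or a negative value disables the check and both connection classes fall back to `-1`. I would add a sentence such as `A negative value or zero disables the check; this is the default.` It is also worth stating there that the count does not bound the size of an individual header, so it is meant to be set together with `MAX_LINE_LENGTH`. How folded continuation lines count toward either limit is not visible in this diff.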

Modified: jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/util/HeaderUtils.java
URL: http://svn.apache.org/viewvc/jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/util/HeaderUtils.java?rev=411100&r1=411099&r2=411100&view=diff
==============================================================================
--- jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/util/HeaderUtils.java (original)
+++ jakarta/httpcomponents/httpcore/trunk/src/java/org/apache/http/util/HeaderUtils.java Fri Jun  2 02:12:04 2006
@@ -84,12 +84,16 @@
      * format as given in Section 3.1 of RFC 822, RFC-2616 Section 4 and 19.3.
      *  
      * @param datareceiver HTTP data receiver
+     * @param maxCount maximum number of headers allowed. If the number of headers 
+     *        received from the data stream exceeds maxCount value, an IOException 
+     *        will be thrown. Setting this parameter to a negative value or zero 
+     *        will disable the check.   
      * @return array of HTTP headers
      * 
      * @throws HttpException
      * @throws IOException
      */
-    public static Header[] parseHeaders(final HttpDataReceiver datareceiver) 
+    public static Header[] parseHeaders(final HttpDataReceiver datareceiver, int maxCount)
             throws HttpException, IOException {
         if (datareceiver == null) {
             throw new IllegalArgumentException("HTTP data receiver may not be null");
@@ -130,6 +134,9 @@
                 previous = current;
                 current = null;
             }
+            if (maxCount > 0 && headerLines.size() >= maxCount) {
+                throw new IOException("Maximum header count exceeded");
+            }
         }
         Header[] headers = new Header[headerLines.size()];
         for (int i = 0; i < headerLines.size(); i++) {
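Review bot: The new guard `headerLines.size() >= maxCount` appears to run after the current line has been added to `headerLines`, so a message carrying exactly `maxCount` headers is rejected, whereas the Javadoc added in the previous hunk says the exception is thrown when the count exceeds `maxCount`. Either change the comparison to `if (maxCount > 0 && headerLines.size() > maxCount) {` or reword the Javadoc to say the limit is exclusive. The loop begins outside this hunk, so the placement relative to the `add` call is inferred from the visible `previous = current;` branch. `testMaxHeaderCount` uses three headers against a limit of two and passes under both readings.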
@@ -145,6 +152,11 @@
             headers[i] = new BufferedHeader(s, buffer, colon + 1);
         }
         return headers;
+    }
+
+    public static Header[] parseHeaders(final HttpDataReceiver datareceiver) 
+        throws HttpException, IOException {
+        return parseHeaders(datareceiver, -1);
     }
     
 }
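Review bot: The re-added one-argument `parseHeaders(datareceiver)` has no Javadoc and passes `-1`, so any caller still using it parses an unbounded number of headers. A short Javadoc should say that, e.g. `Parses headers without a header count limit; equivalent to parseHeaders(datareceiver, -1).`, and point callers that read from untrusted peers to the two-argument form. Marking it `@deprecated` would be an option if no in-tree caller needs the unlimited form; that cannot be judged from this diff.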

Modified: jakarta/httpcomponents/httpcore/trunk/src/test/org/apache/http/util/TestHeaderUtils.java
URL: http://svn.apache.org/viewvc/jakarta/httpcomponents/httpcore/trunk/src/test/org/apache/http/util/TestHeaderUtils.java?rev=411100&r1=411099&r2=411100&view=diff
==============================================================================
--- jakarta/httpcomponents/httpcore/trunk/src/test/org/apache/http/util/TestHeaderUtils.java (original)
+++ jakarta/httpcomponents/httpcore/trunk/src/test/org/apache/http/util/TestHeaderUtils.java Fri Jun  2 02:12:04 2006
@@ -29,6 +29,8 @@
 
 package org.apache.http.util;
 
+import java.io.IOException;
+
 import org.apache.http.Header;
 import org.apache.http.HeaderElement;
 import org.apache.http.NameValuePair;
@@ -158,5 +160,20 @@
         assertEquals(0, headers.length);
     }
 
+    public void testMaxHeaderCount() throws Exception {
+        String s = 
+            "header1: stuff\r\n" + 
+            "header2: stuff \r\n" + 
+            "header3: stuff\r\n" + 
+            "\r\n"; 
+        HttpDataReceiver receiver = new HttpDataReceiverMockup(s, "US-ASCII");
+        try {
+            HeaderUtils.parseHeaders(receiver, 2);
+            fail("IOException should have been thrown");
+        } catch (IOException ex) {
+            // expected
+        }
+    }
+        
 }
 
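Review bot: `testMaxHeaderCount` only covers three headers against a limit of two, so it pins neither the boundary (exactly as many headers as the limit) nor the disabled case (zero or negative limit). I would add two cases along the lines below. The boundary case encodes the "exceeds" wording of the `parseHeaders` Javadoc and, as far as the `HeaderUtils` hunk shows, would fail against the current `>=` comparison, so its expected value should follow whichever semantics is chosen.

```java
    public void testMaxHeaderCountBoundary() throws Exception {
        String s = 
            "header1: stuff\r\n" + 
            "header2: stuff \r\n" + 
            "\r\n"; 
        HttpDataReceiver receiver = new HttpDataReceiverMockup(s, "US-ASCII");
        // exactly as many headers as the limit
        Header[] headers = HeaderUtils.parseHeaders(receiver, 2);
        assertEquals(2, headers.length);
    }

    public void testMaxHeaderCountDisabled() throws Exception {
        String s = 
            "header1: stuff\r\n" + 
            "header2: stuff \r\n" + 
            "header3: stuff\r\n" + 
            "\r\n"; 
        HttpDataReceiver receiver = new HttpDataReceiverMockup(s, "US-ASCII");
        // zero is documented to disable the check
        Header[] headers = HeaderUtils.parseHeaders(receiver, 0);
        assertEquals(3, headers.length);
    }
```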


