Jetty 12 HTTP SPI does not preserve double-quotes on valid request headers #10500
Comments
Incidentally, your The
See:
Jetty fails to parse this header fully, and this failure is one of the root causes for this issue.
Opened PR #10503 to address this
I have checked your PR. new QuotedCSV(true, field.getValue()).getValues() in a debugger evaluation would indeed contain the header value with all " intact. I do not know why this "violates" the http1/1 spec. Also, I am not entirely sure I 100% copied the header value from the debugger properly (in regards to the backslash and " situation). I am pretty sure I forgot a trailing " in my original comment, so I have appended it. I do not think it matters that much. I did not check with Wireshark what was actually sent via the TCP socket. I would prefer to not have to do that...
The prior
Surely you meant 11.0.16, not 11.0.6. (you don't want to downgrade to something vulnerable). The errors from QuotedCSV were pointing to the invalid
This missing end quote causes the media-type parameter to be seen as a This is outlined in the following spec sections.
Without that end quote, the parameter parsing flags the If you notice the test cases in the PR, the proper quoting is used to satisfy the In short, leave off that end double quote and double quote parsing rules for
I went ahead and modified the test cases to also test behavior of the RFC defined
Yeah you are correct. I meant 11.0.16. If there is any further regression in jetty that prevents com.sun.xml.ws:jaxws-rt.2.3.2 SOAP Endpoints from working properly Thanks for your help
…`JettyHttpExchangeDelegate` (#10503)
* Issue #10500 - preserve request header quoting when accessed through JettyHttpExchangeDelegate
* improve test cases with quoted-pair feature in RFC
* add skip of value lists on specific headers known to not have value lists
* Remove URL usage
* Changes from review
works with 12.0.2 thanks!
Jetty version(s)
12.01
Jetty Environment
ee10 and org.eclipse.jetty.http.spi
Java version/vendor
(use: java -version)
Java 17, reproducible with any Java 17 version.
OS type/version
Windows 11
Description
A Soap request sets the following header value:
Content-Type: multipart/related;start="<rootpart*[email protected]>";type="application/xop+xml";boundary="uuid:dcb36243-479b-418e-868e-9681dcbedd73";start-info="application/soap+xml;action=\"urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b\""
It is of paramount importance that this header value is preserved AS-IS otherwise the soap request will fail.
Jetty will remove all " chars in this header value.
org.eclipse.jetty.http.spi.JettyHttpExchangeDelegate will do this in the getRequestHeaders() method.
Debugging yielded the following:
field.getValue() does return the correct header value with all quotes.
field.getValues() does return a Collection with 1 element.
The one element is my header but without all my very important " marks.
Upon further inspection it appears that
QuotedCSV list = new QuotedCSV(false, value);
in org.eclipse.jetty.http.HttpField#getValueList removes my " marks.
This behavior did not occur in jetty 11.0.15 and breaks all my soap servers.
My Soap Endpoints are registered via normal Endpoint.publish means and that works with both Jetty 11 and Jetty 12.
The issue of removal of " only occurs in Jetty 12.
The entire getRequestHeaders() method is called by
com.sun.xml.ws.transport.http.server.ServerConnectionImpl#getRequestHeader
of com.sun.xml.ws:jaxws-rt.2.3.2
The code that calls JettyHttpExchangeDelegate looks like this:
return httpExchange.getRequestHeaders().getFirst(headerName);
headerName is as mentioned before "Content-Type"
How to reproduce?
Do anything involving org.eclipse.jetty.http.spi.JettyHttpExchangeDelegate and set the Content-Type header to
multipart/related;start="<rootpart*[email protected]>";type="application/xop+xml";boundary="uuid:dcb36243-479b-418e-868e-9681dcbedd73";start-info="application/soap+xml;action=\"urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b\""
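Why the quotes matter for a header like the one in this report, shown as an added example that is not part of the issue and is not Jetty's code: a standalone splitter whose `keepQuotes` flag is modelled on the boolean passed to `QuotedCSV` above. The class name, the `split` helper and the shortened sample header are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class QuotedParamDemo {
    /** Splits on ';' outside quoted-strings (RFC 9110 quoted-string / quoted-pair).
     *  keepQuotes=false drops the DQUOTEs and resolves quoted-pairs (\x becomes x). */
    static List<String> split(String value, boolean keepQuotes) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (inQuotes && c == '\\' && i + 1 < value.length()) {
                if (keepQuotes) cur.append(c);   // keep the backslash of the quoted-pair
                cur.append(value.charAt(++i));   // the escaped char never toggles quoting
            } else if (c == '"') {
                inQuotes = !inQuotes;
                if (keepQuotes) cur.append(c);
            } else if (c == ';' && !inQuotes) {
                out.add(cur.toString().trim());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        if (inQuotes) throw new IllegalArgumentException("unterminated quoted-string: " + cur);
        out.add(cur.toString().trim());
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample, shortened from the header in the report.
        String wire = "multipart/related;type=\"application/xop+xml\";boundary=\"uuid:1234\";"
            + "start-info=\"application/soap+xml;action=\\\"urn:example:op\\\"\"";
        List<String> kept = split(wire, true);
        List<String> unquoted = split(wire, false);
        System.out.println("kept:     " + kept);
        System.out.println("unquoted: " + unquoted);
        // Rejoining the kept tokens reproduces the wire value; the unquoted ones do not.
        System.out.println("kept round-trips:     " + String.join(";", kept).equals(wire));
        System.out.println("unquoted round-trips: " + String.join(";", unquoted).equals(wire));
        // A consumer re-parsing the unquoted form sees start-info cut at its inner ';'.
        System.out.println("re-parsed: " + split(String.join(";", unquoted), true));
        try {
            split(wire.substring(0, wire.length() - 1), true); // final DQUOTE dropped
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The re-parsed line is the failure a downstream consumer hits: once the outer quotes are gone, `action=` becomes a separate parameter of the multipart type instead of part of `start-info`.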