-
Notifications
You must be signed in to change notification settings - Fork 38.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encode IPV6 Zone IDs (%) in ReactorServerHttpRequest #30188
Comments
Hi @ls-urs-keller, Thanks for reporting the issue. I converted your example to a test and have confirmed that it fails as you pointed out. We will investigate our options. Related Resources |
@sbrannen Thank you for the quick reply. Our current workaround is to bind to the ipv4 loopback address through |
RFC 6874, Section 2 shows us that
and
I believe Passing Passing an encoded URI seems to work fine: UriComponentsBuilder
.fromUri(URI.create("http://[0:0:0:0:0:0:0:1%250]:8082/graphql"))
.build(true); as does passing UriComponentsBuilder
.fromUri(URI.create("http://[0:0:0:0:0:0:0:1%0]:8082/graphql"))
.build(false); // or build() @ls-urs-keller Where does the URI that triggers this behavior come from? Can you provide a stack trace? I am guessing it is from Reactor Netty, but I'd like to be sure. In any case, the code that creates that URI should be fixed to properly encode the I also think that a bug should be reported to OpenJDK, as |
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed. |
This is a bit of a tricky topic. Section 3, Web Browsers in RFC-6874 states the following (emphasis mine).
Thus, it would appear that the JDK team took the same approach in // Special case of server authority that represents an IPv6 address
// In this case, a % does not signify an escape sequence
private static final long L_SERVER_PERCENT
// 2) The only place where a percent can be followed by anything
// other than hexadecimal digits is in the authority component
// (for a IPv6 scope) and the whole authority component is case
// insensitive.
percentNormalizedComparison(String, String, boolean)
// Exception: any "%" found between "[]" is left alone. It is an IPv6 literal
// with a scope_id
//
decode(String) However, Section 3 of RFC-6874 goes on to say:
So, I suppose it's a question of context. In any case, I'm wondering if @rstoyanchev, @poutsma, @jhoeller: thoughts? |
I think you're right, I'll see what I can do about relaxing that check. However, there's two parts to the Robustness principe, not just "be liberal with what you accept", but also "be conservative in what you produce". So you could argue that @ls-urs-keller Even though we're going to fix this, I'd still like to know the source of that URI. If it is coming from Spring or Reactor, we should fix the code that produces the URI that as well. |
Should this be backported to |
I am not sure why, considering it's not a bug. My initial though was to assign it to 6.1 even. |
Good point: it's not a bug. So 6.0.x or 6.1 sounds good. |
After discussion with @bclozel, we have come to the conclusion that this is a regression, most likely caused by 9624ea3. This commit removed the encoding performed by the multi argument Reading back at the arguments for making The fact that Finally, there are plenty of places where Considering all that, I think the way to proceed is to fix the regression in |
Fixed by adding custom encoding logic for the hostname. I could not similar logic use Since I also moved all URI-creation logic into a separate helper class, as it was getting quite significant. |
A fix has been applied in ReactorServerHttpRequest for 5.3.x as well in #30314, simply undoing the optimization. |
@poutsma the problem was present in spring boot 3.0.3 and disappeared in 3.0.4. Here is a reproducer project, instructions in the Readme.md: Stacktrace:
|
Thank you for providing that sample, @ls-urs-keller, it helped us verify that the current Framework branches are not affected by this bug. The culprit seems to have been the fix for #28601, which was introduced in 6.0.5, but revised in 6.0.6. |
|
Affects: 6.0.7 (spring-web)
Fails with
The code doesn't handle the ipv6 address zone id / scope id correctly.
The text was updated successfully, but these errors were encountered: