-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IllegalArgumentException in Headers$Builder.checkNameAndValue() for content-disposition filename response header #1998
Comments
Definitely an issue for me right now -- in my case, its other servers sending us (EDIT: Reverted to 2.4 to avoid the issue for now.) |
any update on this? |
Nothing yet. Is it just redirects and cookies? |
Yeah, we definitely shouldn’t be throwing an unchecked exception here. One problem is that the spec wants us to not interpret header fields, but since we’re exposing a Java API we really want strings.
Handling ISO-8859-1 feels wrong, particularly since the upside of supporting additional characters has the downside of being locked out of UTF-8. Neither stripping non-ASCII characters nor stripping non-ASCII headers feels appropriate. |
Use URLEncoder encode headers before addHeader, it works well for me. |
@zewenwang that only works when you're in control of the headers. If you're sending requests to some site that you don't control and receiving troublesome response headers, it's a much less effective strategy. |
Same problem here. Just got this (anonymous) Google Play crash report:
So, an HTTP request execute call has thrown an I suggest to use checked exceptions instead – maybe subclasses of IOException? For instance, |
This doesn't completely support ISO-8859-1 headers; instead they will most likely be mangled when they are decoded as UTF-8. If we decide we absolutely must support ISO-8859-1 here we can do that in another change. (I'm not currently enthusiastic about this idea.) But this does prevent OkHttp from crashing when it encounters non-ASCII characters in headers for HTTP/2, SPDY, and cached responses. Closes: #1998
Don't know why but I am still getting the error for some Japanese characters in the release 3.3.1. Had the fix released in 3.3.1? |
This relaxes some validation logic newly introduced in the version of OkHttp used in N. This change leaves the character code validation stricter than it was in M by still preventing control codes like \n, \r, backspace and delete. It does allow developers to pass Java characters > 7F to addRequestProperty() and also receive headers from servers which contain characters > 7F. Android's HttpURLConnection does not follow the HTTP spec as it encodes request header values and interprets response headers as UTF-8 and not ISO-8859-1. If a server is expecting or sending ISO-8859-1 encoded characters >7F in headers then these will still be corrupted or misinterpreted by Android. However, this has been the behavior since L and is not changed here. The OkHttp change which caused characters >7F to generate an IllegalArgumentException and partially reverted here: square/okhttp#1785 See also: square/okhttp#1998 square/okhttp#2016 for recent upstream bugs. Bug: 28867041 Bug: https://code.google.com/p/android/issues/detail?id=210205 (cherry picked from commit 75687ca5ae54f417afb4c02ba04767da6786d829) Change-Id: Ib640b58addff4c0c4eac589c77eb74a6bd6b3ec2
This reapplies AOSP commit 3c28a13 There is a chance that we may want to revert this change in future. Previous commit message: This relaxes some validation logic newly introduced in the version of OkHttp used in N. This change leaves the character code validation stricter than it was in M by still preventing control codes like \n, \r, backspace and delete. It does allow developers to pass Java characters > 7F to addRequestProperty() and also receive headers from servers which contain characters > 7F. Android's HttpURLConnection does not follow the HTTP spec as it encodes request header values and interprets response headers as UTF-8 and not ISO-8859-1. If a server is expecting or sending ISO-8859-1 encoded characters >7F in headers then these will still be corrupted or misinterpreted by Android. However, this has been the behavior since L and is not changed here. The OkHttp change which caused characters >7F to generate an IllegalArgumentException and partially reverted here: square/okhttp#1785 See also: square/okhttp#1998 square/okhttp#2016 for recent upstream bugs. Bug: 28867041 Bug: https://code.google.com/p/android/issues/detail?id=210205 (cherry picked from commit 75687ca5ae54f417afb4c02ba04767da6786d829) Change-Id: Id683ec13142f1d7d8792143066f1dd2e5f62cf86
This relaxes some validation logic newly introduced in the version of OkHttp used in N. This change leaves the character code validation stricter than it was in M by still preventing control codes like \n, \r, backspace and delete. It does allow developers to pass Java characters > 7F to addRequestProperty() and also receive headers from servers which contain characters > 7F. Android's HttpURLConnection does not follow the HTTP spec as it encodes request header values and interprets response headers as UTF-8 and not ISO-8859-1. If a server is expecting or sending ISO-8859-1 encoded characters >7F in headers then these will still be corrupted or misinterpreted by Android. However, this has been the behavior since L and is not changed here. The OkHttp change which caused characters >7F to generate an IllegalArgumentException and partially reverted here: square/okhttp#1785 See also: square/okhttp#1998 square/okhttp#2016 for recent upstream bugs. Bug: 28867041 Bug: https://code.google.com/p/android/issues/detail?id=210205 Change-Id: Ibdf14d819411a12fcc78d012bfca97db048b7e6e
@JakeWharton The validation can easily bypassed:
|
I understand the current approach is to accept malformed header (with non-ascii characters), but to never allow generating them. |
Updated to the latest version of the lib and still getting same error with the following header:
Throwing this exception:
|
I am also facing same error. I have updated to latest version still issue persist. @swankjesse do we have any workaround or any fix for this ?. Thank you for help advance. |
@manjunath143 please open a pull request with an executable test case that demonstrates the failure. |
The fix for #891 is causing IllegalArgumentException to be thrown for non ASCII response headers. Most notably, content-disposition, and the filename part. This is basically causing filenames with all the best letters from all the best countries (ü,ä,î,â etc) to crash our app.
The failure mode for us is semi-rare for a variety of reasons, but I imagine this would be far worse for others.
The RFC on the "filename" parameter allows any ISO-8859-1 character: http://tools.ietf.org/html/rfc6266#page-5 so the current behaviour definitely seems to be incorrect.
It makes sense to check request headers. I'm not convinced that it's reasonable for response headers, given that there are plenty of occasions where you just don't control the full stack. Actually, even the unit test that was added in the commit a57aa43 (responseHeaderParsingIsLenient) seems to imply that this is what was intended - must just be a bug.
It would be great if OkHttp could be a little less strict in production situations, but that's sort of unrelated.
Possible fix would be addLenient at https://github.com/square/okhttp/blob/master/okhttp/src/main/java/com/squareup/okhttp/internal/http/FramedTransport.java#L192 but I don't know the ins and outs of this code with enough confidence to make those changes.
java.lang.IllegalArgumentException: Unexpected char 0xf6 at 21 in header value: inline;filename="Andy��IsSad.png"
at com.squareup.okhttp.Headers$Builder.checkNameAndValue(Headers.java:295)
at com.squareup.okhttp.Headers$Builder.add(Headers.java:245)
at com.squareup.okhttp.internal.http.FramedTransport.readNameValueBlock(FramedTransport.java:192)
at com.squareup.okhttp.internal.http.FramedTransport.readResponseHeaders(FramedTransport.java:104)
at com.squareup.okhttp.internal.http.HttpEngine.readNetworkResponse(HttpEngine.java:906)
at com.squareup.okhttp.internal.http.HttpEngine.access$300(HttpEngine.java:92)
at com.squareup.okhttp.internal.http.HttpEngine$NetworkInterceptorChain.proceed(HttpEngine.java:891)
at com.squareup.okhttp.internal.http.HttpEngine.readResponse(HttpEngine.java:749)
at com.squareup.okhttp.Call.getResponse(Call.java:268)
at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:224)
at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:195)
at com.squareup.okhttp.Call.execute(Call.java:79)
The text was updated successfully, but these errors were encountered: