Added a UriCompliance.Violation.USER_INFO to deprecate user info in HttpURI #12012
Conversation
As per [RFC9110](https://datatracker.ietf.org/doc/html/rfc9110#name-deprecation-of-userinfo-in-) user info is deprecated in server implementations. The new violation for USER_DATA is included by default in 12.0.x, but will be removed in 12.1.x
The RequestTest could use a minor improvement.
Arguments.of(UriCompliance.DEFAULT, "https://local/", 200, "local"), | ||
Arguments.of(UriCompliance.DEFAULT, "https://other/", 400, "Authority!=Host"), | ||
Arguments.of(UriCompliance.DEFAULT, "https://user@local/", 400, "Deprecated User Info"), | ||
Arguments.of(UriCompliance.LEGACY, "https://user@local/", 200, "local"), | ||
Arguments.of(UriCompliance.DEFAULT, "/%2F/", 400, "Ambiguous URI path separator"), | ||
Arguments.of(UriCompliance.UNSAFE, "/%2F/", 200, "local") |
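Review bot: no row in this table combines two violations (for example user info plus a host that differs from the Host header, as in https://user@other/), so the expected 400 text does not pin down which violation is reported first when several apply; one such row per mode would make the precedence explicit. The table also has no row with an unencoded gen-delim such as "[" in the path, which is the case later reported as a 400 Illegal Path Character regression on this PR.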
Can we split the good and bad tests apart?
Also, can we use a hostname in the URI that is different than the one used in the Host: local header to make sure we understand which host it is using?
Can we split the good and bad tests apart.
I did that, but it only saves a couple of lines and requires 40 lines to be duplicated, so a net loss. It also makes it hard to see the difference between the 200 and 400 tests, which is good to see exactly what we are testing. So I prefer it as a single test.
Also, can we use a hostname in the URI that is different than the one used in the Host: local header to make sure we understand which host it is using?
I added a bunch more tests, including ones that allow HttpCompliance with different authorities.
LGTM.
Will be good to have it bake for a while too.
This change causes unencoded [ and ] to be rejected too (400 Illegal Path Character). Not sure if that is intended?
@d2a-pnagel what does the raw (on the network) HTTP request look like that triggers this issue for you?
Not sure about "on the network", but this is output from curl. Is that sufficient? Jetty 12.0.11 returns a 404 Not Found for the same request.
Yes, that is sufficient. Those two characters are reserved for IPv6 or IPvLiteral authority sections on the URI. The change from parsing the whole URI to just parsing the pathQuery is tripping up the gen-delims vs sub-delims nuance of the path parsing. I'll open a new Issue about this.
Opened Issue #12259
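The following is an added, stand-alone model of the checks discussed in this thread (the deprecated-userinfo violation from the PR description and the gen-delims nuance behind the [ and ] regression); it is constructed for illustration and is not Jetty's HttpURI or UriCompliance code. The mode names DEFAULT, LEGACY and UNSAFE are taken from the test table, but which violations each mode tolerates is an assumption made here to reproduce that table.

```python
import re
from urllib.parse import urlsplit

# Constructed model, not Jetty code. Mode names come from the PR's test table;
# the set of violations each mode tolerates is an assumption for this example.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
# RFC 3986: pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
# The gen-delims "[" and "]" are legal only in an IPv6 host literal, never in a path.
PCHAR = UNRESERVED | SUB_DELIMS | {":", "@", "/"}
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")

TOLERATED = {
    "DEFAULT": set(),
    "LEGACY": {"Deprecated User Info"},
    "UNSAFE": {"Deprecated User Info", "Ambiguous URI path separator", "Illegal Path Character"},
}


def uri_violations(uri, host_header):
    """Collect every violation in the raw request-target, in the order a parser meets them."""
    found = []
    parts = urlsplit(uri)
    if parts.netloc:
        authority = parts.netloc
        if "@" in authority:
            found.append("Deprecated User Info")   # RFC 9110 deprecates userinfo for servers
            authority = authority.rsplit("@", 1)[1]
        # Host comparison keeps the brackets of an IPv6 literal, e.g. "[::1]"
        host = re.match(r"(\[[^\]]*\]|[^:]*)", authority).group(1)
        if host != host_header:
            found.append("Authority!=Host")
    if "%2f" in parts.path.lower():
        found.append("Ambiguous URI path separator")   # an encoded "/" may hide a segment boundary
    stripped = PCT_ENCODED.sub("", parts.path)         # valid %XX triplets are fine; check the rest
    if any(c not in PCHAR for c in stripped):
        found.append("Illegal Path Character")         # e.g. an unencoded "[" or "]" in the path
    return found


def check_request(mode, uri, host_header="local"):
    """Return (status, detail): 200 plus the host, or 400 plus the first untolerated violation."""
    for violation in uri_violations(uri, host_header):
        if violation not in TOLERATED[mode]:
            return 400, violation
    return 200, host_header
```

Feeding the rows of the RequestTest table through check_request yields the same status and detail as the table; a bracketed IPv6 host passes the authority check while the same brackets in a path are reported, which is the distinction the [ and ] report above turns on.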