jetty.project
Introduce `UriCompliance.Violation.FRAGMENT` to reject HTTP Request Line that includes fragment section.
Jetty version(s): 12.0.7
Jetty Environment: All
Java version/vendor (use: java -version): All
OS type/version: All
Description: While working on PR #11496, the idea of not allowing a FRAGMENT section in a Request Line was introduced.
It is a good idea that seems to follow the HTTP spec.
- https://datatracker.ietf.org/doc/html/rfc9110#section-4.1 - indicates that the relative URI shouldn't have the fragment component
- https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.5 - says that the fragment component is not part of the ABNF for http or https URIs
- https://datatracker.ietf.org/doc/html/rfc9110#section-7.1 - says that the server should ignore/drop the fragment component, as the fragment component is reserved for client-side processing
- https://datatracker.ietf.org/doc/html/rfc9110#section-10.2.2 - points out that a redirect `Location` response header can contain a fragment indicator
- https://datatracker.ietf.org/doc/html/rfc9110#section-17.11 - there is a security concern as well with exposure of fragment after redirect
If we do this, we should be careful how we do it, and allow a configurable UriCompliance mode to configure the behavior.
See original commit (reverted in PR #11496): https://github.com/jetty/jetty.project/pull/11496/commits/fed10f79aacecfcb4118bcbe39fcb21d98666f25
Opened PR #11580 to start this issue. Currently just a cherry-pick of commit fed10f79aacecfcb4118bcbe39fcb21d98666f25 along with some test case updates.
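The two behaviours the issue contrasts, a strict mode that rejects a fragment in the request line with 400 and a lenient mode that drops it as RFC 9110 section 7.1 allows, as an added illustration in Python (not Jetty's code; `FragmentMode`, `BadRequest` and the simple origin-form splitter are assumptions for this example). Note that a percent-encoded `%23` is data, not a fragment delimiter, so it must not trigger the violation.

```python
import re
from enum import Enum


class FragmentMode(Enum):
    """Hypothetical stand-in for a configurable compliance setting."""
    REJECT = "reject"  # fragment in the request line -> 400 Bad Request
    STRIP = "strip"    # drop the fragment (RFC 9110 7.1), record the violation


class BadRequest(Exception):
    """Raised for a request line the server refuses to process."""


# method SP request-target SP HTTP-version (constructed, simplified grammar)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")


def split_target(target):
    """Split an origin-form request-target into (path, query, fragment).

    Only a literal '#' starts a fragment; '%23' stays part of the path.
    """
    fragment = None
    if "#" in target:
        target, fragment = target.split("#", 1)
    query = None
    if "?" in target:
        target, query = target.split("?", 1)
    return target, query, fragment


def parse_request_line(line, mode=FragmentMode.REJECT):
    """Parse a request line and apply the configured fragment policy."""
    match = REQUEST_LINE.match(line)
    if not match:
        raise BadRequest("malformed request line")
    method, target, version = match.groups()
    path, query, fragment = split_target(target)
    violations = []
    if fragment is not None:
        if mode is FragmentMode.REJECT:
            raise BadRequest("fragment not allowed in request line")
        # STRIP: the fragment is client-side only; drop it but keep a
        # record so the violation can be logged or counted.
        violations.append("FRAGMENT")
    return {"method": method, "path": path, "query": query,
            "version": version, "violations": violations}
```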
@joakime can you please reword everywhere you wrote "query" meaning "fragment"?
Yeah, sorry, my mind was stuck on the exception message from the old PR ...
https://github.com/jetty/jetty.project/blob/fed10f79aacecfcb4118bcbe39fcb21d98666f25/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java#L1460-L1461
The exception messages from that commit showed up as ...
HTTP/1.1 400 Bad Request
Server: Jetty(12.0.8-SNAPSHOT)
Date: Wed, 27 Mar 2024 08:30:11 GMT
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 621
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 400 Bad Request</title>
</head>
<body>
<h2>HTTP ERROR 400 Bad Request</h2>
<table>
<tr><th>URI:</th><td>/badMessage</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Bad Request</td></tr>
<tr><th>CAUSED BY:</th><td>org.eclipse.jetty.http.BadMessageException: 400: Bad Request</td></tr>
<tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: uri cannot go beyond QUERY</td></tr>
</table>
<hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 12.0.8-SNAPSHOT</a><hr/>
</body>
</html>