spring-framework
spring-framework copied to clipboard
spring-projects
Reparse URI when host is missing
When a hostname contains an underscore, it is valid in RFC 3986, but only part of a registry-based authority under RFC 2396. Due to the fact, that URI only supports RFC 2396, we cannot simply use getHost() in these cases. Instead we need to parse the URI ourselves.
Only parsing the authority part seems too much effort, given the custom UrlParser we are using.
Closes https://github.com/spring-projects/spring-framework/issues/27774 Closes https://github.com/spring-projects/spring-security/issues/15852
I think this is duplicating #33608, but I missed the comments in #27774. We will discuss this as a team, but my comment on #33608 my still stand.
Thanks for taking this into consideration.
My main goal is to get https://github.com/spring-projects/spring-security/issues/15852 fixed, so simply not using URI with UriComponentsBuilder would also achieve that goal as suggested here: https://github.com/spring-projects/spring-security/pull/15853 Unfortunately I wasn't yet able to provide proper tests there...
In the other PR you mention https://github.com/spring-projects/spring-framework/issues/33542, but afaict it is concerned with the differences between RFC 3986 and the WhatWG living spec, not with the difference between RFC 3986 and RFC 2396.
I also found https://cr.openjdk.org/~dfuchs/writeups/updating-uri/, but I couldn't find any updates on further progress.
I agree with Brian this could lead to surprises, and we should not quietly re-parse from within fromUri(URI). Spring Security can do that in fallback mode as I commented under https://github.com/spring-projects/spring-security/pull/15853.
