diff options
Diffstat (limited to 'src/share/classes/sun/net/www')
4 files changed, 50 insertions, 5 deletions
diff --git a/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java b/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java index e560abf9c2..582687ba46 100644 --- a/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java +++ b/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1994, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -36,6 +36,7 @@ import java.io.BufferedInputStream; import java.io.FilterInputStream; import java.io.FilterOutputStream; import java.io.FileNotFoundException; +import java.net.MalformedURLException; import java.net.URL; import java.net.SocketPermission; import java.net.UnknownHostException; @@ -47,6 +48,7 @@ import java.util.StringTokenizer; import java.util.Iterator; import java.security.Permission; import sun.net.NetworkClient; +import sun.net.util.IPAddressUtil; import sun.net.www.MessageHeader; import sun.net.www.MeteredStream; import sun.net.www.URLConnection; @@ -155,6 +157,21 @@ public class FtpURLConnection extends URLConnection { } } + static URL checkURL(URL u) throws IllegalArgumentException { + if (u != null) { + if (u.toExternalForm().indexOf('\n') > -1) { + Exception mfue = new MalformedURLException("Illegal character in URL"); + throw new IllegalArgumentException(mfue.getMessage(), mfue); + } + } + String s = IPAddressUtil.checkAuthority(u); + if (s != null) { + Exception mfue = new MalformedURLException(s); + throw new IllegalArgumentException(mfue.getMessage(), mfue); + } + return u; + } + /** * Creates an FtpURLConnection from a URL. * @@ -168,7 +185,7 @@ public class FtpURLConnection extends URLConnection { * Same as FtpURLconnection(URL) with a per connection proxy specified */ FtpURLConnection(URL url, Proxy p) { - super(url); + super(checkURL(url)); instProxy = p; host = url.getHost(); port = url.getPort(); diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java index 4c5ec78fca..f00060effa 100644 --- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java +++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -66,6 +66,7 @@ import java.util.HashSet; import java.util.HashMap; import java.util.Set; import sun.net.*; +import sun.net.util.IPAddressUtil; import sun.net.www.*; import sun.net.www.http.HttpClient; import sun.net.www.http.PosterOutputStream; @@ -850,8 +851,13 @@ public class HttpURLConnection extends java.net.HttpURLConnection { throw new MalformedURLException("Illegal character in URL"); } } + String s = IPAddressUtil.checkAuthority(u); + if (s != null) { + throw new MalformedURLException(s); + } return u; } + protected HttpURLConnection(URL u, Proxy p, Handler handler) throws IOException { super(checkURL(u)); @@ -2139,6 +2145,10 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } while (retryTunnel < maxRedirects); if (retryTunnel >= maxRedirects || (respCode != HTTP_OK)) { + if (respCode != HTTP_PROXY_AUTH) { + // remove all but authenticate responses + responses.reset(); + } throw new IOException("Unable to tunnel through proxy."+ " Proxy returns \"" + statusLine + "\""); diff --git a/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java b/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java index e43a36310a..0186e24725 100644 --- a/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java +++ b/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java @@ -45,6 +45,7 @@ import java.security.Permission; import java.security.Principal; import java.util.Map; import java.util.List; +import sun.net.util.IPAddressUtil; import sun.net.www.http.HttpClient; /** @@ -86,6 +87,10 @@ public class HttpsURLConnectionImpl throw new MalformedURLException("Illegal character in URL"); } } + String s = IPAddressUtil.checkAuthority(u); + if (s != null) { + throw new MalformedURLException(s); + } return u; } // For both copies of the file, uncomment one line and comment the other @@ -333,7 +338,7 @@ public class HttpsURLConnectionImpl * @param key the keyword by which the request is known * (e.g., "<code>accept</code>"). * @param value the value associated with it. - * @see #getRequestProperties(java.lang.String) + * @see #getRequestProperty(java.lang.String) * @since 1.4 */ public void addRequestProperty(String key, String value) { diff --git a/src/share/classes/sun/net/www/protocol/jar/Handler.java b/src/share/classes/sun/net/www/protocol/jar/Handler.java index 8e9f8e3a35..4a3ae7e8ae 100644 --- a/src/share/classes/sun/net/www/protocol/jar/Handler.java +++ b/src/share/classes/sun/net/www/protocol/jar/Handler.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -121,6 +121,13 @@ public class Handler extends java.net.URLStreamHandler { return h; } + public String checkNestedProtocol(String spec) { + if (spec.regionMatches(true, 0, "jar:", 0, 4)) { + return "Nested JAR URLs are not supported"; + } else { + return null; + } + } @Override @SuppressWarnings("deprecation") @@ -147,6 +154,12 @@ public class Handler extends java.net.URLStreamHandler { } spec = spec.substring(start, limit); + String exceptionMessage = checkNestedProtocol(spec); + if (exceptionMessage != null) { + // NPE will be transformed into MalformedURLException by the caller + throw new NullPointerException(exceptionMessage); + } + if (absoluteSpec) { file = parseAbsoluteSpec(spec); } else if (!refOnly) { |