On Tue, 26 Oct 2021 12:46:31 GMT, Julia Boes <jb...@openjdk.org> wrote:
> This change ensures that the realm string passed to the BasicAuthenticator > constructor is a quoted-string, as per RFC7230 [1]. A Utils class is added to > jdk.httpserver/sun.net.httpserver that holds the new isQuotedString() method > and the pre-existing isValidName() method (previously in ServerImpl.) > Two tests are included: > - BasicAuthenticatorRealm.java to check that Latin-1 chars in the realm > string are transported correctly, > - BasicAuthenticatorExceptionCheck.java to check realm strings with escaped > quotes. > > Testing: tier 1-3. > > [1] https://datatracker.ietf.org/doc/html/rfc7230 src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java line 77: > 75: * <p>Where a backslash ("\") is used as quoting mechanism within the > realm > 76: * string, it must be escaped by two preceding backslashes, for > example > 77: * {@code "foo\\\"bar\\\""} will be embedded as {@code "foo\"bar\""}. I would drop this sentence as I find it confusing - even though I understand what you are trying to say. I would replace it with something like: The value of the {@code realm} parameter will be embedded in a quoted string. Any quote it contains must be escaped by the caller. src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java line 90: > 88: if (realm.isEmpty()) // implicit NPE check > 89: throw new IllegalArgumentException("realm must not be empty"); > 90: if (!isQuotedString(realm)) A better name for the method would be `isQuotedStringContent()`? src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java line 76: > 74: * Validates an RFC 7230 quoted-string. > 75: */ > 76: public static boolean isQuotedString(String token) { See my comment about the method name above src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java line 78: > 76: public static boolean isQuotedString(String token) { > 77: for (int i = 0; i < token.length(); i++) { > 78: char c = token.charAt(i); For the value it would probably be more correct to work with the bytes returned by `getBytes(StandardCharsets.ISO_8859_1)` rather than with Java UTF-16 chars - I don't think UTF-16 is a super set of ISO-8859-1 ------------- PR: https://git.openjdk.java.net/jdk/pull/6117
