On Tue, 26 Oct 2021 13:56:25 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
>> This change ensures that the realm string passed to the BasicAuthenticator >> constructor is a quoted-string, as per RFC7230 [1]. A Utils class is added >> to jdk.httpserver/sun.net.httpserver that holds the new isQuotedString() >> method and the pre-existing isValidName() method (previously in ServerImpl.) >> Two tests are included: >> - BasicAuthenticatorRealm.java to check that Latin-1 chars in the realm >> string are transported correctly, >> - BasicAuthenticatorExceptionCheck.java to check realm strings with escaped >> quotes. >> >> Testing: tier 1-3. >> >> [1] https://datatracker.ietf.org/doc/html/rfc7230 > > src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java line 78: > >> 76: public static boolean isQuotedString(String token) { >> 77: for (int i = 0; i < token.length(); i++) { >> 78: char c = token.charAt(i); > > For the value it would probably be more correct to work with the bytes > returned by `getBytes(StandardCharsets.ISO_8859_1)` rather than with Java > UTF-16 chars - I don't think UTF-16 is a super set of ISO-8859-1 As discussed offline, the string representations are identical < 256 so no need to transliterate. for (int i=0; i<256; i++) { var s16 = new String(new byte[] {(byte)0, (byte)i}, "UTF-16"); var s88 = new String(new byte[] {(byte)i}, "ISO-8859-1"); if (!s16.equals(s88)) throw new RuntimeException(""%s" != "%s"".formatted(s16, s88)); } ------------- PR: https://git.openjdk.java.net/jdk/pull/6117
