On Thu, 25 Apr 2024 17:20:11 GMT, Matthew Donovan wrote:
> For this PR, I identified TLS tests that can fail due to hard-coded
> certificates expiring. I updated those tests to use certificates that are
> generated programmatically. This includes adding some helper methods to the
> CertificateB
Following up here.
I believe I have discovered that it is possible to craft a malicious HTTP
response that can cause the built-in HttpURLConnection and HttpClient
implementations to throw exceptions. Specifically, HttpURLConnection can be
made to throw a NegativeArraySizeException, and HttpClient
Isn’t the HttpClient almost always used to access other services?
Why would a developer access a malicious service?
I also think there are lots of ways for a service to crash the client - e.g., it
could attempt to return a very large response - if the client uses a memory
buffered reader, it wil
Scraping of unknown/untrusted websites is a common task in
certain...fields? I don't want to comment on it too deeply, but I know that
is something folks would do.
Imagine a site where someone inputs a URL, clicks submit, and then with the
power of funding they return a summary of the page.
On Mo
Yes, but normally you fork a worker process that tracks progress and scrapes N
sites. If the worker process dies processing a site, the site is marked “bad”
and only periodically scraped after a retry/backoff period.
There are probably a lot of ways to crash a worker process, intentionally or
a
First, thank you both for the responses. I know how busy everyone is, and I
really appreciate the time.
We can talk about use cases and architecture and such, but I think we all
agree that a developer should be able to make an HTTP request with
HttpClient without worrying about whether or not it w
I have found that the OpenJDK net team is very open to receiving patches.
Have you filed an issue that has been accepted? This is usually the first step.
> On Jul 29, 2024, at 5:20 PM, Andy Boothe wrote:
>
> First, thank you both for the responses. I know how busy everyone is, and I
> really a
> I have found that the OpenJDK net team is very open to receiving patches.
That is great news!
> Have you filed an issue that has been accepted? This is usually the first
> step.
I have not! And of course it is the first step. 🤦♂️ Thank you for the
guidance!
Thank you both again for the time. R