Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reparse URI when host is missing #33614

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Reparse URI when host is missing #33614

wants to merge 1 commit into from

Conversation

bodograumann
Copy link

When a hostname contains an underscore, it is valid in RFC 3986, but only part of a registry-based authority under RFC 2396. Due to the fact, that URI only supports RFC 2396, we cannot simply use getHost() in these cases. Instead we need to parse the URI ourselves.

Only parsing the authority part seems too much effort, given the custom UrlParser we are using.

Closes #27774
Closes spring-projects/spring-security#15852

@bodograumann bodograumann mentioned this pull request Sep 30, 2024
Open
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Sep 30, 2024
@bclozel
Copy link
Member

bclozel commented Sep 30, 2024

I think this is duplicating #33608, but I missed the comments in #27774.
We will discuss this as a team, but my comment on #33608 my still stand.

@bclozel bclozel added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Sep 30, 2024
@bodograumann
Copy link
Author

bodograumann commented Sep 30, 2024
edited
Loading

Thanks for taking this into consideration.

My main goal is to get spring-projects/spring-security#15852 fixed, so simply not using URI with UriComponentsBuilder would also achieve that goal as suggested here: spring-projects/spring-security#15853
Unfortunately I wasn't yet able to provide proper tests there...

In the other PR you mention #33542, but afaict it is concerned with the differences between RFC 3986 and the WhatWG living spec, not with the difference between RFC 3986 and RFC 2396.

I also found https://cr.openjdk.org/~dfuchs/writeups/updating-uri/, but I couldn't find any updates on further progress.

@rstoyanchev
Copy link
Contributor

I agree with Brian this could lead to surprises, and we should not quietly re-parse from within fromUri(URI). Spring Security can do that in fallback mode as I commented under spring-projects/spring-security#15853.

@rstoyanchev rstoyanchev added the status: waiting-for-feedback We need additional information before we can continue label Oct 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: waiting-for-feedback We need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged or decided on
Projects
None yet
Milestone
No milestone
4 participants
@bodograumann @bclozel @rstoyanchev @spring-projects-issues