Non-ASCII Header Encoding Issues #891
Comments
|
The spec wants ISO-8859-1 for header values. |
|
So is this just a documentation issue then? My primary reasoning for propagating the issue was that from my testing Apache supports it. The original poster also claims HttpUrlConnection support, which I didn't see. |
|
I think we should do ISO-8859-1, but servers that rely on that behavior shouldn't be. |
|
Punting to the icebox until somebody complains! |
|
Android use the below method in com.android.internal.os.RuntimeInit to set default UA, and okhttp-urlconnection direct use the UA as default http head without encode it. /**
* Returns an HTTP user agent of the form
* "Dalvik/1.1.0 (Linux; U; Android Eclair Build/MASTER)".
*/
private static String getDefaultUserAgent() {
StringBuilder result = new StringBuilder(64);
result.append("Dalvik/");
result.append(System.getProperty("java.vm.version")); // such as 1.1.0
result.append(" (Linux; U; Android ");
String version = Build.VERSION.RELEASE; // "1.0" or "3.4b5"
result.append(version.length() > 0 ? version : "1.0");
// add the model for the release build
if ("REL".equals(Build.VERSION.CODENAME)) {
String model = Build.MODEL;
if (model.length() > 0) {
result.append("; ");
result.append(model);
}
}
String id = Build.ID; // "MASTER" or "M4-rc20"
if (id.length() > 0) {
result.append(" Build/");
result.append(id);
}
result.append(")");
return result.toString();
}As an result, when I use okhttp-urlconnection in my apk, my server recevied the below request from an device with non-ASCII MODEL, which is invalid.
|
|
Yep, we should sanitize the User-Agent. |
|
Working plan: throw an exception on non-ASCII headers in |
This includes potential security problems (newline characters) as well as simple non-ASCII characters including international characters and emoji. Closes #891
|
@swankjesse Why the add method is not throwing illegalArgumentException, for us developers to catch and handle the error and mostly importantly to know that this method will throw this exception. Not many will look into the source and find that the header values are sanitised strictly. |
|
@vvelmurugan which header aren’t we being strict enough on? Most code paths that add headers are strict! |
|
@swankjesse I think I am not clear with my question. My question is if it is like this then our lint itself will suggest to handle that exception and we will look into okhttp code on why this exception is thrown. Currently many devs who come from HttpUrlConnection will not know that you sanitise headers for non-ascii characters |
|
@vvelmurugan ahhhh. Can you open a new issue requesting better documentation on the restrictions upon headers? Also please tell us which docs you read before running into this issue so we have a good idea as to where to document it! |
) - We include the application name in the User-Agent request header to identify the app usage. If the app name includes special characters, it leads to a crash because the header value should not contain non-ASCII values. square/okhttp#891 - In this commit, we have passed the package name to the User-Agent instead of the App name because the package name is also unique.
When passing headers parameters containing a 'é' it is received on server side as 'é'.
It might seem wird to pass such chars as arguments but I can't modify server side.
I know this behaviour is specific to retrofit because it worked with the old client using HttpUrlConnection and it also works with Postman chrome plugin.
via @cmorin6 from square/retrofit#516
The text was updated successfully, but these errors were encountered: