Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Be strict on invalid characters in request headers. #1785

Merged
merged 1 commit into from
Aug 3, 2015
Merged

Be strict on invalid characters in request headers. #1785

merged 1 commit into from
Aug 3, 2015

Conversation

swankjesse
Copy link
Collaborator

This includes potential security problems (newline characters) as well as
simple non-ASCII characters including international characters and emoji.

Closes #891

@squarejesse
Be strict on invalid characters in request headers.
a57aa43 
This includes potential security problems (newline characters) as well as
simple non-ASCII characters including international characters and emoji.

Closes #891
@swankjesse
Copy link
Collaborator Author

FYI @nfuller this is a behavior change!

JakeWharton added a commit that referenced this pull request Aug 3, 2015
@JakeWharton
Merge pull request #1785 from square/jwilson_0803_strict_headers
bf69c55 
Be strict on invalid characters in request headers.
@JakeWharton JakeWharton merged commit bf69c55 into master Aug 3, 2015
@swankjesse swankjesse deleted the jwilson_0803_strict_headers branch August 26, 2015 01:05
amartinz pushed a commit to NamelessRom/android_external_okhttp that referenced this pull request Jun 30, 2016
@nfuller
Relax validation of HTTP header values to retain L/M behavior
3c28a13 
This relaxes some validation logic newly introduced in the version
of OkHttp used in N.

This change leaves the character code validation stricter
than it was in M by still preventing control codes like \n, \r,
backspace and delete. It does allow developers to pass
Java characters > 7F to addRequestProperty() and also receive
headers from servers which contain characters > 7F.

Android's HttpURLConnection does not follow the HTTP spec as
it encodes request header values and interprets response
headers as UTF-8 and not ISO-8859-1.

If a server is expecting or sending ISO-8859-1 encoded characters
>7F in headers then these will still be corrupted or misinterpreted
by Android. However, this has been the behavior since L and is not
changed here.

The OkHttp change which caused characters >7F to generate an
IllegalArgumentException and partially reverted here:
square/okhttp#1785

See also: square/okhttp#1998
square/okhttp#2016
for recent upstream bugs.

Bug: 28867041
Bug: https://code.google.com/p/android/issues/detail?id=210205
(cherry picked from commit 75687ca5ae54f417afb4c02ba04767da6786d829)

Change-Id: Ib640b58addff4c0c4eac589c77eb74a6bd6b3ec2
amartinz pushed a commit to NamelessRom/android_external_okhttp that referenced this pull request Jun 30, 2016
@nfuller @15characterlimi
Reapply: Relax validation of HTTP header values to retain L/M behavior
86a4f0d 
This reapplies AOSP commit 3c28a13
There is a chance that we may want to revert this change in future.

Previous commit message:

This relaxes some validation logic newly introduced in the version
of OkHttp used in N.

This change leaves the character code validation stricter
than it was in M by still preventing control codes like \n, \r,
backspace and delete. It does allow developers to pass
Java characters > 7F to addRequestProperty() and also receive
headers from servers which contain characters > 7F.

Android's HttpURLConnection does not follow the HTTP spec as
it encodes request header values and interprets response
headers as UTF-8 and not ISO-8859-1.

If a server is expecting or sending ISO-8859-1 encoded characters
>7F in headers then these will still be corrupted or misinterpreted
by Android. However, this has been the behavior since L and is not
changed here.

The OkHttp change which caused characters >7F to generate an
IllegalArgumentException and partially reverted here:
square/okhttp#1785

See also: square/okhttp#1998
square/okhttp#2016
for recent upstream bugs.

Bug: 28867041
Bug: https://code.google.com/p/android/issues/detail?id=210205
(cherry picked from commit 75687ca5ae54f417afb4c02ba04767da6786d829)

Change-Id: Id683ec13142f1d7d8792143066f1dd2e5f62cf86
cm-gerrit pushed a commit to CyanogenMod/android_external_okhttp that referenced this pull request Aug 24, 2016
@nfuller
Relax validation of HTTP header values to retain L/M behavior
75687ca 
This relaxes some validation logic newly introduced in the version
of OkHttp used in N.

This change leaves the character code validation stricter
than it was in M by still preventing control codes like \n, \r,
backspace and delete. It does allow developers to pass
Java characters > 7F to addRequestProperty() and also receive
headers from servers which contain characters > 7F.

Android's HttpURLConnection does not follow the HTTP spec as
it encodes request header values and interprets response
headers as UTF-8 and not ISO-8859-1.

If a server is expecting or sending ISO-8859-1 encoded characters
>7F in headers then these will still be corrupted or misinterpreted
by Android. However, this has been the behavior since L and is not
changed here.

The OkHttp change which caused characters >7F to generate an
IllegalArgumentException and partially reverted here:
square/okhttp#1785

See also: square/okhttp#1998
square/okhttp#2016
for recent upstream bugs.

Bug: 28867041
Bug: https://code.google.com/p/android/issues/detail?id=210205
Change-Id: Ibdf14d819411a12fcc78d012bfca97db048b7e6e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@swankjesse @JakeWharton @squarejesse