Jetty
  1. Jetty
  2. JETTY-1479

org.mortbay.jetty.Request::getServerName can throw NumberFormatException on invalid Host headers

    Details

    • Type: Bug Bug
    • Status: Resolved Resolved
    • Priority: Trivial Trivial
    • Resolution: Duplicate
    • Affects Version/s: 6.1.14
    • Fix Version/s: 7.6.0
    • Component/s: HTTP
    • Labels:
    • Number of attachments :
      0

      Description

      I've seen a bunch of NumberFormatExceptions appear in the log files for two separate projects. After doing some digging, I found that all requests had malformed Host headers (all in the form "foo.com:" – notice the trailing colon).

      RFC2616 says that Host needs to be a hostname or a hostname followed by colon and a port. So the requester is clearly doing the wrong thing. But the server is also supposed to be lenient... and the RFC states that a missing port should be interpreted as port 80.

      I've already contacted the guilty party to fix the Host header. Now I'm asking the Jetty community to please patch up Jetty to be more resilient in this scenario.

      This is the code in question (reformatted slightly):

      if (hostPort.peek(hostPort.getIndex() + i) == ':')

      { _serverName = hostPort.peek(hostPort.getIndex(), i).toString(); _port = BufferUtil.toInt(hostPort.peek(hostPort.getIndex() + i + 1, hostPort.length() - i - 1)); return _serverName; }

      The exception happens in BufferUtil.toInt because it's getting an empty string. Could it instead return 80 if the portion following the colon is empty (or even invalid – e.g. "foo.com:bar")?

      An alternate thought, should Jetty be returning 400 instead since the request doesn't conform to RFC2616?

      Thanks

        Activity

        Hide
        Joakim Erdfelt added a comment -

        Curious issue.
        Just so you know, but Jetty 6.x is no longer being developed.
        Jetty 7.x and Jetty 8.x are the current live/stable versions of Jetty.

        As for this bug....
        Jetty 7.x and 8.x also show this behavior.
        However, they return an Error 500 + NumberFormatException.
        I think Error 400 (Bad Request) should be the appropriate response in this situation.

        Show
        Joakim Erdfelt added a comment - Curious issue. Just so you know, but Jetty 6.x is no longer being developed. Jetty 7.x and Jetty 8.x are the current live/stable versions of Jetty. As for this bug.... Jetty 7.x and 8.x also show this behavior. However, they return an Error 500 + NumberFormatException. I think Error 400 (Bad Request) should be the appropriate response in this situation.
        Hide
        Jan Bartel added a comment -

        This is a duplicate of a bug raised and fixed for jetty @ Eclipse:

        https://bugs.eclipse.org/bugs/show_bug.cgi?id=366774

        Show
        Jan Bartel added a comment - This is a duplicate of a bug raised and fixed for jetty @ Eclipse: https://bugs.eclipse.org/bugs/show_bug.cgi?id=366774
        Hide
        Philip Davis added a comment -

        Great, thanks for a speedy response. Glad to hear you guys are on the ball and it's just me that's behind the times.

        Show
        Philip Davis added a comment - Great, thanks for a speedy response. Glad to hear you guys are on the ball and it's just me that's behind the times.

          People

          • Assignee:
            Unassigned
            Reporter:
            Philip Davis
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: