Re: [jetty-users] BadMessageException

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] BadMessageException

From: John English <john.foreign@xxxxxxxxx>
Date: Mon, 22 May 2023 20:54:44 +0300
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0

On 22/05/2023 18:55, Joakim Erdfelt wrote:

Don't blindly call request.getParameter() without fully (and I domean FULLY) understanding the side effects.


Now you tell me... :) :)

A call to request.getParameter() can read the request body content
as well. (per Servlet spec). A call to request.getParameter() can
fail for bad input, bad encoding, bad expectations, IO exceptions,
etc (it's quite a long list of causes). Since request.getParameter()
has no checked exceptions, you are stuck with RuntimeException.


But presumably all of the above are things outside of my control -- so

shouldn't I just report any exception from a call to getParameter() as a400?

I suppose I'm going to have to browse the Jetty source code in order tobe able to use it properly... :(

Since request.getParameter() has no checked exceptions, you are
stuck with RuntimeException.


True, but there are RuntimeExceptions and RuntimeExceptions. Perhaps

deriving BME from something like MalformedParametersException would havebeen a better idea, but too late for that I suppose.

I wouldn't catch all exceptions in my ErrorPageErrorHandler, but
only specific ones that I care about presenting to users.


I catch the exceptions I know and care about, and turn them into
meaningful messages for the end users. It's the unexpected ones I want
to be told about, since they usually indicate a programming error (e.g.
NPE, IndexOutOfBounds...) so in those cases I give an "oops, we goofed"
error message to the user, and send an email to the developers.

In this case it isn't an "oops, we goofed" situation. So it sounds like
my Plan B might be the best thing to do:

Plan B: Call request.getParameter() inside a try block at the startof request processing, and return a 400 response (as this exceptionseems to be trying to do) if an exception is thrown.

So I have put this (with "kludge marks"around it) before I start lookingat the request, and it seems to work:


  try {
    request.getParameter("foo"); // doesn't matter what
  }
  catch (RuntimeException e) {
    if (e.getCause() instanceof IOException) {
      throw e;    // I deal with wrapped IOExceptions elsewhere
    }
    response.sendError(400,"Bad Request");
    return;
  }

And now I wonder, how many other things are lurking there ready to biteme? I always assumed that, like a request to "/foo%", the problem wouldbe detected when the request was processed, before my code ever got tosee it, and then passed straight to the error handler defined in web.xml.


Oh well, it all helps to keep me in work I suppose. :)

Thanks for the response,
--
John English

References:
- [jetty-users] BadMessageException
  - From: John English
- Re: [jetty-users] BadMessageException
  - From: Joakim Erdfelt

Prev by Date: Re: [jetty-users] BadMessageException
Next by Date: [jetty-users] SolrJ/Solr: HTTP protocol violation: Authentication challenge without WWW-Authenticate header
Previous by thread: Re: [jetty-users] BadMessageException
Next by thread: [jetty-users] SolrJ/Solr: HTTP protocol violation: Authentication challenge without WWW-Authenticate header
Index(es):
- Date
- Thread

Breadcrumbs