[servlet-dev] CONNECT and getRequestURI ?


All,

We have an issue with CONNECT requests being handled by servlets.   

Some security firms are routinely hitting public websites with CONNECT requests to probe for security vulnerabilities.

If the request lands on an HttpServlet that does not override service, then a method not supported response is sent. But if a servlet overrides service, then what should the getRequestURI method return?

Internally we model a CONNECT request as a URI with authority, but no path.  Thus we are currently returning null from getRequestURI.  This is causing some NPEs (which turn into 500s) for some code that does not expect a null return from getRequestURI.

Currently the spec is mute about what to do if there is no path. Should we just return an empty string, or is null OK?

cheers






--
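
One way an application can keep these probes from turning into 500s, as an added example that is not part of the original message or of any container's code: a filter that refuses CONNECT and treats a null or empty `getRequestURI()` as a client error before any servlet dereferences it. The class name, the `/*` mapping, the status codes and the `Allow` list are assumptions of this example, as is the container dispatching path-less requests through the filter chain at all.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class name): stops CONNECT and any request
 * without a usable request URI before application code can dereference it.
 */
@WebFilter("/*")
public class PathlessRequestFilter extends HttpFilter {

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // May be null for CONNECT in the container behaviour described above;
        // never call methods on it before the checks below.
        String uri = req.getRequestURI();

        // Constant-first equals() is null-safe even if getMethod() misbehaves.
        if ("CONNECT".equals(req.getMethod())) {
            // Status code is a choice made for this example. A 405 must carry
            // an Allow header; the method list here is an assumed one.
            res.setHeader("Allow", "GET, HEAD, POST, OPTIONS");
            res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        if (uri == null || uri.isEmpty()) {
            // Not CONNECT, but still no path: answer as a client error
            // instead of letting a NullPointerException become a 500.
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Only requests with a non-empty request URI reach the servlets.
        chain.doFilter(req, res);
    }
}
```

Because the filter accepts both null and the empty string, it behaves the same whichever return value the specification eventually settles on.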
