Re: [servlet-dev] CONNECT and getRequestURI ?


PD,

There is no dedicated method (extremely rare that a CONNECT ends up in a servlet), but a Servlet can override the `service` method directly and that will be called for all methods.

cheers


On Tue, 14 Feb 2023 at 12:20, Ph. Dinh <pmd1nh-bus@xxxxxxxxxxx> wrote:
Hi,

I don't see doConnect() in EE10 Servlet doc


Neither does EE6 have it:

How can a servlet override it?

Regards,

PD

From: servlet-dev <servlet-dev-bounces@xxxxxxxxxxx> on behalf of Stuart Douglas <sdouglas@xxxxxxxxxx>
Sent: Monday, February 13, 2023 4:15 PM
To: servlet developer discussions <servlet-dev@xxxxxxxxxxx>
Subject: Re: [servlet-dev] CONNECT and getRequestURI ?
 
If you don't like null because of the potential for NPEs I think you could also make a similar argument for the empty string. If developers are not thinking about connect requests they could assume that it will always be at least length 1 and you could end up with different exceptions.

Stuart

On Tue, 14 Feb 2023 at 11:07, Greg Wilkins <gregw@xxxxxxxxxxx> wrote:

So options are now null, "" and "/". Older jetty was "", newer jetty is null and undertow is "/".
Where does tomcat land in this? I'm very happy to change jetty to anything, I just want it to be standard.
I think null is probably my least favourite and I'm on the fence with "" vs "/".

cheers



On Tue, 14 Feb 2023 at 10:55, Stuart Douglas <sdouglas@xxxxxxxxxx> wrote:
Undertow will just return a '/' in this case, it seemed like the value that was least likely to cause problems.

Stuart

On Tue, 14 Feb 2023 at 10:30, Greg Wilkins <gregw@xxxxxxxxxxx> wrote:

All,

We have an issue with CONNECT requests being handled by servlets.

Some security firms are routinely hitting public websites with CONNECT requests to probe for security vulnerabilities.

If the request lands on a HttpServlet that does not override service, then a method not supported response is sent. But if a servlet overrides service, then what should the getRequestURI method return?

Internally we model a CONNECT request as a URI with authority, but no path.  Thus we are currently returning null from getRequestURI.  This is causing some NPEs (which turn into 500s) for some code that does not expect a null return from getRequestURI.

Currently the spec is mute about what to do if there is no path.  Should we just return empty string? or is null OK?

cheers






--
_______________________________________________
servlet-dev mailing list
servlet-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev
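
An added example, not code from this thread or from any container project: a servlet that overrides `service` as described above and stays safe whichever of the three values reported in the thread (null, "" or "/") `getRequestURI()` returns for a CONNECT request. The class name, the 405 status and the `/static/` rule are assumptions made for illustration.

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

// Hypothetical servlet: a service() override that tolerates CONNECT requests.
public class ConnectSafeServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // service() is called for every method, CONNECT included, so check
        // the method before any code dereferences the request URI.
        if ("CONNECT".equals(req.getMethod())) {
            // Assumption: this application is not a proxy, so CONNECT is
            // refused outright; the status code chosen here is illustrative.
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // From here on, path is never null, so String methods cannot throw
        // the NPE (and resulting 500) described in the thread.
        String path = normalizedRequestUri(req);
        if (path.startsWith("/static/")) {   // constructed rule for the example
            resp.setHeader("Cache-Control", "public, max-age=3600");
        }
        super.service(req, resp);            // usual doGet/doPost dispatch
    }

    // Collapses the container-specific "no path" results reported in the
    // thread (null on newer Jetty, "" on older Jetty, "/" on Undertow)
    // to a single value.
    static String normalizedRequestUri(HttpServletRequest req) {
        String uri = req.getRequestURI();
        return (uri == null || uri.isEmpty()) ? "/" : uri;
    }
}
```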