ADDITIONAL SYSTEM INFORMATION :
Darwin 16.7.0 Darwin Kernel Version 16.7.0: Tue Jan 30 11:27:06 PST 2018; root:xnu-3789.73.11~1/RELEASE_X86_64 x86_64
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)
A DESCRIPTION OF THE PROBLEM :
getHeaderFields is documented to return the HTTP request headers. But in the public API documentation https://docs.oracle.com/javase/8/docs/api/java/net/URLConnection.html this omission is not documented.
In the source code for the class implementation http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/484e16c0a040/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java, we can see that Authorization and Proxy-Authorization are omitted, for security reasons. But this behavior is not documented.
Further, the class does not hide other headers known to carry sensitive data, like "OAuth-Client-Info".
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
javac Test.java
java -cp . Test
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
1. We put in three headers; we expect to get three headers during the verification check.
2. We expect the above based on the class's public documentation.
ACTUAL -
1. Two headers are printed.
2. One of them contains secret info.
---------- BEGIN SOURCE ----------
import java.util.Map;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.List;
import java.util.Iterator;

class Test {
    public static void main( String[] args ) throws Exception {
        // No connection is opened; getRequestProperties() works before connect().
        URL url = new URL( "https://localhost:12345" );
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        // Credential values are read from environment variables (assumed names)
        // so that no secret is hard-coded in the test program.
        c.addRequestProperty( "OAuth-Client-Info", "Basic " + System.getenv( "CLIENT_OAUTH_INFO" ) );
        c.addRequestProperty( "Authorization", "Bearer " + System.getenv( "CLIENT_TOKEN_BASE64" ) );
        c.addRequestProperty( "Accept", "text/html" );
        // Authorization is silently dropped from this map; OAuth-Client-Info is not.
        Map<String,List<String>> requestHeaders = c.getRequestProperties();
        for ( Iterator<String> i = requestHeaders.keySet().iterator(); i.hasNext(); ) {
            String key = i.next();
            System.out.println( key + ": " + requestHeaders.get( key ).get( 0 ) ); // print only first header value
        }
    }
}
---------- END SOURCE ----------
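Because getRequestProperties() only strips Authorization and Proxy-Authorization, any code that logs the returned map must apply its own redaction. The following is an added example, not part of the bug report or the JDK; the header denylist, the class name and the placeholder credential values are assumptions.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added example: redact credential-bearing request headers before they are
// printed or logged, instead of relying on the JDK's fixed filtering.
public class RedactingHeaderDump {
    // Case-insensitive denylist (hypothetical); extend with any app-specific
    // credential headers such as the OAuth-Client-Info header from the report.
    private static final Set<String> SENSITIVE = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        SENSITIVE.addAll(Arrays.asList("Authorization", "Proxy-Authorization",
                                       "Cookie", "OAuth-Client-Info"));
    }

    // Returns a copy of the header map in which every value of a sensitive
    // header is replaced by a fixed marker; other headers are passed through.
    static Map<String, List<String>> redact(Map<String, List<String>> headers) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            if (name != null && SENSITIVE.contains(name)) {
                out.put(name, Collections.singletonList("<redacted>"));
            } else {
                out.put(name, e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://localhost:12345"); // nothing is connected to
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        // Constructed placeholder values stand in for real credentials.
        c.addRequestProperty("OAuth-Client-Info", "Basic placeholder-client-info");
        c.addRequestProperty("Authorization", "Bearer placeholder-token");
        c.addRequestProperty("Accept", "text/html");
        // The JDK has already dropped Authorization here, but OAuth-Client-Info
        // survives, so redact before anything reaches a log.
        for (Map.Entry<String, List<String>> e : redact(c.getRequestProperties()).entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
    }
}
```

Expected output lists Accept with its value and OAuth-Client-Info as <redacted>; Authorization never appears because the JDK removed it before the map was returned.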
CUSTOMER SUBMITTED WORKAROUND :
Change to HTTP and utilize a logging proxy or packet sniffer
FREQUENCY : always